GandCrab evolution 2018: Agile ransomware with real-time updates

GandCrab – the most prominent ransomware of 2018, whose developers consistently apply the Agile software development model

GandCrab developers practice an Agile development approach

GandCrab keeps evolving. The Agile software development approach[1] practiced by the ransomware's developers is a key to its success, experts claim. The methodology applied by the crooks encompasses adaptive planning, early delivery, continuous improvement, and the ability to respond as quickly as possible. Based on the facts outlined by the Check Point team[2] last week, we'll explain how GandCrab ransomware has managed to remain undefeated and in circulation since the end of January 2018.

GandCrab ransomware attack résumé

The GandCrab virus was first spotted at the end of January 2018. Initially, the crooks used the RIG and GrandSoft exploit kits to disseminate it, but soon experts published warnings that the payload was also being delivered through deceptive spam emails with a “Receipt Feb-21310” subject line (the number is randomly generated). Eventually, the “The HoeflerText font wasn’t found” scam[3] was also put to use in GandCrab's distribution.

It has been estimated that from January to March, the number of victims exceeded 50,000. Most of the infected PCs are located in the US, the UK, Scandinavia, Australia, and Israel, while countries of the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) were excluded from the list of targets. Consequently, experts assume that hackers from Russia are behind this ransomware.

Bitdefender, the company that took the leading role in developing the GandCrab decryptor, says that it's “one of the highest bidders,” while Europol's spokesperson[4] refers to the ransomware as:

one of the most aggressive forms of ransomware so far this year.

The statistics confirm that. In the middle of March 2018, experts counted how much ransom the virus had managed to collect. The demanded payment varied from 400 to 700,000 USD in Dash cryptocurrency depending on the status of the victim, i.e., whether the victim is an individual or part of an organization. It turns out that the crooks gained more than 600,000 USD in revenue in total.

GandCrab ransomware developers – experts in the Agile development approach

Despite the release of a free decryptor, multiple bugs in the initial release, and other setbacks, GandCrab keeps evolving. Experts have noticed a second wave of its attacks and warn home and enterprise users to install professional AV tools and make sure to update virus definitions regularly. Check Point adds:

In the fifth generation of cyber threats, ransomware-as-a-service is evolving, its primary goal is still extortion, but now it’s agile. As a result, it is vital that organizations arm themselves with ‘Gen V’ advanced technologies to face these new threats with confidence.

The Agile GandCrab development and maintenance approach encompasses four strategic aspects, and we'll explain each of them in short.

  • Adaptive planning. This means that GandCrab ransomware developers think outside the box. They keep track of how their “masterpiece” is plowing its way onto victims' PCs and how successfully it manages to collect the ransom.
    Soon after the release of GandCrab ransomware, the developers started selling it as Ransomware-as-a-Service on the black market.
    The program allows would-be hackers to customize the ransomware and distribute it in exchange for 30, 40 or sometimes even 70% of the ransom revenue going to the developer. Spreading GandCrab as RaaS on the black market created a whole network of affiliates, currently exceeding 80. The outcome: a significant increase in revenue from GandCrab ransomware affiliates.
  • Early delivery. Initially, the ransomware was distributed via spam and exploit kits. While these social engineering strategies worked quite successfully, the criminals also incorporated the “The HoeflerText font wasn’t found” scam, which has been infamous for distributing malware for many years already.
  • Continuous improvement. The GandCrab virus seems to be updated in real time. It was first created as RaaS and distributed on the black market to build a strong affiliate program. Then its distribution methods improved. Recently, it has been improved to evade detection by signature-based anti-virus tools thanks to a self-scanning technology built into the malicious software. Finally, the new version GandCrab2 was released in response to the free GandCrab decryptor available from NoMoreRansom.
  • Ability to respond as quickly as possible. Bitdefender, along with the Romanian Police, the Directorate for Investigating Organized Crime and Terrorism (DIICOT) and Europol, found a severe flaw in the handling of GandCrab's RSA private decryption key and released a free decryptor that has been included in the list of NoMoreRansom decryptors.[5] However, researchers hastened to mock the situation:

This is the ransomware equivalent of someone locking you out of your apartment and yet leaving a duplicate of the key for you under the doormat

GandCrab developers improved the initial version of the virus and patched the flaw, so files encrypted by the current GandCrab2 version cannot be decrypted.

Throughout the entire span of its existence, GandCrab's developers have been busy fixing, updating, and improving the malware, allowing them to stay one step ahead of security experts. This never-before-seen agile software development approach makes it difficult for professionals to spot the flaws. So what can we expect from GandCrab? No one knows yet, but the forecasts are rather worrying.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
