win.gandcrab

Gandcrab

aka: GrandCrab

Actor(s): Pinchy Spider

GandCrab was a Ransomware-as-a-Service (RaaS) operation that emerged on January 28, 2018, run by a criminal organization known for being confident and vocal while operating a rapidly evolving ransomware campaign. Through aggressive, if unusual, marketing and constant recruitment of affiliates, the operators were able to distribute a high volume of their malware globally.

In a surprising announcement on May 31, 2019, GandCrab's operators posted on a dark web forum that they were ending their ransomware operations after a little more than a year, citing staggering profit figures. If there is one thing that sets these threat actors apart from other groups, it is their unpredictability, so there is always the possibility that they will resurface in one form or another.

References
http://asec.ahnlab.com/1145
http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf
http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
https://isc.sans.edu/diary/23417
https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/
https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/
https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/
https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html
https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/
Yara Rules
[TLP:WHITE] win_gandcrab_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_gandcrab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 83bf8000000000 74?? ffb788000000 ff15???????? ffb784000000 8bf0 }
            // n = 6, score = 2100
            //   83bf8000000000       | cmp                 dword ptr [edi + 0x80], 0
            //   74??                 |                     
            //   ffb788000000         | push                dword ptr [edi + 0x88]
            //   ff15????????         |                     
            //   ffb784000000         | push                dword ptr [edi + 0x84]
            //   8bf0                 | mov                 esi, eax

        $sequence_1 = { 74?? ff772c ff15???????? ff7728 }
            // n = 4, score = 2100
            //   74??                 |                     
            //   ff772c               | push                dword ptr [edi + 0x2c]
            //   ff15????????         |                     
            //   ff7728               | push                dword ptr [edi + 0x28]

        $sequence_2 = { ff15???????? ff7778 8bf0 ff15???????? 03c3 8d5e04 03d8 }
            // n = 7, score = 2100
            //   ff15????????         |                     
            //   ff7778               | push                dword ptr [edi + 0x78]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax

        $sequence_3 = { ff7720 ff15???????? ff771c 8bf0 ff15???????? 03c3 8d5e04 }
            // n = 7, score = 2100
            //   ff7720               | push                dword ptr [edi + 0x20]
            //   ff15????????         |                     
            //   ff771c               | push                dword ptr [edi + 0x1c]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]

        $sequence_4 = { 837f6000 74?? 83c314 837f7400 74?? ff777c }
            // n = 6, score = 2100
            //   837f6000             | cmp                 dword ptr [edi + 0x60], 0
            //   74??                 |                     
            //   83c314               | add                 ebx, 0x14
            //   837f7400             | cmp                 dword ptr [edi + 0x74], 0
            //   74??                 |                     
            //   ff777c               | push                dword ptr [edi + 0x7c]

        $sequence_5 = { ff7734 8bf0 ff15???????? 03c3 8d5e04 }
            // n = 5, score = 2100
            //   ff7734               | push                dword ptr [edi + 0x34]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]

        $sequence_6 = { 8bf0 ff15???????? 03c3 8d5e04 03d8 837f5400 74?? }
            // n = 7, score = 2100
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   837f5400             | cmp                 dword ptr [edi + 0x54], 0
            //   74??                 |                     

        $sequence_7 = { 83bf8000000000 74?? ffb788000000 ff15???????? ffb784000000 8bf0 ff15???????? }
            // n = 7, score = 2100
            //   83bf8000000000       | cmp                 dword ptr [edi + 0x80], 0
            //   74??                 |                     
            //   ffb788000000         | push                dword ptr [edi + 0x88]
            //   ff15????????         |                     
            //   ffb784000000         | push                dword ptr [edi + 0x84]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     

    condition:
        7 of them
}
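The disclaimer above says the rule was generated from unpacked files and memory dumps, and the `??` wildcards in its hex strings are what let it tolerate differing call targets (`ff15????????`, call through an import table slot) and jump displacements (`74??`, short jz) between builds. The following Python script is an added example, not Malpedia's or yara-signator's code: it re-implements the subset of YARA hex-string matching this rule uses (literal bytes plus the `??` byte wildcard) and evaluates the `7 of them` condition against a constructed buffer. It needs only the Python standard library; the sample buffer, the filler bytes used for the wildcard positions and the XOR "packer" are constructed stand-ins, not real GandCrab bytes.

```python
import itertools
import re

# The eight hex strings of win_gandcrab_auto, copied from the rule above.
# The rule is yara-signator output; this matcher is an added example and is
# not part of Malpedia or yara-signator.
GANDCRAB_AUTO_SEQUENCES = {
    "sequence_0": "83bf8000000000 74?? ffb788000000 ff15???????? ffb784000000 8bf0",
    "sequence_1": "74?? ff772c ff15???????? ff7728",
    "sequence_2": "ff15???????? ff7778 8bf0 ff15???????? 03c3 8d5e04 03d8",
    "sequence_3": "ff7720 ff15???????? ff771c 8bf0 ff15???????? 03c3 8d5e04",
    "sequence_4": "837f6000 74?? 83c314 837f7400 74?? ff777c",
    "sequence_5": "ff7734 8bf0 ff15???????? 03c3 8d5e04",
    "sequence_6": "8bf0 ff15???????? 03c3 8d5e04 03d8 837f5400 74??",
    "sequence_7": "83bf8000000000 74?? ffb788000000 ff15???????? ffb784000000 8bf0 ff15????????",
}
REQUIRED_MATCHES = 7  # the rule's condition: 7 of them


def hex_string_to_regex(hex_string: str) -> "re.Pattern":
    """Translate a YARA hex string into a bytes regex.

    Only the subset this rule uses is handled: literal byte pairs and the
    full-byte wildcard `??`, which becomes `.` under DOTALL (any byte).
    """
    text = hex_string.replace(" ", "")
    if len(text) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    parts = []
    for i in range(0, len(text), 2):
        pair = text[i:i + 2]
        if pair == "??":
            parts.append(b".")
        elif "?" in pair:
            raise ValueError("nibble wildcards are not handled in this example")
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(h) for name, h in GANDCRAB_AUTO_SEQUENCES.items()}


def scan(buf: bytes) -> dict:
    """Return {sequence_name: [offsets]} for every sequence present in buf."""
    hits = {}
    for name, pattern in COMPILED.items():
        offsets = [m.start() for m in pattern.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def matches_rule(buf: bytes) -> bool:
    """Evaluate the rule condition (`7 of them`) against a buffer."""
    return len(scan(buf)) >= REQUIRED_MATCHES


def instantiate(hex_string: str, filler: bytes) -> bytes:
    """Turn a hex string into concrete bytes, filling each `??` from `filler`
    (cycled). The filler stands in for one build's IAT slot addresses and
    jump displacements (constructed values, not from any sample)."""
    text = hex_string.replace(" ", "")
    fill = itertools.cycle(filler)
    out = bytearray()
    for i in range(0, len(text), 2):
        pair = text[i:i + 2]
        out.append(next(fill) if pair == "??" else int(pair, 16))
    return bytes(out)


def build_sample(names, filler: bytes = b"\x10\x50\x40\x00") -> bytes:
    """Constructed stand-in for an unpacked code section: the chosen
    sequences with NOP padding between them. Not a real sample."""
    out = bytearray()
    for name in names:
        out += b"\x90" * 7
        out += instantiate(GANDCRAB_AUTO_SEQUENCES[name], filler)
    return bytes(out)


def xor_pack(buf: bytes, key: int) -> bytes:
    """Trivial constructed stand-in for a packer/crypter layer on disk."""
    return bytes(b ^ key for b in buf)


if __name__ == "__main__":
    all_names = list(GANDCRAB_AUTO_SEQUENCES)
    unpacked = build_sample(all_names)
    print("unpacked, build A:", matches_rule(unpacked), sorted(scan(unpacked)))
    # Same code with different import addresses: the wildcards absorb it.
    print("unpacked, build B:", matches_rule(build_sample(all_names, b"\xaa\xbb\xcc\xdd")))
    # Only six sequences present: below the `7 of them` threshold.
    print("six sequences only:", matches_rule(build_sample(all_names[:6])))
    # Packed on disk: the rule targets unpacked code and memory dumps.
    print("xor-packed:", matches_rule(xor_pack(unpacked, 0x37)))
```

The last case is the practical caveat: against a packed dropper the literal bytes are not present, so the rule only fires on the unpacked payload or a process memory dump. For real scanning, feed the rule to the yara CLI or yara-python over unpacked samples or dumps rather than re-implementing it as done here.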