win.gandcrab

Gandcrab

aka: GrandCrab

Actor(s): Pinchy Spider


GandCrab was a Ransomware-as-a-Service (RaaS) that emerged on January 28, 2018, managed by a criminal organization known for being confident and vocal while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to distribute a high volume of their malware globally.

In a surprising announcement on May 31, 2019, GandCrab’s operators posted on a dark web forum announcing the end of a little more than a year of ransomware operations, citing staggering profit figures. However, if there is one thing that sets these threat actors apart from other groups, it is that they are unpredictable, so there is always the possibility that they might resurface in one form or another.

References
2020-01-20 ⋅ Virus Bulletin ⋅ AhnLab Security Analysis Team
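@online{team:20200120:behind:edefc01,
  author       = {{AhnLab Security Analysis Team}},
  title        = {Behind the scenes of {GandCrab’s} operation},
  date         = {2020-01-20},
  organization = {Virus Bulletin},
  url          = {https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/},
  urldate      = {2020-01-20},
  language     = {English},
}
Behind the scenes of GandCrab’s operation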
Gandcrab
2020-01-10 ⋅ CSIS ⋅ CSIS
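@techreport{csis:20200110:threat:7454f36,
  author      = {{CSIS}},
  title       = {Threat Matrix {H1} 2019},
  date        = {2020-01-10},
  institution = {CSIS},
  url         = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf},
  urldate     = {2020-01-22},
  language    = {English},
}
Threat Matrix H1 2019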
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2019-11 ⋅ Virus Bulletin ⋅ Alexandre Mundo Alguacil, John Fokker
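@online{alguacil:201911:vb2019:a565e76,
  author       = {Mundo Alguacil, Alexandre and Fokker, John},
  title        = {{VB2019} paper: Different ways to cook a crab: {GandCrab} ransomware-as-a-service ({RaaS}) analysed in depth},
  date         = {2019-11},
  organization = {Virus Bulletin},
  url          = {https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/},
  urldate      = {2020-01-08},
  language     = {English},
}
VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth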
Gandcrab
2019-10-02 ⋅ McAfee ⋅ McAfee Labs
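@online{labs:20191002:mcafee:1a04182,
  author       = {{McAfee Labs}},
  title        = {{McAfee} {ATR} Analyzes {Sodinokibi} aka {REvil} Ransomware-as-a-Service – What The Code Tells Us},
  date         = {2019-10-02},
  organization = {McAfee},
  url          = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/},
  urldate      = {2019-12-22},
  language     = {English},
}
McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us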
Gandcrab REvil
2019-07-08 ⋅ KrebsOnSecurity ⋅ Brian Krebs
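@online{krebs:20190708:whos:54977ab,
  author       = {Krebs, Brian},
  title        = {Who’s Behind the {GandCrab} Ransomware?},
  date         = {2019-07-08},
  organization = {KrebsOnSecurity},
  url          = {https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/},
  urldate      = {2020-01-07},
  language     = {English},
}
Who’s Behind the GandCrab Ransomware?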
Gandcrab
2019-06-24 ⋅ Fortinet ⋅ Joie Salvio
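@online{salvio:20190624:gandcrab:6120cb2,
  author       = {Salvio, Joie},
  title        = {{GandCrab} Threat Actors Retire...Maybe},
  date         = {2019-06-24},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html},
  urldate      = {2020-01-08},
  language     = {English},
}
GandCrab Threat Actors Retire...Maybe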
Gandcrab
2019-06-17 ⋅ Bitdefender ⋅ Bogdan Botezatu
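@online{botezatu:20190617:good:c24ed06,
  author       = {Botezatu, Bogdan},
  title        = {Good riddance, {GandCrab}! We’re still fixing the mess you left behind},
  date         = {2019-06-17},
  organization = {Bitdefender},
  url          = {https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind},
  urldate      = {2020-01-10},
  language     = {English},
}
Good riddance, GandCrab! We’re still fixing the mess you left behind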
Gandcrab
2019-06-03 ⋅ SC Magazine ⋅ Doug Olenick
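@online{olenick:20190603:gandcrab:9ed3174,
  author       = {Olenick, Doug},
  title        = {{GandCrab} ransomware operators put in retirement papers},
  date         = {2019-06-03},
  organization = {SC Magazine},
  url          = {https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/},
  urldate      = {2020-01-08},
  language     = {English},
}
GandCrab ransomware operators put in retirement papers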
Gandcrab
2019-06-01 ⋅ Bleeping Computer ⋅ Lawrence Abrams
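@online{abrams:20190601:gandcrab:cb581e3,
  author       = {Abrams, Lawrence},
  title        = {{GandCrab} Ransomware Shutting Down After Claiming to Earn \$2 Billion},
  date         = {2019-06-01},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/},
  urldate      = {2019-12-20},
  language     = {English},
}
GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion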
Gandcrab
2019-03-06 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley, Sergei Frankoff
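@online{feeley:20190306:pinchy:f5060bd,
  author       = {Feeley, Brendon and Hartley, Bex and Frankoff, Sergei},
  title        = {{PINCHY SPIDER} Affiliates Adopt “Big Game Hunting” Tactics to Distribute {GandCrab} Ransomware},
  date         = {2019-03-06},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/},
  urldate      = {2019-12-20},
  language     = {English},
}
PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware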
Gandcrab Phorpiex Pinchy Spider Zombie Spider
2019-02-19 ⋅ Bitdefender ⋅ Bogdan Botezatu
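@online{botezatu:20190219:new:21079a9,
  author       = {Botezatu, Bogdan},
  title        = {New {GandCrab} v5.1 Decryptor Available Now},
  date         = {2019-02-19},
  organization = {Bitdefender},
  url          = {https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/},
  urldate      = {2019-10-15},
  language     = {English},
}
New GandCrab v5.1 Decryptor Available Now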
Gandcrab
2019-01-07 ⋅ Bleeping Computer ⋅ Ionut Ilascu
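@online{ilascu:20190107:gandcrab:8167b7f,
  author       = {Ilascu, Ionut},
  title        = {{GandCrab} Operators Use {Vidar} Infostealer as a Forerunner},
  date         = {2019-01-07},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/},
  urldate      = {2019-12-20},
  language     = {English},
}
GandCrab Operators Use Vidar Infostealer as a Forerunner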
Gandcrab vidar
2018-11-08 ⋅ TC Contre ⋅ tcontre
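@online{tcontre:20181108:re:c143721,
  author       = {{tcontre}},
  title        = {R.E.: {Gandcrab} Downloader.. 'There's More To This Than Meets The Eye'},
  date         = {2018-11-08},
  organization = {TC Contre},
  url          = {https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html},
  urldate      = {2020-01-09},
  language     = {English},
}
R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye'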
Gandcrab
2018-10-25 ⋅ Bitdefender ⋅ Bogdan Botezatu
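@online{botezatu:20181025:gandcrab:4e85fe9,
  author       = {Botezatu, Bogdan},
  title        = {{GandCrab} Ransomware decryption tool},
  date         = {2018-10-25},
  organization = {Bitdefender},
  url          = {https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/},
  urldate      = {2020-01-10},
  language     = {English},
}
GandCrab Ransomware decryption tool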
Gandcrab
2018-10-25 ⋅ Europol ⋅ Europol
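@online{europol:20181025:pay:d82bbfc,
  author       = {{Europol}},
  title        = {Pay No More: universal {GandCrab} decryption tool released for free on {No More Ransom}},
  date         = {2018-10-25},
  organization = {Europol},
  url          = {https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom},
  urldate      = {2019-11-26},
  language     = {English},
}
Pay No More: universal GandCrab decryption tool released for free on No More Ransom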
Gandcrab
2018-07-19 ⋅ Sensors Tech Forum ⋅ Ventsislav Krastev
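@online{krastev:20180719:killswitch:487a882,
  author       = {Krastev, Ventsislav},
  title        = {Killswitch File Now Available for {GandCrab} v4.1.2 Ransomware},
  date         = {2018-07-19},
  organization = {Sensors Tech Forum},
  url          = {https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/},
  urldate      = {2020-01-07},
  language     = {English},
}
Killswitch File Now Available for GandCrab v4.1.2 Ransomware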
Gandcrab
2018-07-18 ⋅ ASEC ⋅ AhnLab ASEC Analysis Team
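@online{team:20180718:gandcrab:dc09385,
  author       = {{AhnLab ASEC Analysis Team}},
  title        = {{GandCrab} v4.1.2 Encryption Blocking Method (Kill Switch)},
  date         = {2018-07-18},
  organization = {ASEC},
  url          = {http://asec.ahnlab.com/1145},
  urldate      = {2020-01-08},
  language     = {Korean},
}
GandCrab v4.1.2 Encryption Blocking Method (Kill Switch)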
Gandcrab
2018-05-09 ⋅ Cisco Talos ⋅ Nick Biasini, Nick Lister, Christopher Marczewski
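@online{biasini:20180509:gandcrab:50296a6,
  author       = {Biasini, Nick and Lister, Nick and Marczewski, Christopher},
  title        = {{Gandcrab} Ransomware Walks its Way onto Compromised Sites},
  date         = {2018-05-09},
  organization = {Cisco Talos},
  url          = {https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html},
  urldate      = {2019-10-21},
  language     = {English},
}
Gandcrab Ransomware Walks its Way onto Compromised Sites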
Gandcrab
2018-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
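@online{duncan:20180307:ransomware:504a693,
  author       = {Duncan, Brad},
  title        = {Ransomware news: {GlobeImposter} gets a facelift, {GandCrab} is still out there},
  date         = {2018-03-07},
  organization = {InfoSec Handlers Diary Blog},
  url          = {https://isc.sans.edu/diary/23417},
  urldate      = {2020-01-06},
  language     = {English},
}
Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there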
Gandcrab GlobeImposter
2018-02-08 ⋅ Bleeping Computer ⋅ Lawrence Abrams
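@online{abrams:20180208:gandcrab:40fb494,
  author       = {Abrams, Lawrence},
  title        = {{GandCrab} Ransomware Being Distributed Via Malspam Disguised as Receipts},
  date         = {2018-02-08},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/},
  urldate      = {2019-12-20},
  language     = {English},
}
GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts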
Gandcrab
2018-01-30 ⋅ Malwarebytes ⋅ Malwarebytes Labs
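@online{labs:20180130:gandcrab:86c30cb,
  author       = {{Malwarebytes Labs}},
  title        = {{GandCrab} ransomware distributed by {RIG} and {GrandSoft} exploit kits (updated)},
  date         = {2018-01-30},
  organization = {Malwarebytes},
  url          = {https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/},
  urldate      = {2019-12-20},
  language     = {English},
}
GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)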
Gandcrab
2018-01-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
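@online{abrams:20180129:gandcrab:9e003f9,
  author       = {Abrams, Lawrence},
  title        = {{GandCrab} Ransomware Distributed by Exploit Kits, Appends {GDCB} Extension},
  date         = {2018-01-29},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/},
  urldate      = {2019-12-20},
  language     = {English},
}
GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension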
Gandcrab
Yara Rules
[TLP:WHITE] win_gandcrab_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_gandcrab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each $sequence_N is a raw x86 opcode byte pattern taken from the sample's
    // disassembly; the comment block under each one lists the instructions it
    // encodes. "n" is the number of instructions in the pattern; "score" is the
    // ranking yara-signator assigned to the sequence (its scale is not documented
    // on this page). "??" bytes are YARA wildcards, used here to mask the 4-byte
    // operand that follows the ff15 opcode, so the pattern is not tied to one
    // import-table address.
    // NOTE(review): the patterns come from unpacked code / memory dumps, so do
    // not add a PE-header precondition (e.g. an MZ check) — it would stop the
    // rule matching on dumped regions that lack headers.
    strings:
        $sequence_0 = { 03c3 8d5e04 03d8 837f3c00 741b }
            // n = 5, score = 1600
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   837f3c00             | cmp                 dword ptr [edi + 0x3c], 0
            //   741b                 | je                  0x1d

        $sequence_1 = { 03d8 837f3000 741b ff7738 ff15???????? }
            // n = 5, score = 1600
            //   03d8                 | add                 ebx, eax
            //   837f3000             | cmp                 dword ptr [edi + 0x30], 0
            //   741b                 | je                  0x1d
            //   ff7738               | push                dword ptr [edi + 0x38]
            //   ff15????????         |                     

        $sequence_2 = { 8d5e04 03d8 837f6000 7403 83c314 }
            // n = 5, score = 1600
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   837f6000             | cmp                 dword ptr [edi + 0x60], 0
            //   7403                 | je                  5
            //   83c314               | add                 ebx, 0x14

        $sequence_3 = { ff7740 8bf0 ff15???????? 03c3 8d5e04 03d8 }
            // n = 6, score = 1600
            //   ff7740               | push                dword ptr [edi + 0x40]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax

        $sequence_4 = { ff15???????? ff7728 8bf0 ff15???????? 03c3 8d5e04 }
            // n = 6, score = 1600
            //   ff15????????         |                     
            //   ff7728               | push                dword ptr [edi + 0x28]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]

        $sequence_5 = { ff7758 8bf0 ff15???????? 03c3 8d5e04 03d8 }
            // n = 6, score = 1600
            //   ff7758               | push                dword ptr [edi + 0x58]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax

        $sequence_6 = { 741b ff7738 ff15???????? ff7734 8bf0 ff15???????? }
            // n = 6, score = 1600
            //   741b                 | je                  0x1d
            //   ff7738               | push                dword ptr [edi + 0x38]
            //   ff15????????         |                     
            //   ff7734               | push                dword ptr [edi + 0x34]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     

        $sequence_7 = { 8bf0 ff15???????? 03c3 8d5e04 03d8 83bf8000000000 }
            // n = 6, score = 1600
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   83bf8000000000       | cmp                 dword ptr [edi + 0x80], 0

        $sequence_8 = { 837f2400 741b ff772c ff15???????? ff7728 8bf0 }
            // n = 6, score = 1600
            //   837f2400             | cmp                 dword ptr [edi + 0x24], 0
            //   741b                 | je                  0x1d
            //   ff772c               | push                dword ptr [edi + 0x2c]
            //   ff15????????         |                     
            //   ff7728               | push                dword ptr [edi + 0x28]
            //   8bf0                 | mov                 esi, eax

        $sequence_9 = { 03c3 8d5e04 03d8 837f1800 }
            // n = 4, score = 1600
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   837f1800             | cmp                 dword ptr [edi + 0x18], 0

    // Fire only when at least 7 of the 10 sequences are present: this tolerates
    // a few byte-level differences between samples while still requiring a
    // majority of the generated patterns, which keeps single-sequence false
    // positives from benign code in check. Note that the sequences overlap
    // heavily (the 03c3/8d5e04/03d8 triple recurs), so they are not
    // independent evidence.
    condition:
        7 of them
}