Ransomware Threat Assessments: A Companion to the 2021 Unit 42 Ransomware Threat Report

This post is also available in: 日本語 (Japanese)

Threat Assessment: GandCrab and REvil Ransomware

Executive Summary

GandCrab ransomware was a short-lived but prolific ransomware family in its time. It was first observed in January 2018 and was a prevalent threat until May 2019. During that time, it went through a number of different versions. GandCrab infections were most commonly observed as payloads in malvertising, spam and exploit kit attacks. Malvertising attacks are malicious advertisements that are used to infect victims via a drive-by download. Exploit kits have routinely been used in a similar manner, with a multitude of them dropping GandCrab on a victim’s computer. The most common exploit kits used to distribute GandCrab were Rig and Grandsoft.

In early 2019, the authors behind GandCrab announced that they were retiring as they had made enough money and done enough damage. However, around the same time, a new ransomware threat called REvil was emerging (also known as Sodinokibi). There were strong similarities between the two ransomware families, which have led security researchers to believe that REvil was an evolution of GandCrab. The victims and tactics employed by affiliate attackers had changed. REvil was still an affiliate ransomware like GandCrab, but the affiliates used were more skilled at targeted attacks as opposed to the commodity attacks employed by GandCrab.

GandCrab Ransomware Overview

What made GandCrab unique was the affiliate program that was used to propagate the malware. This left the distribution of the ransomware to partners who would gather victims and would in turn receive a portion of the profits from ransoms paid. It's been reported that affiliates would receive 30 to 40 percent.

This left the distribution logistics to other attackers, which explains the wide array of attacks used, leaving the authors of GandCrab free to further develop and harden the malware. This was necessary for the authors, as there had been instances in which decryptors were released by researchers that would allow victims to decrypt their files after infection without needing to pay ransom. It's also suspected that the authors may be Russian, as the malware had been known to check victim keyboard layout and ignore a Russian layout. It's been suspected that this was to avoid prosecution in that country.

GandCrab is often easily identifiable by the file extension appended to the end of ransomed files – .KRAB and .CRAB

In May 2019, the developers of GandCrab famously announced that they were no longer going to develop the ransomware. Their reasoning was that they had made enough money in over a year to retire and prove that they could do evil and get away with it. The developers also claimed that they had made over $150 million in over a year and that they had dispersed their profits into other legal projects. Since this announcement, there have been other ransomware samples observed with similar indicators, so it's thought that some of the authors continued with the development of ransomware.

REvil Ransomware Overview

In April 2019, another ransomware called REvil appeared (also known as Sodinokibi). There were immediate similarities between GandCrab and REvil, which caused early samples of REvil to be identified as GandCrab. REvil is also a Ransomware-as-a-Service (RaaS), which uses affiliates to distribute infections of the malware. The affiliates would then get a percentage of the ransoms paid after developers of the ransomware got their cut.

The distribution methods for REvil differed from those of GandCrab because affiliates were more skilled and actively attacked victims to compromise enterprise networks via exploits such as Oracle WebLogic CVE-2019-2725 or brute-forcing Remote Desktop Protocol (RDP) passwords to drop REvil. There would also be usage of red team tools, techniques and procedures (TTP) as opposed to the malicious spam, exploit kits and malvertising vectors of GandCrab. This also meant that victims would be more targeted for the intent of higher ransoms to be paid.

Analysis of GandCrab has shown that there are strong similarities between REvil and GandCrab ransomware samples. Based on the similarities between the two, it's widely believed that REvil is just a rebrand and evolution of GandCrab. This in turn leads to the conclusion that not all of the developers of GandCrab were done creating such malware. The tactics for infection by affiliates also shows an evolution of the malware by moving on from commodity-based attacks to attacks using more skilled affiliates with familiarity of red team TTP. Targeted users also changed from anyone who may have clicked on a link in a malicious email to companies with exterior-facing vulnerabilities that allowed attackers in to drop REvil.

In 2020, the average ransom payment was $508,523, with REvil threat actors targeting victims in the professional and legal services, manufacturing, media and communication, wholesale and retail, construction and engineering, and energy sectors in the US, Australia, Canada, Finland, and Hong Kong.

More information on REvil victimology can be found in the 2021 Unit 42 Ransomware Threat Report.

Courses of Action

This section documents relevant tactics, techniques and procedures (TTPs) used with GandCrab and REvil, and maps them directly to Palo Alto Networks product(s) and service(s). It also further instructs customers on how to ensure their devices are configured correctly.

Product / Service	Courses of Action
Command And Control
Application Layer Protocol [T1071.001], Non-Application Layer Protocol [T1095]
NGFW	Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
	Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
	Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists
Threat Prevention†	Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
	Ensure a secure antivirus profile is applied to all relevant security policies
	Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories and threats
	Ensure DNS sinkholing is configured on all anti-spyware profiles in use
	Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use
	Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the internet
DNS Security†	Enable DNS Security in Anti-Spyware profile
URL Filtering†	Ensure that URL Filtering is used
	Ensure that URL Filtering uses the action of ‘block’ or ‘override on the <enterprise approved value> URL categories
	Ensure that access to every URL is logged
	Ensure all HTTP Header Logging options are enabled
	Ensure secure URL filtering is enabled for all security policies allowing traffic to the internet
Cortex XSOAR	Deploy XSOAR Playbook - Block IP
	Deploy XSOAR Playbook - Block URL
	Deploy XSOAR Playbook - Palo Alto Networks - Hunting And Threat Detection
Defense Evasion, Persistence, Discovery
Exploitation for Defense Evasion [T1211], Registry Run Keys / Startup Folder [T1547.001], Masquerading [T1036.005], Modify Registry [T1112], Process Discovery [T1057]
Threat Prevention†	Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low and informational vulnerabilities
	Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
Cortex XDR	Enable Anti-Exploit Protection
	Enable Anti-Malware Protection
	Configure Behavioral Threat Protection under the Malware Security Profile
	Configure Restrictions Security Profile
Impact
Data Encrypted for Impact [T1486], Inhibit System Recovery [T1490]
Cortex XSOAR	Deploy XSOAR Playbook - Ransomware Manual for incident response.
	Deploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation

^{Table 1. Courses of Action for GandCrab and REvilransomware.
†These capabilities are part of the NGFW security subscriptions service.}

Conclusion

While the concept of an attacker leveraging ransomware affiliate programs is not new, GandCrab proved just how easy and successful these programs can be in practice. Key to this success is creating a low barrier for entry into the cybercrime ecosystem, while also distributing funds across affiliate program members. GandCrab helped establish itself as a power player in the affiliate market schemes common in underground forums and social networks.

The actors behind GandCrab would have had people believe in 2019 that they were done with ransomware, but there were similarities in an emerging threat called REvil. The similarities observed became so strong that the security community believes that REvil is an evolution of Gandcrab. The evolution was not only in the malware, but in the affiliates used to distribute and their TTP to compromise enterprise victims. This led to more targeted victims and unfortunately higher ransoms. To top this all off, there is also an extortion angle that REvil employs. If victims would not pay by a deadline, their data stolen during encryption would be auctioned off in underground forums. It’s this direction of targeted attacks for affiliate ransomware that makes REvil so dangerous to enterprises.

Palo Alto Networks detects and prevents GandCrab in the following ways:

• WildFire: All known samples are identified as malware.
• Cortex XDR with:
  • indicators for GandCrab.
  • Anti-Ransomware Module to detect GandCrab encryption behaviors.
  • Local Analysis detection to detect GandCrab binaries.
• Next-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which are also categorized as malware in URL Filtering.
• AutoFocus: Tracking related activity using the GandCrab tag.
• AutoFocus: Tracking related activity using the REvil AKA Sodinokibi tag

Additionally, Indicators of Compromise (IoCs) associated with GandCrab are available on GitHub, and have been published to the Unit 42 TAXII feed.

Continue Reading: Defray777

Back to Top