TRANSCRIPT
GandCrab Ransomware Update
Overall classification is UNCLASSIFIED / TLP:WHITE
3/28/2019
GandCrab – Agenda
- What is ransomware? Why does it matter to HPH?
- GandCrab introduction
- GandCrab updates
- Actor
- Example - GandCrab phishing attack
- Example - ransom notes
- Infection vectors and persistence
- Versions
- Indicators of compromise & Yara rule
- Solutions
- References
- Conclusion
Slides Key
- Non-Technical: managerial, strategic and high-level (general audience)
- Technical: tactical, IOCs requiring in-depth knowledge (sysadmins, IRT)
Image: https://sensorstechforum.com
Ransomware – What/Why
What is ransomware?
- Malicious code that infects a system, encrypts important files and requests ransom to decrypt them
Critical to the Healthcare industry
- Data-driven decisions
- Mission (wellbeing, health and lives)
Reporting
- Cylance Threat Report (May 2018)
  - Ransomware attacks tripled in 2017
  - Healthcare was targeted more than any other industry
- Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare (December 2018)
  - One in four healthcare organizations were successfully attacked by ransomware in 2018
- Solutionary Security Engineering Research Team (SERT) Q2 2016 report
  - 88% of all ransomware attacks targeted the healthcare industry
Image: Health IT Outcomes
Image: Wall Street Journal
GandCrab – Introduction
- First identified on January 26, 2018
- It's a form of ransomware, aggressively updated
  - Over 500,000 global infections since first release
- Offered as Ransomware-as-a-Service (RaaS)
  - Operators aren't necessarily technical
  - Developers outsource attacks, split profits
  - Monetization: per PC, not lump sum
  - Typical ransoms: $300 to $6,000 (Dash)
- Spread via common tactics
  - Malspam/phishing
  - Remote Desktop Protocol (RDP)
  - Virtual Network Computing (VNC)
- Other functions
  - Can bypass some firewalls and AVs
  - Can detect sandboxes and virtual machines
- Used to target Windows systems in large organizations (big game hunting)
Image: SC Magazine
GandCrab – Updates
What's changed recently?
- Version 5.2 is out
  - Decryptors exist for all versions previous to 5.2
- Better affiliate relationships
  - Structured, profitable, long-term agreements
  - Separation between developers and operations
  - Incentive to use GandCrab
- Big game hunting
  - Increased reconnaissance
  - Even more persistence against high-value targets
  - High-value targets
  - "From mob attack to surgical strike"
Image: BestTechTips
GandCrab – Actor
PINCHY SPIDER (GandCrab developers)
- Named by CrowdStrike
  - "…the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as 'big game hunting'"
  - Unknown country(ies) of operation or any nation-state affiliation
- Offered as RaaS
- Uses distributors to infect systems
  - Allows for PINCHY SPIDER to focus on development vice infections
  - Provides separation between victims and PINCHY SPIDER
  - Splits profits (60/40 and sometimes 70/30)
  - Operators aren't necessarily technical
Image: CrowdStrike
Example: Screenshot of fake CDC e-mail
- Fake e-mail address attempting to look legitimate
- Malicious attachments
- Body of e-mail designed to look legitimate
Image: https://myonlinesecurity.co.uk
Example: Macros
Macro: A series of commands and instructions used in Microsoft Windows, grouped together as a single command to automate a task and make people more productive
Image: https://myonlinesecurity.co.uk
GandCrab – Ransom Notes
Example ransom notes
- Notification of compromise
- Expression of futility
- Compliance instructions
Source: Symantec
Source: Malwarebytes
Infection vectors and persistence
Infection vectors
- Remote Desktop Protocol (RDP)
- Virtual Network Computing (VNC)
- Corporate spam/phishing/malspam
  - Necurs botnet
- Exploit kits
  - Fallout, RIG, Magnitude, GrandSoft
- Social Engineering
Once it's on your system, how does it stay there?
Persistence
- Living off the land (both default and post-installation tools)
  - Sysinternals ProcMon
  - Process Hacker
  - LAN Search Pro
GandCrab – Versions
How to identify the version

VERSION | EXTENSION | RANSOM NOTE
1       | GDCB      | Starts with "—= GANDCRAB =—" … "the extension GDCB"
2       | GDCB      | Starts with "—= GANDCRAB =—" … "the extension GDCB"
3       | CRAB      | Starts with "—= GANDCRAB V3 =—" … "the extension CRAB"
4       | KRAB      | Starts with "—= GANDCRAB V4 =—" … "the extension KRAB"
5       | ([A-Z]+)  | Starts with "—= GANDCRAB V5.0 =—" … "the extension UKCZA"
5.0.1   | ([A-Z]+)  | Starts with "—= GANDCRAB V5.0.1 =—" … "the extension YIAQDG"
5.0.2   | ([A-Z]+)  | Starts with "—= GANDCRAB V5.0.2 =—" … "the extension CQXGPMKNR"
5.0.3   | ([A-Z]+)  | Starts with "—= GANDCRAB V5.0.3 =—" … "the extension HHFEHIOL"
5.0.4   | ([A-Z]+)  | Starts with "—= GANDCRAB V5.0.4 =—" … "the extension BYACZCZI"
5.0.5   | ([A-Z]+)  | Starts with "—= GANDCRAB V5.0.5 =—" … "the extension KZZXVWMLI"
5.1     | ([A-Z]+)  | Starts with "—= GANDCRAB V5.1 =—" … "the extension IJDHRQJD"
Source: Bitdefender
GandCrab – Indicators of compromise
Indicators of compromise (IOCs)

VERSION       | TYPE   | HASH
GandCrab v5.1 | SHA256 | 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v5.2 | SHA256 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v5.2 | SHA256 | bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v5.2 | SHA256 | d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v5.2 | SHA256 | d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v5.2 | SHA256 | f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v5.2 | SHA256 | fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
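The version table and the IOC slide above lend themselves to a small triage script. The following is an added example written for this write-up, not part of the HC3 product: it reads the first line of a ransom note and the encrypted-file extension, maps them through the deck's version table, and hashes files against the deck's SHA256 list. The sample note and file contents are constructed; the "decryptor_may_exist" flag simply encodes the deck's statement that decryptors exist for versions before 5.2.

```python
"""Triage helper added to this write-up (not part of the HC3 product): identify
the GandCrab version from a ransom note and the encrypted-file extension using
the deck's version table, and check file hashes against the deck's SHA256 IOCs."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# First line of the ransom note per the version table, e.g. "---= GANDCRAB V5.0.4 =---".
# Versions 1 and 2 carry no version number; the dashes may be plain or em-dashes.
NOTE_HEADER = re.compile(
    r"^\s*[-\u2014]+=\s*GANDCRAB(?:\s+V(?P<ver>\d+(?:\.\d+)*))?\s*=[-\u2014]+"
)

# Encrypted-file extension by major version (deck table). From 5.0 on the
# extension is random uppercase letters, which the deck writes as ([A-Z]+).
EXTENSION_BY_MAJOR: Dict[int, str] = {1: "GDCB", 2: "GDCB", 3: "CRAB", 4: "KRAB"}
RANDOM_EXTENSION = "[A-Z]+"

# SHA256 indicators from the IOC slide.
IOC_SHA256: Dict[str, str] = {
    "0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f": "GandCrab v5.1",
    "329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9": "GandCrab v5.2",
    "bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc": "GandCrab v5.2",
    "d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62": "GandCrab v5.2",
    "d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6": "GandCrab v5.2",
    "f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1": "GandCrab v5.2",
    "fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4": "GandCrab v5.2",
}


def parse_note_version(note_text: str) -> Optional[str]:
    """Version from the first non-blank line of a ransom note: e.g. "5.0.4",
    "1/2" when the header has no version, or None if it is not a GandCrab note."""
    for line in note_text.splitlines():
        if not line.strip():
            continue
        m = NOTE_HEADER.match(line)
        if m is None:
            return None
        ver = m.group("ver")
        if ver is None:
            return "1/2"
        return "5" if ver == "5.0" else ver  # the deck labels V5.0 as version 5
    return None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparisons; "1/2" is treated as (1,)."""
    return tuple(int(p) for p in version.split("/")[0].split("."))


def extension_consistent(version: str, ext: str) -> bool:
    """Does the encrypted-file extension match what the table expects?"""
    major = version_tuple(version)[0]
    pattern = EXTENSION_BY_MAJOR.get(major, RANDOM_EXTENSION)
    return re.fullmatch(pattern, ext.lstrip(".")) is not None


def identify(note_text: str, ext: str) -> dict:
    """Combine both checks. decryptor_may_exist follows the deck's statement
    that decryptors exist for all versions prior to 5.2."""
    version = parse_note_version(note_text)
    if version is None:
        return {"gandcrab": False, "version": None, "extension_ok": False,
                "decryptor_may_exist": False}
    return {
        "gandcrab": True,
        "version": version,
        "extension_ok": extension_consistent(version, ext),
        "decryptor_may_exist": version_tuple(version) < (5, 2),
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_ioc_matches(files: Iterable[Tuple[str, bytes]],
                     iocs: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Hash each (name, content) pair and return those whose SHA256 is in the
    IOC set (defaults to the deck's list)."""
    known = set(IOC_SHA256) if iocs is None else iocs
    hits: List[Tuple[str, str]] = []
    for name, data in files:
        digest = sha256_hex(data)
        if digest in known:
            hits.append((name, digest))
    return hits


if __name__ == "__main__":
    # Constructed sample note and extension (not a real ransom note).
    sample_note = "---= GANDCRAB V5.0.4 =---\n\nAttention! All your files have been encrypted."
    print(identify(sample_note, ".BYACZCZI"))
    # → {'gandcrab': True, 'version': '5.0.4', 'extension_ok': True, 'decryptor_may_exist': True}
```

In practice the note text would come from a recovered ransom note file and the (name, bytes) pairs from a directory walk of the suspect host; hash matches are only a starting point, since the deck's list covers a handful of v5.1/v5.2 samples.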
GandCrab – Yara rule
YARA: A rule-based tool for malware analysts to identify and analyze malware

    import "pe"

    rule gandcrab_win32_downloader_unpack
    {
        meta:
            author = "tccontre"
            description = "detecting gandcrab downloader"
            date = "2018-11-08"
            sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

        strings:
            // MZ header, checked at offset 0 in the condition
            $mz = { 4d 5a }
            // autorun.inf launch line and the hard-coded User-Agent string
            $s1 = "open=_DeviceManager.exe" fullword
            $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword
            // Defender/firewall configuration values and dropper artifacts
            $c0 = "DisableAntiSpyware" fullword wide
            $c1 = "DisableBehaviorMonitoring" fullword wide
            $c2 = "FirewallDisableNotify" fullword wide
            $c3 = "lsT80870405687060" fullword
            $c4 = "RecycleBin" fullword wide
            $c5 = "autorun.inf" fullword wide
            // code fragments from the unpacking routine
            $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
            $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

        condition:
            ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
    }
GandCrab – Solutions
- Content filtering: deploys to mail server; signature-based traffic blocking
- Configuration management and strong password policy: periodically review all network hardware, devices and applications for configurations; develop and enforce a strong password policy
- Endpoint security: every system in the enterprise should be protected
- Network traffic analysis: NetFlow and packet capture; real-time examination of system and network events
- Data backup: network/cloud redundancy is critical
- Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4 and 5.0.1 through 5.1
  - https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
  - Requires Internet connection and ransom note
- Employ a zero-day recovery approach: https://www.nomoreransom.org
Source: blog.malwarebytes.com
GandCrab – Solutions (continued)
Infection vectors – GandCrab-specific countermeasures and mitigations
- Remote Desktop Protocol and Virtual Network Computing – protect credentials and audit/log access
- Corporate spam/phishing/malspam – user awareness training and content filtering
- Exploit kits
  - User awareness training (visiting untrusted/suspicious websites)
  - Whitelisting and blacklisting websites
  - Implementing intrusion detection technologies
- Social Engineering – user awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx
Do not pay ransom
We recommend not paying ransom
- No guarantee files are decrypted and available again
- It incentivizes future ransomware attacks
Norsk Hydro
- Suffered from ransomware attack on March 19, 2019
- Production management systems and equipment were rendered inoperable
- Described as "crippling", "debilitating" and "disastrous"
- Reported $40 million loss in revenue
References / Further Reading
- Palmer, Danny. This Malware Spreading Tool is Back With Some New Tricks. ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
- Palmer, Danny. Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again. ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
- Palmer, Danny. What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web. ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
- Palmer, Danny. What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service. ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
- Palmer, Danny. Ransomware Crooks Test a New Way to Spread Their Malware. ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
- Cimpanu, Catalin. Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year. ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
- Botezatu, Bogdan. Thwarting GandCrab in the New Era of Agile Computer-Jackers. Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
- Moshailov, Roy. Threat Profile: GandCrab Ransomware. Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
- Threat Landscape Dashboard: GandCrab 5 - Ransomware. McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
- GandCrab 4 – Ransomware. McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
- GandCrab – Ransomware. McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
- Barth, Bradley. Third Decryption Tool for GandCrab Ransomware Released to Public. SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
- The GandCrab Ransomware Mindset. Check Point Research, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
- Heller, Michael. GandCrab ransomware adds NSA tools for faster spreading. TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
- GandCrab Ransomware Actively Spreading in the Wild. SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
- GandCrab Ransomware. BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
- GandCrab and Ursnif Campaign. IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
- GandCrab. The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
- GandCrab. The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
- Paganini, Pierluigi. Experts Released a Free Decryption Tool for GandCrab Ransomware. Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
- Clean a GandCrab infection using the ESET GandCrab Decryptor. ESET. https://support.eset.com/kb7049/
- GandCrab Ransomware Decryption Tool. No More Ransom.
References / Further Reading (continued)
- Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. PINCHY SPIDER Affiliates Adopt "Big Game Hunting" Tactics to Distribute GandCrab Ransomware. CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
- Botezatu, Bogdan. New GandCrab v5.1 Decryptor Available Now. Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/?cid=soc%7Cc%7Ctw%7CGandCrab
- Abrams, Lawrence. GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts. BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
- Castillo, Donald. EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users. Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
- Abrams, Lawrence. EITest HoeflerText Scam Distributing GandCrab & NetSupport Manager. BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
- Abrams, Lawrence. GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes. BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
- Abrams, Lawrence. GandCrab V4 Released With the New KRAB Extension for Encrypted Files. BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
- Abrams, Lawrence. GandCrab V5 Released With Random Extensions and New HTML Ransom Note. BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
- Abrams, Lawrence. Mail Attachment Builds Malware Downloader from Super Mario Image. BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
- Salvio, Joie. GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature. Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
- Costis, Andrew; Cramer, Cathy; Miner, Emily; Myers, Jared. CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign. Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
- Botezatu, Bogdan. GandCrab Ransomware Decryption Tool. Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
- Hioureas, Vasilios and Segura, Jérôme. GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated). Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
- Murphy, Ian. GandCrab Goes From Mob Attack to Surgical Strike. Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
- 2017 Cylance Threat Report. Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
- Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare. Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
- Fuentes, Maria Rosario. Cybercrime and Other Threats Faced by the Healthcare Industry. Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
- Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry. Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
References / Further Reading (continued)
- Krastev, Ventsislav. Killswitch File Now Available for GandCrab v4.1.2 Ransomware. Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
- Boczan, Tamas. The Evolution of GandCrab Ransomware. VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
- Malwarebytes Labs. GandCrab ransomware distributed by RIG and GrandSoft exploit kits. Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
- Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. Gandcrab Ransomware Walks its Way onto Compromised Sites. Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
- Duncan, Brad. Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there. SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
- RE: Gandcrab Downloader: There's More To This Than Meets The Eye. Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
- Europol Press Release. Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom. October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
- VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
- Exploit Landscape
- Dark web PHI Marketplace
Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV
Requests for Information
Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV
Questions?
Image: SC Magazine
- GandCrab Ransomware Update
- GandCrab ndash Agenda
- Ransomware ndash WhatWhy
- GandCrab ndash Introduction
- GandCrab ndash Updates
- GandCrab ndash Actor
- Example
- Example
- GandCrab ndash Ransom Notes
- Infection vectors and persistence
- GandCrab ndash Versions
- GandCrab ndash Indicators of compromise
- GandCrab ndash Yara rule
- GandCrab ndash Solutions
- GandCrab ndash Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
-
GandCrab ndash AgendaGandCrabWhat is ransomware Why does it matter to HPH GandCrab introduction GandCrab updates Actor Example - GandCrab phishing attack Example - ransom notes Infection vectors and persistence Versions Indicators of compromise amp Yara rule Solutions References Conclusion
UNCLASSIFIED 2
UNCLASSIFIED TLPWHITE
Non-Technical managerial strategic and high-level (general audience)
Technical Tactical IOCs requiring in-depth knowledge (sysadmins IRT)
Slides Key
3282019
Image httpssensorstechforumcom
Ransomware ndash WhatWhy
UNCLASSIFIED 3
UNCLASSIFIED TLPWHITE
3282019
RansomwareWhat is ransomware
ndash Malicious code that infects a system encrypts important files and requests ransom to decrypt them
Critical to the Healthcare industry Data-driven decisions Mission (wellbeing health and lives)Reporting Cylance Threat Report (May 2018)
ndash Ransomware attacks tripled in 2017ndash Healthcare was targeted more than any other industry
Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare (December 2018)
ndash One in four healthcare organizations were successfully attacked by ransomware in 2018
Solutionary Security Engineering Research Team (SERT) Q2 2016 report
ndash 88 of all ransomware attacks targeted the healthcare industry
Image Health IT Outcomes
Image Wall Street Journal
GandCrab ndash IntroductionGandcrab - Intro First identified on January 26 2018 Itrsquos a form of ransomware aggressively updated
ndash Over 500000 global infections since first release Offered as Ransomware-as-a-Service (RaaS)
ndash Operators arenrsquot necessarily technical Developers outsource attacks split profits
ndash Monetization Per PC not lump sumndash Typical ransoms $300 to $6000 (Dash)
Spread via common tacticsndash Malspamphishingndash Remote Desktop Protocol (RDP)ndash Virtual Network Computing (VNC)
Other functionsndash Can bypass some firewalls and AVsndash Can detect sandboxes and virtual machines
Used to target Windows systems in large organizations (big game hunting)
UNCLASSIFIED 4
UNCLASSIFIED TLPWHITE
3282019
Image SC Magazine
GandCrab ndash UpdatesWhatrsquos changed recently Version 52 is out
ndash Decryptors exist for all versions previous to 52 Better affiliate relationships
ndash Structured profitable long-term agreementsndash Separation between developers and operationsndash Incentive to use GandCrab
Big game huntingndash Increased reconnaissancendash Even more persistence against high-value
targetsndash High-value targetsndash ldquoFrom mob attack to surgical strikerdquo
UNCLASSIFIED 5
UNCLASSIFIED TLPWHITE
3282019
Image BestTechTips
GandCrab ndash ActorPINCHY SPIDER (GandCrab developers) Named by CrowdStrike
ndash ldquohellipthe latest eCrime adversaries to join the growing trend of targeted low-volumehigh-return ransomware deployments known as lsquobig game huntingrsquordquo
ndash Unknown country(ies) of operation or any nation-state affiliation Offered as RaaS Uses distributors to infect systems
ndash Allows for PINCHY SPIDER to focus on development vice infectionsndash Provides separation between victims and PINCHY SPIDERndash Splits profits (6040 and sometimes 7030)ndash Operators arenrsquot necessarily technical
UNCLASSIFIED 6
UNCLASSIFIED TLPWHITE
3282019
Image Crowdstrike
Example Screenshot of fake CDC e-mail
UNCLASSIFIED 7
UNCLASSIFIED TLPWHITE
3282019
Fake e-mail address attempting to look legitimate
Malicious attachments
Body of e-mail designed to look legitimate
Image httpsmyonlinesecuritycouk
Example
Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive
UNCLASSIFIED 8
UNCLASSIFIED TLPWHITE
3282019
Macros
Image httpsmyonlinesecuritycouk
GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions
UNCLASSIFIED 9
UNCLASSIFIED TLPWHITE
3282019
Source Symantec
Source Malwarebytes
Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam
ndash Necurs botnet Exploit kits
ndash Fallout RIG Magnitude GrandSoft Social Engineering
Once itrsquos on your system how does it stay there
Persistence Living off the land (both default and post-installation tools)
ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro
UNCLASSIFIED 10
UNCLASSIFIED TLPWHITE
3282019
GandCrab ndash VersionsHow to identify the version
UNCLASSIFIED 11
UNCLASSIFIED TLPWHITE
3282019
VERSION EXTENSION RANSOM NOTE
1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB
4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB
5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA
501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG
502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR
503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL
503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI
505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI
505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD
Source Bitdefender
GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)
UNCLASSIFIED 12
UNCLASSIFIED TLPWHITE
3282019
VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
GandCrab ndash Yara ruleimport pe
rule gandcrab_win32_downloader_unpack meta
author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4
strings$mz = 4d 5a
$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword
$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide
$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB
condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)
UNCLASSIFIED 13
UNCLASSIFIED TLPWHITE
3282019
YARA A rule-based tool for malware analysts to identify and analyze malware
GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce
strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51
ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note
Employ a zero-day recovery approachhttpswwwnomoreransomorg
UNCLASSIFIED 14
UNCLASSIFIED TLPWHITE
3282019
Source blogmalwarebytescom
GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash
ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies
Social Engineering ndash User awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
UNCLASSIFIED 15
UNCLASSIFIED TLPWHITE
3282019
We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx
Do not pay ransom
We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks
Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue
UNCLASSIFIED 16
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-
gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-
executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018
httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-
malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-
gandcrab-ransomware-free-decrypter-in-the-past-year
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
"The GandCrab Ransomware Mindset." Check Point Research, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a Free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET Knowledgebase. https://support.eset.com/kb7049/
"GandCrab Ransomware Decryption Tool." No More Ransom.
References – Further Reading (continued)
Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike Blog, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender Labs, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & NetSupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New .CRAB Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
Abrams, Lawrence. "GandCrab V4 Released With the New .KRAB Extension for Encrypted Files." BleepingComputer, July 2, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Threat Research Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew; Cramer, Cathy; Miner, Emily; and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
Botezatu, Bogdan. "GandCrab Ransomware Decryption Tool Available for Free." Bitdefender Labs, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, January 30, 2018 (last updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
"2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Mayra Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired press release. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
References – Further Reading (continued)
Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." SensorsTechForum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader - There's More To This Than Meets The Eye." Cyber Security Blog - Tools and Malware Analysis (tccontre), November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
Europol press release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
VirusTotal. GandCrab sample entry (SHA256 69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d). https://www.virustotal.com/#/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
– Exploit Landscape
– Dark web PHI Marketplace
Product Evaluations: Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.
Requests for Information: Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.
Questions?
Image: SC Magazine
GandCrab ndash IntroductionGandcrab - Intro First identified on January 26 2018 Itrsquos a form of ransomware aggressively updated
ndash Over 500000 global infections since first release Offered as Ransomware-as-a-Service (RaaS)
ndash Operators arenrsquot necessarily technical Developers outsource attacks split profits
ndash Monetization Per PC not lump sumndash Typical ransoms $300 to $6000 (Dash)
Spread via common tacticsndash Malspamphishingndash Remote Desktop Protocol (RDP)ndash Virtual Network Computing (VNC)
Other functionsndash Can bypass some firewalls and AVsndash Can detect sandboxes and virtual machines
Used to target Windows systems in large organizations (big game hunting)
UNCLASSIFIED 4
UNCLASSIFIED TLPWHITE
3282019
Image SC Magazine
GandCrab ndash UpdatesWhatrsquos changed recently Version 52 is out
ndash Decryptors exist for all versions previous to 52 Better affiliate relationships
ndash Structured profitable long-term agreementsndash Separation between developers and operationsndash Incentive to use GandCrab
Big game huntingndash Increased reconnaissancendash Even more persistence against high-value
targetsndash High-value targetsndash ldquoFrom mob attack to surgical strikerdquo
UNCLASSIFIED 5
UNCLASSIFIED TLPWHITE
3282019
Image BestTechTips
GandCrab ndash ActorPINCHY SPIDER (GandCrab developers) Named by CrowdStrike
ndash ldquohellipthe latest eCrime adversaries to join the growing trend of targeted low-volumehigh-return ransomware deployments known as lsquobig game huntingrsquordquo
ndash Unknown country(ies) of operation or any nation-state affiliation Offered as RaaS Uses distributors to infect systems
ndash Allows for PINCHY SPIDER to focus on development vice infectionsndash Provides separation between victims and PINCHY SPIDERndash Splits profits (6040 and sometimes 7030)ndash Operators arenrsquot necessarily technical
UNCLASSIFIED 6
UNCLASSIFIED TLPWHITE
3282019
Image Crowdstrike
Example Screenshot of fake CDC e-mail
UNCLASSIFIED 7
UNCLASSIFIED TLPWHITE
3282019
Fake e-mail address attempting to look legitimate
Malicious attachments
Body of e-mail designed to look legitimate
Image httpsmyonlinesecuritycouk
Example
Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive
UNCLASSIFIED 8
UNCLASSIFIED TLPWHITE
3282019
Macros
Image httpsmyonlinesecuritycouk
GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions
UNCLASSIFIED 9
UNCLASSIFIED TLPWHITE
3282019
Source Symantec
Source Malwarebytes
Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam
ndash Necurs botnet Exploit kits
ndash Fallout RIG Magnitude GrandSoft Social Engineering
Once itrsquos on your system how does it stay there
Persistence Living off the land (both default and post-installation tools)
ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro
UNCLASSIFIED 10
UNCLASSIFIED TLPWHITE
3282019
GandCrab ndash VersionsHow to identify the version
UNCLASSIFIED 11
UNCLASSIFIED TLPWHITE
3282019
VERSION EXTENSION RANSOM NOTE
1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB
4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB
5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA
501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG
502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR
503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL
503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI
505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI
505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD
Source Bitdefender
GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)
UNCLASSIFIED 12
UNCLASSIFIED TLPWHITE
3282019
VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
GandCrab ndash Yara ruleimport pe
rule gandcrab_win32_downloader_unpack meta
author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4
strings$mz = 4d 5a
$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword
$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide
$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB
condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)
UNCLASSIFIED 13
UNCLASSIFIED TLPWHITE
3282019
YARA A rule-based tool for malware analysts to identify and analyze malware
GandCrab – Solutions
Content filtering: deploys to the mail server; signature-based traffic blocking
Configuration management and strong password policy: periodically review all network hardware, devices and applications for their configurations; develop and enforce a strong password policy
Endpoint security: every system in the enterprise should be protected
Network traffic analysis: NetFlow and packet capture; real-time examination of system and network events
Data backup: network/cloud redundancy is critical
Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4, and 5.0.1 through 5.1
– https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
– Requires an Internet connection and the ransom note
Employ a zero-day recovery approach
https://www.nomoreransom.org
Source: blog.malwarebytes.com
GandCrab – Solutions (continued)
Infection vectors – GandCrab-specific countermeasures and mitigations
Remote Desktop Protocol and Virtual Network Computing – protect credentials and audit/log access
Corporate spam/phishing/malspam – user awareness training and content filtering
Exploit kits –
– User awareness training (visiting untrusted/suspicious websites)
– Whitelisting and blacklisting websites
– Implementing intrusion detection technologies
Social engineering – user awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx
Do not pay ransom
We recommend not paying ransom: there is no guarantee that files are decrypted and available again, and paying incentivizes future ransomware attacks.
Norsk Hydro: suffered a ransomware attack on March 19, 2019. Production management systems and equipment were rendered inoperable. Described as “crippling”, “debilitating” and “disastrous”. Reported $40 million loss in revenue.
References: Further Reading
Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks
Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again
Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web
Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service
Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware
Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public
"The GandCrab Ransomware Mindset." Checkpoint, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049
"GandCrab Ransomware Decryption Tool." No More Ransom.
References: Further Reading (continued)
Feeley, Brendon, Hartley, Bex, and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware." March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/?cid=soc%7Cc%7Ctw%7CGandCrab
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes
Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New ‘Change Wallpaper’ Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew, Cramer, Cathy, Miner, Emily, and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign
Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
Hioureas, Vasilios, and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike
"2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
References: Further Reading (continued)
Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis
Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
Biasini, Nick, with contributions from Lister, Nick, and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
"Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." Europol Press Release, October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
"GandCrab entry." VirusTotal. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace
Product Evaluations: Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.
Requests for Information: Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.
Questions
Image: SC Magazine
GandCrab – Updates
What's changed recently?
Version 5.2 is out
– Decryptors exist for all versions previous to 5.2
Better affiliate relationships
– Structured, profitable, long-term agreements
– Separation between developers and operations
– Incentive to use GandCrab
Big game hunting
– Increased reconnaissance
– Even more persistence against high-value targets
– High-value targets
– “From mob attack to surgical strike”
Image: BestTechTips
GandCrab – Actor
PINCHY SPIDER (GandCrab developers)
Named by CrowdStrike
– “…the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as ‘big game hunting’”
– Unknown country(ies) of operation or any nation-state affiliation
Offered as RaaS
Uses distributors to infect systems
– Allows PINCHY SPIDER to focus on development rather than infections
– Provides separation between victims and PINCHY SPIDER
– Splits profits (60/40 and sometimes 70/30)
– Operators aren't necessarily technical
Image: CrowdStrike
Example: screenshot of a fake CDC e-mail
Fake e-mail address attempting to look legitimate
Malicious attachments
Body of e-mail designed to look legitimate
Image: https://myonlinesecurity.co.uk
Example
Macro: a series of commands and instructions, used in Microsoft Windows, grouped together as a single command to automate a task and make people more productive
Macros
Image: https://myonlinesecurity.co.uk
GandCrab – Ransom Notes
Example ransom notes: notification of compromise, expression of futility, compliance instructions
Source: Symantec
Source: Malwarebytes
Infection vectors and persistence
Infection vectors
Remote Desktop Protocol (RDP)
Virtual Network Computing (VNC)
Corporate spam/phishing/malspam
– Necurs botnet
Exploit kits
– Fallout, RIG, Magnitude, GrandSoft
Social engineering
Once it's on your system, how does it stay there?
Persistence: living off the land (both default and post-installation tools)
– Sysinternals ProcMon
– Process Hacker
– LAN Search Pro
GandCrab – Versions
How to identify the version
VERSION | EXTENSION | RANSOM NOTE
1 | .GDCB | Starts with —= GANDCRAB =— … the extension .GDCB
2 | .GDCB | Starts with —= GANDCRAB =— … the extension .GDCB
3 | .CRAB | Starts with —= GANDCRAB V3 =— … the extension .CRAB
4 | .KRAB | Starts with —= GANDCRAB V4 =— … the extension .KRAB
5 | .([A-Z]+) | Starts with —= GANDCRAB V5.0 =— … the extension .UKCZA
5.0.1 | .([A-Z]+) | Starts with —= GANDCRAB V5.0.1 =— … the extension .YIAQDG
5.0.2 | .([A-Z]+) | Starts with —= GANDCRAB V5.0.2 =— … the extension .CQXGPMKNR
5.0.3 | .([A-Z]+) | Starts with —= GANDCRAB V5.0.3 =— … the extension .HHFEHIOL
5.0.3 | .([A-Z]+) | Starts with —= GANDCRAB V5.0.4 =— … the extension .BYACZCZI
5.0.5 | .([A-Z]+) | Starts with —= GANDCRAB V5.0.5 =— … the extension .KZZXVWMLI
5.0.5 | .([A-Z]+) | Starts with —= GANDCRAB V5.1 =— … the extension .IJDHRQJD
Source: Bitdefender
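The identification logic of the table above, as an added example that is not part of the HC3 deck: it reads the version from the ransom-note header, cross-checks it against the extension of an encrypted file (fixed for v1 through v4, random capital letters from v5), and reports whether that version falls within the Bitdefender decryptor coverage stated on the Solutions slide (versions 1, 4, and 5.0.1 through 5.1). The ransom-note text and file names used as input are constructed.

```python
"""Classify a GandCrab infection from its ransom note and an encrypted file
name, following the version table above. Added example, not part of the
HC3 deck; the sample notes and file names below are constructed."""
import re
from typing import Optional, Tuple

# Ransom-note header, e.g. "---= GANDCRAB V5.0.1 =---". Versions 1 and 2
# use the bare header "---= GANDCRAB =---" with no version number.
NOTE_HEADER = re.compile(
    r"^\s*[-\u2014]+=\s*GANDCRAB(?:\s+V(?P<ver>\d+(?:\.\d+)*))?\s*=[-\u2014]+",
    re.IGNORECASE,
)

# Fixed extensions of the early versions. From v5 on the extension is a
# random run of capital letters, so it only confirms "v5 or later".
FIXED_EXTENSIONS = {".GDCB": "1/2", ".CRAB": "3", ".KRAB": "4"}
RANDOM_EXTENSION = re.compile(r"^\.[A-Z]{4,}$")  # .UKCZA, .CQXGPMKNR, ...


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.0.1' -> (5, 0, 1), padded so that '5' and '5.0' compare equal."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))


def identify_version(note_text: str, encrypted_filename: str) -> Optional[str]:
    """Return the version implied by the note header and the file extension
    together, or None when the note is not GandCrab's or the two disagree
    (a mismatch usually means a mislabelled sample or a copycat note)."""
    m = NOTE_HEADER.match(note_text)
    if not m:
        return None
    dot = encrypted_filename.rfind(".")
    ext = encrypted_filename[dot:].upper() if dot >= 0 else ""
    header_version = m.group("ver")  # None for the bare v1/v2 header

    if header_version is None:
        # Bare header: v1 or v2; both use .GDCB, so the two cannot be split.
        return "1/2" if ext == ".GDCB" else None
    if version_tuple(header_version) < (5, 0, 0):
        # v3 and v4 have fixed extensions that must agree with the note.
        return header_version if FIXED_EXTENSIONS.get(ext) == header_version else None
    # v5.x: random capital-letter extension; the note carries the version.
    return header_version if RANDOM_EXTENSION.match(ext) else None


def bitdefender_decryptor_covers(version: str) -> Optional[bool]:
    """Coverage as stated on the Solutions slide: versions 1, 4 and 5.0.1
    through 5.1. Returns None for the ambiguous '1/2' result, because only
    v1 is listed there."""
    if version == "1/2":
        return None
    v = version_tuple(version)
    return v in ((1, 0, 0), (4, 0, 0)) or (5, 0, 1) <= v <= (5, 1, 0)


if __name__ == "__main__":
    # Constructed inputs mirroring rows of the table above.
    samples = [
        ("---= GANDCRAB V5.0.1 =---\nAll your files have been encrypted", "report.docx.YIAQDG"),
        ("---= GANDCRAB V4 =---\n...", "budget.xlsx.KRAB"),
        ("---= GANDCRAB =---\n...", "scan.pdf.GDCB"),
        ("---= GANDCRAB V5.2 =---\n...", "notes.txt.XQWERTZ"),
        ("---= GANDCRAB V4 =---\n...", "budget.xlsx.CRAB"),  # note and extension disagree
    ]
    for note, name in samples:
        ver = identify_version(note, name)
        covered = bitdefender_decryptor_covers(ver) if ver else "n/a"
        print(f"{name:20} -> version {ver}, Bitdefender decryptor covers: {covered}")
```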
GandCrab – Indicators of compromise
Indicators of compromise (IOCs)
Version | Type | Hash (SHA256 hashes of GandCrab v5.1 and v5.2 samples; list omitted)
GandCrab ndash ActorPINCHY SPIDER (GandCrab developers) Named by CrowdStrike
ndash ldquohellipthe latest eCrime adversaries to join the growing trend of targeted low-volumehigh-return ransomware deployments known as lsquobig game huntingrsquordquo
ndash Unknown country(ies) of operation or any nation-state affiliation Offered as RaaS Uses distributors to infect systems
ndash Allows for PINCHY SPIDER to focus on development vice infectionsndash Provides separation between victims and PINCHY SPIDERndash Splits profits (6040 and sometimes 7030)ndash Operators arenrsquot necessarily technical
UNCLASSIFIED 6
UNCLASSIFIED TLPWHITE
3282019
Image Crowdstrike
Example Screenshot of fake CDC e-mail
UNCLASSIFIED 7
UNCLASSIFIED TLPWHITE
3282019
Fake e-mail address attempting to look legitimate
Malicious attachments
Body of e-mail designed to look legitimate
Image httpsmyonlinesecuritycouk
Example
Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive
UNCLASSIFIED 8
UNCLASSIFIED TLPWHITE
3282019
Macros
Image httpsmyonlinesecuritycouk
GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions
UNCLASSIFIED 9
UNCLASSIFIED TLPWHITE
3282019
Source Symantec
Source Malwarebytes
Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam
ndash Necurs botnet Exploit kits
ndash Fallout RIG Magnitude GrandSoft Social Engineering
Once itrsquos on your system how does it stay there
Persistence Living off the land (both default and post-installation tools)
ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro
UNCLASSIFIED 10
UNCLASSIFIED TLPWHITE
3282019
GandCrab – Versions
How to identify the version:

VERSION   EXTENSION          RANSOM NOTE
1         .GDCB              Starts with "—= GANDCRAB =—" … "the extension .GDCB"
2         .GDCB              Starts with "—= GANDCRAB =—" … "the extension .GDCB"
3         .CRAB              Starts with "—= GANDCRAB V3 =—" … "the extension .CRAB"
4         .KRAB              Starts with "—= GANDCRAB V4 =—" … "the extension .KRAB"
5         random ([A-Z]+)    Starts with "—= GANDCRAB V5.0 =—" … "the extension .UKCZA"
5.0.1     random ([A-Z]+)    Starts with "—= GANDCRAB V5.0.1 =—" … "the extension .YIAQDG"
5.0.2     random ([A-Z]+)    Starts with "—= GANDCRAB V5.0.2 =—" … "the extension .CQXGPMKNR"
5.0.3     random ([A-Z]+)    Starts with "—= GANDCRAB V5.0.3 =—" … "the extension .HHFEHIOL"
5.0.3     random ([A-Z]+)    Starts with "—= GANDCRAB V5.0.4 =—" … "the extension .BYACZCZI"
5.0.5     random ([A-Z]+)    Starts with "—= GANDCRAB V5.0.5 =—" … "the extension .KZZXVWMLI"
5.0.5     random ([A-Z]+)    Starts with "—= GANDCRAB V5.1 =—" … "the extension .IJDHRQJD"
Source: Bitdefender
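As an added example (not part of the briefing or of Bitdefender's material), the Python helper below applies the version table as a triage step: it reads the version tag from the ransom note header, maps the extension appended to an encrypted file back to a version, checks that the two artifacts agree, and reports whether the version falls inside the free decryptor coverage the Solutions slide states (versions 1, 4 and 5.0.1 through 5.1). The sample note and filename are constructed; the hyphen-for-em-dash tolerance is an assumption about how notes get pasted into tickets.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed extensions from the version table above. V1 and V2 both append .GDCB,
# so a .GDCB file or an untagged note only narrows it to "1 or 2". V5.x appends
# a random upper-case extension instead, so only the note header identifies it.
FIXED_EXTENSIONS: Dict[str, List[str]] = {
    "GDCB": ["1", "2"],
    "CRAB": ["3"],
    "KRAB": ["4"],
}
# The V5 extensions observed in the table are 5 to 10 upper-case letters.
RANDOM_EXTENSION = re.compile(r"^[A-Z]{5,10}$")

# A ransom note starts with "—= GANDCRAB =—" (V1/V2) or "—= GANDCRAB V<n> =—".
# Assumption: em dashes are often lost when a note is pasted into a ticket, so
# plain hyphens are accepted in their place.
NOTE_HEADER = re.compile(
    r"^\s*[\u2014-]+=\s*GANDCRAB(?:\s+V(?P<ver>\d+(?:\.\d+)*))?\s*=[\u2014-]+"
)

# Free decryptor coverage as stated on the Solutions slide: versions 1, 4 and
# 5.0.1 through 5.1. Anything newer (for example 5.2) is treated as not covered.
DECRYPTOR_EXACT = {(1,), (4,)}
DECRYPTOR_RANGE = ((5, 0, 1), (5, 1))


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.0.4' -> (5, 0, 4), so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def versions_from_note(note_text: str) -> List[str]:
    """Candidate versions from the first line of a ransom note ([] if no match)."""
    lines = note_text.strip().splitlines()
    match = NOTE_HEADER.match(lines[0]) if lines else None
    if not match:
        return []
    tag = match.group("ver")
    return [tag] if tag else ["1", "2"]   # untagged header: V1 or V2


def versions_from_filename(filename: str) -> List[str]:
    """Candidate versions from the extension appended to an encrypted file."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in FIXED_EXTENSIONS:
        return FIXED_EXTENSIONS[ext]
    if RANDOM_EXTENSION.match(ext):
        return ["5.x"]                     # some V5 build; the note decides which
    return []


def decryptor_covers(version: str) -> bool:
    """True when the stated decryptor coverage includes this exact version."""
    if version.endswith(".x"):
        return False                       # exact build unknown: do not promise
    v = parse_version(version)
    if v in DECRYPTOR_EXACT:
        return True
    low, high = DECRYPTOR_RANGE
    return low <= v <= high


def triage(note_text: str, filename: str) -> Dict[str, object]:
    """Combine note header and file extension into one triage verdict.

    'decryptable' is True when every candidate version is covered, False when
    none is, and None when the candidates disagree (for example V1 vs V2).
    """
    from_note = versions_from_note(note_text)
    from_file = versions_from_filename(filename)
    if from_note and from_file:
        if from_file == ["5.x"]:
            consistent = all(v.startswith("5") for v in from_note)
        else:
            consistent = from_file == from_note
    else:
        consistent = True                  # only one artifact: nothing to compare
    candidates = from_note or from_file
    covered = [decryptor_covers(v) for v in candidates]
    decryptable: Optional[bool]
    if not candidates or not any(covered):
        decryptable = False
    elif all(covered):
        decryptable = True
    else:
        decryptable = None
    return {"versions": candidates, "consistent": consistent, "decryptable": decryptable}


if __name__ == "__main__":
    # Constructed sample: a V5.2 note as it might be pasted into a ticket.
    sample_note = "---= GANDCRAB V5.2 =---\nAll your files have been encrypted..."
    print(triage(sample_note, "patient_list.xlsx.IJDHRQJD"))
```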
GandCrab – Indicators of compromise
Indicators of compromise (IOCs): SHA256 file hashes for GandCrab v5.1 and v5.2 samples.
GandCrab – Yara rule

import "pe"

rule gandcrab_win32_downloader_unpack
{
    meta:
        author = "tccontre"
        description = "detecting gandcrab downloader"
        date = "2018-11-08"
        sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

    strings:
        // "MZ" header of a Windows executable, required at offset 0
        $mz = { 4d 5a }
        $s1 = "open=_DeviceManager.exe" fullword
        $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword
        // Strings tied to the downloader's defence-evasion behaviour
        $c0 = "DisableAntiSpyware" fullword wide
        $c1 = "DisableBehaviorMonitoring" fullword wide
        $c2 = "FirewallDisableNotify" fullword wide
        $c3 = "lsT80870405687060" fullword
        $c4 = "RecycleBin" fullword wide
        $c5 = "autorun.inf" fullword wide
        // Code fragments from the unpacked downloader
        $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
        $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
}

YARA: A rule-based tool for malware analysts to identify and analyze malware.
GandCrab – Solutions
Content filtering: Deploys to mail server; signature-based traffic blocking
Configuration management and strong password policy: Periodically review all network hardware, devices and applications for configurations; develop and enforce a strong password policy
Endpoint security: Every system in the enterprise should be protected
Network traffic analysis: NetFlow and packet capture; real-time examination of system and network events
Data backup: Network/cloud redundancy is critical
Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4, and 5.0.1 through 5.1
 – https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
 – Requires Internet connection and ransom note
Employ a zero-day recovery approach: https://www.nomoreransom.org
Source: blog.malwarebytes.com
GandCrab – Solutions (continued)
Infection vectors – GandCrab-specific countermeasures and mitigations:
Remote Desktop Protocol and Virtual Network Computing – Protect credentials and audit/log access
Corporate spam/phishing/malspam – User awareness training and content filtering
Exploit kits –
 – User awareness training (visiting untrusted/suspicious websites)
 – Whitelisting and blacklisting websites
 – Implementing intrusion detection technologies
Social Engineering – User awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

Do not pay ransom
We recommend not paying ransom:
 – No guarantee files are decrypted and available again
 – It incentivizes future ransomware attacks
Norsk Hydro: Suffered from a ransomware attack on March 19, 2019. Production management systems and equipment were rendered inoperable. Described as "crippling", "debilitating" and "disastrous". Reported $40 million loss in revenue.
References / Further Reading
Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
"The GandCrab Ransomware Mindset." Check Point, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
"GandCrab Ransomware Decryption Tool." No More Ransom.
References / Further Reading (continued)
Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & NetSupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New .CRAB Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
Abrams, Lawrence. "GandCrab V4 Released With the New .KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew; Cramer, Cathy; Miner, Emily; and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Hioueras, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
"2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
References / Further Reading (continued)
Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." SensorsTechForum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
 • Exploit Landscape
 • Dark web PHI Marketplace

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.

Requests for Information
Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.

Questions?
Image: SC Magazine
- GandCrab Ransomware Update
- GandCrab – Agenda
- Ransomware – What/Why
- GandCrab – Introduction
- GandCrab – Updates
- GandCrab – Actor
- Example
- Example
- GandCrab – Ransom Notes
- Infection vectors and persistence
- GandCrab – Versions
- GandCrab – Indicators of compromise
- GandCrab – Yara rule
- GandCrab – Solutions
- GandCrab – Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
Example Screenshot of fake CDC e-mail
UNCLASSIFIED 7
UNCLASSIFIED TLPWHITE
3282019
Fake e-mail address attempting to look legitimate
Malicious attachments
Body of e-mail designed to look legitimate
Image httpsmyonlinesecuritycouk
Example
Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive
UNCLASSIFIED 8
UNCLASSIFIED TLPWHITE
3282019
Macros
Image httpsmyonlinesecuritycouk
GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions
UNCLASSIFIED 9
UNCLASSIFIED TLPWHITE
3282019
Source Symantec
Source Malwarebytes
Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam
ndash Necurs botnet Exploit kits
ndash Fallout RIG Magnitude GrandSoft Social Engineering
Once itrsquos on your system how does it stay there
Persistence Living off the land (both default and post-installation tools)
ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro
UNCLASSIFIED 10
UNCLASSIFIED TLPWHITE
3282019
GandCrab ndash VersionsHow to identify the version
UNCLASSIFIED 11
UNCLASSIFIED TLPWHITE
3282019
VERSION EXTENSION RANSOM NOTE
1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB
4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB
5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA
501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG
502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR
503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL
503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI
505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI
505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD
Source Bitdefender
GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)
UNCLASSIFIED 12
UNCLASSIFIED TLPWHITE
3282019
VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
GandCrab ndash Yara ruleimport pe
rule gandcrab_win32_downloader_unpack meta
author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4
strings$mz = 4d 5a
$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword
$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide
$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB
condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)
UNCLASSIFIED 13
UNCLASSIFIED TLPWHITE
3282019
YARA A rule-based tool for malware analysts to identify and analyze malware
GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce
strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51
ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note
Employ a zero-day recovery approachhttpswwwnomoreransomorg
UNCLASSIFIED 14
UNCLASSIFIED TLPWHITE
3282019
Source blogmalwarebytescom
GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash
ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies
Social Engineering ndash User awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
UNCLASSIFIED 15
UNCLASSIFIED TLPWHITE
3282019
We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx
Do not pay ransom
We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks
Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue
UNCLASSIFIED 16
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-
gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-
executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018
httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-
malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-
gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-
era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-
ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-
decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-
ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-
wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-
decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049
UNCLASSIFIED 17
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019
httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-
nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018
httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018
httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-
distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-
ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-
with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-
with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-
downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-
accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019
httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018
httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-
strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-
intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-
ransomware-is-detected-healthcare-industry-nyse-ntt-2145268htm
UNCLASSIFIED 18
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Krastev Ventsislav Killswitch File Now Available for GandCrab v412 Ransomware Sensors Tech Forum July 19 2018 httpssensorstechforumcomkillswitch-file-now-available-gandcrab-
v4-1-2-ransomware Boczan Tamas The Evolution of GandCrab Ransomware VMRay Cybersecurity Blog June 5 2018 (updated July 9 2018) httpswwwvmraycomcyber-security-bloggandcrab-ransomware-
evolution-analysis Malwarebytes Labs Malwarebytes Blog GandCrab ransomware distributed by RIG and GrandSoft exploit kits January 30 2018 (updated May 10 2018) httpsblogmalwarebytescomthreat-
analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Biasini Nick with contributions from Lister Nick and Marczewski Christopher Cisco Talos Blog Gandcrab Ransomware Walks its Way onto Compromised Sites May 9 2018
httpsblogtalosintelligencecom201805gandcrab-compromised-siteshtml Duncan Brad SANS Internet Storm Center InfoSec Handlers Dairy Blog Ransomware news GlobeImposter gets a facelift GandCrab is still out there March 7 2018
httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-
gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-
more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails
UNCLASSIFIED 19
UNCLASSIFIED TLPWHITE
3282019
Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace
Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV
Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV
20
UNCLASSIFIED
6212018
Questions
UNCLASSIFIED
UNCLASSIFIED
3282019
TLPWHITE
Image SC Magazine
- GandCrab Ransomware Update
- GandCrab ndash Agenda
- Ransomware ndash WhatWhy
- GandCrab ndash Introduction
- GandCrab ndash Updates
- GandCrab ndash Actor
- Example
- Example
- GandCrab ndash Ransom Notes
- Infection vectors and persistence
- GandCrab ndash Versions
- GandCrab ndash Indicators of compromise
- GandCrab ndash Yara rule
- GandCrab ndash Solutions
- GandCrab ndash Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
-
Example
Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive
UNCLASSIFIED 8
UNCLASSIFIED TLPWHITE
3282019
Macros
Image httpsmyonlinesecuritycouk
GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions
UNCLASSIFIED 9
UNCLASSIFIED TLPWHITE
3282019
Source Symantec
Source Malwarebytes
Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam
ndash Necurs botnet Exploit kits
ndash Fallout RIG Magnitude GrandSoft Social Engineering
Once itrsquos on your system how does it stay there
Persistence Living off the land (both default and post-installation tools)
ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro
UNCLASSIFIED 10
UNCLASSIFIED TLPWHITE
3282019
GandCrab – Versions
How to identify the version

| Version | Extension | Ransom note |
|---|---|---|
| 1 | GDCB | Starts with "—= GANDCRAB =—" … the extension GDCB |
| 2 | GDCB | Starts with "—= GANDCRAB =—" … the extension GDCB |
| 3 | CRAB | Starts with "—= GANDCRAB V3 =—" … the extension CRAB |
| 4 | KRAB | Starts with "—= GANDCRAB V4 =—" … the extension KRAB |
| 5.0 | ([A-Z]+) | Starts with "—= GANDCRAB V5.0 =—" … the extension UKCZA |
| 5.0.1 | ([A-Z]+) | Starts with "—= GANDCRAB V5.0.1 =—" … the extension YIAQDG |
| 5.0.2 | ([A-Z]+) | Starts with "—= GANDCRAB V5.0.2 =—" … the extension CQXGPMKNR |
| 5.0.3 | ([A-Z]+) | Starts with "—= GANDCRAB V5.0.3 =—" … the extension HHFEHIOL |
| 5.0.4 | ([A-Z]+) | Starts with "—= GANDCRAB V5.0.4 =—" … the extension BYACZCZI |
| 5.0.5 | ([A-Z]+) | Starts with "—= GANDCRAB V5.0.5 =—" … the extension KZZXVWMLI |
| 5.1 | ([A-Z]+) | Starts with "—= GANDCRAB V5.1 =—" … the extension IJDHRQJD |

Source: Bitdefender
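A small triage helper, added here as an example and not HC3's or Bitdefender's code, that applies the version table above: it reads the ransom-note header, cross-checks it against the extension of an encrypted file, and reports whether the Bitdefender decryptor described on the Solutions slide (versions 1, 4 and 5.0.1 through 5.1) covers the identified version. The sample notes are constructed; the decryptable set is that slide's statement expanded against the table's rows.

```python
"""Identify a GandCrab version from ransom-note header plus file extension,
then check it against the decryptor coverage stated on the Solutions slide.
Example code written for this page (not HC3's or Bitdefender's)."""
import re
from typing import Dict, Optional, Tuple

# Version table from the slide (source: Bitdefender).
# version -> (tag after "GANDCRAB" in the note header, fixed extension).
# A None extension means the table gives a pattern ([A-Z]+) rather than a
# fixed value: the extension varies per infection and is uppercase letters.
VERSION_TABLE: Dict[str, Tuple[str, Optional[str]]] = {
    "1":     ("",       "GDCB"),
    "2":     ("",       "GDCB"),
    "3":     ("V3",     "CRAB"),
    "4":     ("V4",     "KRAB"),
    "5.0":   ("V5.0",   None),
    "5.0.1": ("V5.0.1", None),
    "5.0.2": ("V5.0.2", None),
    "5.0.3": ("V5.0.3", None),
    "5.0.4": ("V5.0.4", None),
    "5.0.5": ("V5.0.5", None),
    "5.1":   ("V5.1",   None),
}

# "versions 1, 4 and 5.0.1 through 5.1" (Solutions slide), expanded against
# the rows of VERSION_TABLE. Assumption: "through" is inclusive of 5.0.x.
DECRYPTABLE = frozenset({"1", "4", "5.0.1", "5.0.2", "5.0.3",
                         "5.0.4", "5.0.5", "5.1"})

# Header shape "---= GANDCRAB V5.0.4 =---"; the slide renders the dashes as
# an em dash, so both plain hyphens and U+2014 are accepted.
HEADER_RE = re.compile(
    r"^[-\u2014]*=\s*GANDCRAB(?:\s+(V[0-9.]+))?\s*=[-\u2014]*\s*$")
RANDOM_EXT_RE = re.compile(r"^[A-Z]+$")


def parse_header(note_text: str) -> Optional[str]:
    """Version tag from the first non-empty line of the note: "" for the
    untagged v1/v2 header, "V4", "V5.0.4", ...; None if not a GandCrab header."""
    for line in note_text.splitlines():
        if line.strip():
            m = HEADER_RE.match(line.strip())
            return (m.group(1) or "") if m else None
    return None


def identify_version(note_text: str, extension: str) -> Tuple[str, ...]:
    """Versions consistent with BOTH the note header and the extension.
    v1 and v2 share header and extension, so both are returned for them.
    An empty tuple means the two artefacts disagree: the note may be
    spoofed, or the sample may not be GandCrab at all."""
    tag = parse_header(note_text)
    if tag is None:
        return ()
    hits = []
    for version, (want_tag, fixed_ext) in VERSION_TABLE.items():
        if want_tag != tag:
            continue
        if fixed_ext is not None and extension != fixed_ext:
            continue
        if fixed_ext is None and not RANDOM_EXT_RE.match(extension):
            continue
        hits.append(version)
    return tuple(hits)


def decryptor_status(candidates: Tuple[str, ...]) -> str:
    """"yes" if every candidate is covered, "no" if none is, "possible" when
    the evidence cannot separate a covered from an uncovered version
    (the v1/v2 case), "unknown" when nothing matched."""
    if not candidates:
        return "unknown"
    covered = [v in DECRYPTABLE for v in candidates]
    if all(covered):
        return "yes"
    if not any(covered):
        return "no"
    return "possible"


def triage(note_text: str, encrypted_filename: str) -> Dict[str, object]:
    """Combine the note with one encrypted file name, e.g. 'scan.pdf.KRAB'."""
    ext = encrypted_filename.rsplit(".", 1)[-1] if "." in encrypted_filename else ""
    candidates = identify_version(note_text, ext)
    return {"extension": ext, "candidates": candidates,
            "decryptor": decryptor_status(candidates)}


# Constructed sample notes; only the header line follows the real layout.
NOTE_V4 = "---= GANDCRAB V4 =---\n\nAttention! All your files have been encrypted.\n"
NOTE_V1 = "\u2014= GANDCRAB =\u2014\nAll your files were encrypted.\n"
NOTE_V504 = "---= GANDCRAB V5.0.4 =---\nAll your files, documents, photos...\n"

if __name__ == "__main__":
    for note, name in ((NOTE_V4, "scan.pdf.KRAB"), (NOTE_V1, "budget.xlsx.GDCB"),
                       (NOTE_V504, "notes.txt.BYACZCZI"), (NOTE_V4, "x.doc.CRAB")):
        print(name, "->", triage(note, name))
```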
GandCrab – Indicators of compromise
Indicators of compromise (IOCs): SHA256 file hashes for GandCrab v5.1 and v5.2 samples.
GandCrab – Yara rule

```yara
import "pe"

rule gandcrab_win32_downloader_unpack
{
    meta:
        author = "tccontre"
        description = "detecting gandcrab downloader"
        date = "2018-11-08"
        sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

    strings:
        // DOS header magic "MZ"
        $mz = { 4d 5a }

        // Strings from the downloader's embedded SFX config and HTTP client
        $s1 = "open=_DeviceManager.exe" fullword
        $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword

        // Defender/firewall registry value names and other artefacts it touches
        $c0 = "DisableAntiSpyware" fullword wide
        $c1 = "DisableBehaviorMonitoring" fullword wide
        $c2 = "FirewallDisableNotify" fullword wide
        $c3 = "lsT80870405687060" fullword
        $c4 = "RecycleBin" fullword wide
        $c5 = "autorun.inf" fullword wide

        // Code fragments from the unpacking routine
        $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
        $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
}
```

YARA: A rule-based tool for malware analysts to identify and analyze malware.
GandCrab – Solutions
- Content filtering: Deploys to the mail server; signature-based traffic blocking.
- Configuration management and strong password policy: Periodically review all network hardware, devices and applications for configurations; develop and enforce a strong password policy.
- Endpoint security: Every system in the enterprise should be protected.
- Network traffic analysis: NetFlow and packet capture; real-time examination of system and network events.
- Data backup: Network/cloud redundancy is critical.
- Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4 and 5.0.1 through 5.1.
  – https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
  – Requires an Internet connection and the ransom note.
- Employ a zero-day recovery approach: https://www.nomoreransom.org
Source: blog.malwarebytes.com
GandCrab – Solutions (continued)
Infection vectors – GandCrab-specific countermeasures and mitigations:
- Remote Desktop Protocol and Virtual Network Computing – Protect credentials and audit/log access.
- Corporate spam/phishing/malspam – User awareness training and content filtering.
- Exploit kits –
  – User awareness training (visiting untrusted/suspicious websites)
  – Whitelisting and blacklisting websites
  – Implementing intrusion detection technologies
- Social engineering – User awareness training.
WE DO NOT RECOMMEND PAYING A RANSOM
We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx
Do not pay ransom
We recommend not paying ransom:
- There is no guarantee files are decrypted and available again.
- It incentivizes future ransomware attacks.
Norsk Hydro: Suffered a ransomware attack on March 19, 2019. Production management systems and equipment were rendered inoperable. Described as "crippling", "debilitating" and "disastrous". Reported $40 million loss in revenue.
References / Further Reading
- Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
- Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
- Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
- Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
- Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
- Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
- Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
- Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
- "Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
- "GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
- "GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
- Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
- "The GandCrab Ransomware Mindset." Check Point, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
- Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
- "Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
- "GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
- "GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
- "GandCrab." The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
- "GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
- Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
- "Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
- "GandCrab Ransomware Decryption Tool." No More Ransom.
References / Further Reading (continued)
- Feeley, Brendon, Hartley, Bex and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
- Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/?cid=soc%7Cc%7Ctw%7CGandCrab
- Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
- Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
- Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
- Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
- Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
- Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
- Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
- Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
- Costis, Andrew, Cramer, Cathy, Miner, Emily and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
- Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
- Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
- Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
- "2017 Cylance Threat Report." https://pages.cylance.com/2018-03CylanceThreatReport2017.html
- "Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
- Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
- "Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
References / Further Reading (continued)
- Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
- Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
- Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
- Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
- Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
- "RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
- Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
- VirusTotal GandCrab entry. https://www.virustotal.com/#/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace
Product Evaluations: Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.
Requests for Information: Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.
Questions?
Image: SC Magazine
- GandCrab Ransomware Update
- GandCrab ndash Agenda
- Ransomware ndash WhatWhy
- GandCrab ndash Introduction
- GandCrab ndash Updates
- GandCrab ndash Actor
- Example
- Example
- GandCrab ndash Ransom Notes
- Infection vectors and persistence
- GandCrab ndash Versions
- GandCrab ndash Indicators of compromise
- GandCrab ndash Yara rule
- GandCrab ndash Solutions
- GandCrab ndash Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
-
GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions
UNCLASSIFIED 9
UNCLASSIFIED TLPWHITE
3282019
Source Symantec
Source Malwarebytes
Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam
ndash Necurs botnet Exploit kits
ndash Fallout RIG Magnitude GrandSoft Social Engineering
Once itrsquos on your system how does it stay there
Persistence Living off the land (both default and post-installation tools)
ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro
UNCLASSIFIED 10
UNCLASSIFIED TLPWHITE
3282019
GandCrab ndash VersionsHow to identify the version
UNCLASSIFIED 11
UNCLASSIFIED TLPWHITE
3282019
VERSION EXTENSION RANSOM NOTE
1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB
4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB
5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA
501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG
502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR
503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL
503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI
505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI
505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD
Source Bitdefender
GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)
UNCLASSIFIED 12
UNCLASSIFIED TLPWHITE
3282019
VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
GandCrab ndash Yara ruleimport pe
rule gandcrab_win32_downloader_unpack meta
author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4
strings$mz = 4d 5a
$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword
$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide
$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB
condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)
UNCLASSIFIED 13
UNCLASSIFIED TLPWHITE
3282019
YARA A rule-based tool for malware analysts to identify and analyze malware
GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce
strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51
ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note
Employ a zero-day recovery approachhttpswwwnomoreransomorg
UNCLASSIFIED 14
UNCLASSIFIED TLPWHITE
3282019
Source blogmalwarebytescom
GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash
ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies
Social Engineering ndash User awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
UNCLASSIFIED 15
UNCLASSIFIED TLPWHITE
3282019
We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx
Do not pay ransom
We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks
Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue
UNCLASSIFIED 16
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-
gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-
executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018
httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-
malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-
gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-
era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-
ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-
decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-
ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-
wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-
decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049
UNCLASSIFIED 17
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019
httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-
nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018
httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018
httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-
distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-
ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-
with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-
with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-
downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-
accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019
httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018
httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-
strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-
intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-
ransomware-is-detected-healthcare-industry-nyse-ntt-2145268htm
UNCLASSIFIED 18
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Krastev Ventsislav Killswitch File Now Available for GandCrab v412 Ransomware Sensors Tech Forum July 19 2018 httpssensorstechforumcomkillswitch-file-now-available-gandcrab-
v4-1-2-ransomware Boczan Tamas The Evolution of GandCrab Ransomware VMRay Cybersecurity Blog June 5 2018 (updated July 9 2018) httpswwwvmraycomcyber-security-bloggandcrab-ransomware-
evolution-analysis Malwarebytes Labs Malwarebytes Blog GandCrab ransomware distributed by RIG and GrandSoft exploit kits January 30 2018 (updated May 10 2018) httpsblogmalwarebytescomthreat-
analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Biasini Nick with contributions from Lister Nick and Marczewski Christopher Cisco Talos Blog Gandcrab Ransomware Walks its Way onto Compromised Sites May 9 2018
httpsblogtalosintelligencecom201805gandcrab-compromised-siteshtml Duncan Brad SANS Internet Storm Center InfoSec Handlers Dairy Blog Ransomware news GlobeImposter gets a facelift GandCrab is still out there March 7 2018
httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-
gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-
more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails
UNCLASSIFIED 19
UNCLASSIFIED TLPWHITE
3282019
Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace
Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV
Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV
20
UNCLASSIFIED
6212018
Questions
UNCLASSIFIED
UNCLASSIFIED
3282019
TLPWHITE
Image SC Magazine
- GandCrab Ransomware Update
- GandCrab ndash Agenda
- Ransomware ndash WhatWhy
- GandCrab ndash Introduction
- GandCrab ndash Updates
- GandCrab ndash Actor
- Example
- Example
- GandCrab ndash Ransom Notes
- Infection vectors and persistence
- GandCrab ndash Versions
- GandCrab ndash Indicators of compromise
- GandCrab ndash Yara rule
- GandCrab ndash Solutions
- GandCrab ndash Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
-
Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam
ndash Necurs botnet Exploit kits
ndash Fallout RIG Magnitude GrandSoft Social Engineering
Once itrsquos on your system how does it stay there
Persistence Living off the land (both default and post-installation tools)
ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro
UNCLASSIFIED 10
UNCLASSIFIED TLPWHITE
3282019
GandCrab ndash VersionsHow to identify the version
UNCLASSIFIED 11
UNCLASSIFIED TLPWHITE
3282019
VERSION EXTENSION RANSOM NOTE
1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB
4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB
5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA
501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG
502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR
503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL
503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI
505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI
505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD
Source Bitdefender
GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)
UNCLASSIFIED 12
UNCLASSIFIED TLPWHITE
3282019
Version        Type     Hash
GandCrab v5.1  SHA256   0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v5.2  SHA256   329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v5.2  SHA256   bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v5.2  SHA256   d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v5.2  SHA256   d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v5.2  SHA256   f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v5.2  SHA256   fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
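To make the version table and the hash list usable during triage, here is an added Python example; it is not code from the HC3 deck or from any vendor named here. It parses the ransom-note banner and "the extension" line that the version table describes, classifies an observed file extension against the table (fixed extensions for 1 through 4, a random upper-case extension for 5.x), and hashes files against the SHA256 indicators above. The directory layout, file names and note text it builds are constructed sample data; the banner pattern accepts both the em-dash and hyphen forms of the "= GANDCRAB Vx.y =" header, and the 5-or-more-letters heuristic for random extensions is an assumption drawn from the sample extensions in the table.

```python
"""GandCrab triage helper: added example, not code from the HC3 deck.

It assumes (as the version table states) that the ransom note begins with a
"---= GANDCRAB Vx.y =---" banner and later names "the extension .XXXX", and
that 5.x builds use a random upper-case extension. Sample data is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# SHA256 indicators transcribed from the IOC slide (hash -> version).
GANDCRAB_SHA256 = {
    "0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f": "v5.1",
    "329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9": "v5.2",
    "bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc": "v5.2",
    "d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62": "v5.2",
    "d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6": "v5.2",
    "f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1": "v5.2",
    "fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4": "v5.2",
}

# Fixed extensions for the early builds, per the version table.
FIXED_EXTENSIONS = {"GDCB": "1 or 2", "CRAB": "3", "KRAB": "4"}

# Banner: "---= GANDCRAB V5.0.4 =---" (hyphens or em dashes; V1/V2 carry no tag).
BANNER_RE = re.compile(
    r"^[-\u2014]+=\s*GANDCRAB(?:\s+V(?P<ver>\d+(?:\.\d+)*))?\s*=[-\u2014]+$",
    re.IGNORECASE)
EXT_RE = re.compile(r"the extension\s+\.?(?P<ext>[A-Z]+)\b", re.IGNORECASE)


def parse_ransom_note(text: str) -> Optional[dict]:
    """Extract version and extension from a note; None if the banner is absent."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None
    m = BANNER_RE.match(lines[0])
    if not m:
        return None
    version = m.group("ver") or "1 or 2"  # untagged banner = version 1 or 2
    ext = None
    for ln in lines[1:]:
        e = EXT_RE.search(ln)
        if e:
            ext = e.group("ext").upper()
            break
    return {"version": version, "extension": ext}


def classify_extension(ext: str) -> Optional[str]:
    """Map an observed extension to a version family, or None if unrelated.
    Heuristic (assumption): random 5.x extensions are 5+ upper-case letters."""
    ext = ext.lstrip(".")
    if ext in FIXED_EXTENSIONS:
        return FIXED_EXTENSIONS[ext]
    if re.fullmatch(r"[A-Z]{5,}", ext):
        return "5.x (random extension)"
    return None


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_ioc(digest: str) -> Optional[str]:
    return GANDCRAB_SHA256.get(digest.strip().lower())


def scan_directory(root: Path) -> dict:
    """Hash every file against the IOC list, parse small text/HTML files as
    candidate notes, and count extensions that fit the version table."""
    report = {"hash_hits": [], "notes": [], "extensions": {}}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        hit = match_ioc(sha256_of(p))
        if hit:
            report["hash_hits"].append((str(p), hit))
        ext = p.suffix.lstrip(".")
        if ext and classify_extension(ext):
            report["extensions"][ext] = report["extensions"].get(ext, 0) + 1
        if p.suffix.lower() in (".txt", ".html") and p.stat().st_size < 65536:
            parsed = parse_ransom_note(p.read_text(errors="replace"))
            if parsed:
                report["notes"].append((str(p), parsed))
    return report


# Constructed sample note (not a real GandCrab note); values from the table.
SAMPLE_NOTE = """---= GANDCRAB V5.0.4 =---
All your files have been encrypted and have the extension .BYACZCZI
This is a constructed sample for the example above.
"""


def demo() -> dict:
    """Build a constructed directory tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="gandcrab_triage_"))
    (root / "report.docx.BYACZCZI").write_bytes(b"constructed placeholder bytes")
    (root / "budget.xlsx.BYACZCZI").write_bytes(b"constructed placeholder bytes")
    (root / "ransom_note.txt").write_text(SAMPLE_NOTE)
    (root / "readme.txt").write_text("ordinary file with no banner\n")
    return scan_directory(root)


if __name__ == "__main__":
    print(demo())
```

Hash matching alone only catches the exact samples listed; the note parser and extension count are what tell an incident responder which version they are facing, which in turn decides whether one of the decryptors mentioned later in the deck applies.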
GandCrab – Yara rule

    import "pe"

    rule gandcrab_win32_downloader_unpack {
        meta:
            author = "tccontre"
            description = "detecting gandcrab downloader"
            date = "2018-11-08"
            sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"
        strings:
            // DOS header magic, anchored at offset 0 in the condition
            $mz = { 4d 5a }
            // autorun.inf-style launcher line and the hard-coded User-Agent
            $s1 = "open=_DeviceManager.exe" fullword
            $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword
            // configuration strings (Defender/firewall settings, marker, autorun)
            $c0 = "DisableAntiSpyware" fullword wide
            $c1 = "DisableBehaviorMonitoring" fullword wide
            $c2 = "FirewallDisableNotify" fullword wide
            $c3 = "lsT80870405687060" fullword
            $c4 = "RecycleBin" fullword wide
            $c5 = "autorun.inf" fullword wide
            // code fragments from the unpacking routine
            $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
            $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }
        condition:
            ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
    }
YARA: a rule-based tool for malware analysts to identify and analyze malware.
GandCrab – Solutions

- Content filtering: deploys to the mail server; signature-based traffic blocking.
- Configuration management and strong password policy: periodically review all network hardware, devices and applications for configurations; develop and enforce a strong password policy.
- Endpoint security: every system in the enterprise should be protected.
- Network traffic analysis: NetFlow and packet capture; real-time examination of system and network events.
- Data backup: network/cloud redundancy is critical.
- Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4 and 5.0.1 through 5.1.
  - https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
  - Requires an Internet connection and the ransom note.
- Employ a zero-day recovery approach: https://www.nomoreransom.org
Source: blog.malwarebytes.com
GandCrab – Solutions (continued)

Infection vectors – GandCrab-specific countermeasures and mitigations:
- Remote Desktop Protocol and Virtual Network Computing – protect credentials and audit/log access
- Corporate spam/phishing/malspam – user awareness training and content filtering
- Exploit kits –
  - user awareness training (visiting untrusted/suspicious websites)
  - whitelisting and blacklisting websites
  - implementing intrusion detection technologies
- Social engineering – user awareness training

WE DO NOT RECOMMEND PAYING A RANSOM
We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx
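The RDP/VNC mitigation above ("protect credentials and audit/log access") is easier to act on with a concrete detection. The following is an added Python example, not from the HC3 deck, that correlates Windows Security log events 4624 (logon success) and 4625 (logon failure) with Logon Type 10 (RemoteInteractive, the standard RDP value) to flag a credential-guessing burst against RDP and any successful logon from the same source shortly after it. The one-line "key=value" export format, the user names and the IP addresses are constructed sample data; a real deployment would feed the same function from an event export or a SIEM query.

```python
"""RDP logon audit correlation: added example, not from the HC3 deck.

Event IDs 4624/4625 and Logon Type 10 are standard Windows Security log
values; the one-line "key=value" export format below is constructed for this
example and is not a native Windows log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: a credential-guessing burst from 203.0.113.9 that ends
# in a successful RDP logon, plus ordinary activity from 10.0.0.25.
SAMPLE_EVENTS = """\
2019-03-28T02:14:01 EventID=4625 LogonType=10 User=admin Src=203.0.113.9
2019-03-28T02:14:03 EventID=4625 LogonType=10 User=administrator Src=203.0.113.9
2019-03-28T02:14:06 EventID=4625 LogonType=10 User=admin Src=203.0.113.9
2019-03-28T02:14:09 EventID=4625 LogonType=10 User=backup Src=203.0.113.9
2019-03-28T02:14:12 EventID=4625 LogonType=10 User=admin Src=203.0.113.9
2019-03-28T02:14:15 EventID=4625 LogonType=10 User=itsupport Src=203.0.113.9
2019-03-28T02:19:40 EventID=4624 LogonType=10 User=itsupport Src=203.0.113.9
2019-03-28T09:01:10 EventID=4624 LogonType=10 User=jdoe Src=10.0.0.25
2019-03-28T09:05:00 EventID=4625 LogonType=2 User=jdoe Src=-
2019-03-28T09:30:00 EventID=4625 LogonType=10 User=jdoe Src=10.0.0.25
"""


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed export line; None if it is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        return {
            "ts": ts,
            "event_id": int(fields["EventID"]),
            "logon_type": int(fields["LogonType"]),
            "user": fields.get("User", "?"),
            "src": fields.get("Src", "?"),
        }
    except (ValueError, KeyError):
        return None


def detect_rdp_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold RDP failures inside `window`, and any
    RDP success from such a source within `window` of the flagged burst."""
    events = [e for e in map(parse_event, lines) if e and e["logon_type"] == 10]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src -> failure timestamps in window
    burst_at = {}                        # src -> time the burst was flagged
    findings = []
    for e in events:
        src = e["src"]
        if e["event_id"] == 4625:
            # keep only failures still inside the sliding window, then add this one
            recent_failures[src] = [t for t in recent_failures[src]
                                    if e["ts"] - t <= window]
            recent_failures[src].append(e["ts"])
            if len(recent_failures[src]) >= threshold and src not in burst_at:
                burst_at[src] = e["ts"]
                findings.append({"type": "rdp_failed_burst", "src": src,
                                 "count": len(recent_failures[src]),
                                 "at": e["ts"].isoformat()})
        elif (e["event_id"] == 4624 and src in burst_at
              and e["ts"] - burst_at[src] <= window):
            # a success right after a burst is the high-priority signal
            findings.append({"type": "rdp_success_after_burst", "src": src,
                             "user": e["user"], "at": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_guessing(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The threshold and window are deliberately parameters: a burst alone is worth a ticket, but a success from the same source inside the window is the event that warrants isolating the host and resetting the account, since that is the RDP entry point the slide's mitigation is meant to close.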
Do not pay ransom

We recommend not paying ransom:
- No guarantee files are decrypted and available again
- It incentivizes future ransomware attacks

Norsk Hydro: suffered a ransomware attack on March 19, 2019. Production management systems and equipment were rendered inoperable. Described as "crippling", "debilitating" and "disastrous". Reported $40 million loss in revenue.
References / Further Reading

- Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks
- Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again
- Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web
- Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service
- Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware
- Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year
- Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers
- Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
- "Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
- "GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
- "GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
- Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public
- "The GandCrab Ransomware Mindset." Check Point, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset
- Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
- "Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild
- "GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware
- "GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
- "GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
- "GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
- Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
- "Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049
- "GandCrab Ransomware Decryption Tool." No More Ransom.
- Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting
- Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/?cid=soc%7Cc%7Ctw%7CGandCrab
- Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts
- Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
- Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager
- Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes
- Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files
- Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note
- Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image
- Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
- Costis, Andrew; Cramer, Cathy; Miner, Emily; Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign
- Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
- Hioueras, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
- Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike
- "2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
- "Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
- Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
- "Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
- Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." SensorsTechForum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware
- Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis
- Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
- Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
- Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
- "RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
- Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
- VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
- Exploit Landscape
- Dark web PHI Marketplace

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.

Requests for Information
Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.

Questions?

Image: SC Magazine
GandCrab ndash VersionsHow to identify the version
UNCLASSIFIED 11
UNCLASSIFIED TLPWHITE
3282019
VERSION EXTENSION RANSOM NOTE
1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB
3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB
4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB
5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA
501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG
502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR
503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL
503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI
505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI
505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD
Source Bitdefender
GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)
UNCLASSIFIED 12
UNCLASSIFIED TLPWHITE
3282019
VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
GandCrab ndash Yara ruleimport pe
rule gandcrab_win32_downloader_unpack meta
author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4
strings$mz = 4d 5a
$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword
$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide
$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB
condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)
UNCLASSIFIED 13
UNCLASSIFIED TLPWHITE
3282019
YARA A rule-based tool for malware analysts to identify and analyze malware
GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce
strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51
ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note
Employ a zero-day recovery approachhttpswwwnomoreransomorg
UNCLASSIFIED 14
UNCLASSIFIED TLPWHITE
3282019
Source blogmalwarebytescom
GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash
ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies
Social Engineering ndash User awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
UNCLASSIFIED 15
UNCLASSIFIED TLPWHITE
3282019
We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx
Do not pay ransom
We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks
Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue
UNCLASSIFIED 16
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-
gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-
executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018
httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-
malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-
gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-
era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-
ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-
decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-
ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-
wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-
decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049
UNCLASSIFIED 17
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019
httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-
nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018
httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018
httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-
distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-
ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-
with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-
with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-
downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-
accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019
httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018
httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-
strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-
intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-
ransomware-is-detected-healthcare-industry-nyse-ntt-2145268htm
UNCLASSIFIED 18
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Krastev Ventsislav Killswitch File Now Available for GandCrab v412 Ransomware Sensors Tech Forum July 19 2018 httpssensorstechforumcomkillswitch-file-now-available-gandcrab-
v4-1-2-ransomware Boczan Tamas The Evolution of GandCrab Ransomware VMRay Cybersecurity Blog June 5 2018 (updated July 9 2018) httpswwwvmraycomcyber-security-bloggandcrab-ransomware-
evolution-analysis Malwarebytes Labs Malwarebytes Blog GandCrab ransomware distributed by RIG and GrandSoft exploit kits January 30 2018 (updated May 10 2018) httpsblogmalwarebytescomthreat-
analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Biasini Nick with contributions from Lister Nick and Marczewski Christopher Cisco Talos Blog Gandcrab Ransomware Walks its Way onto Compromised Sites May 9 2018
httpsblogtalosintelligencecom201805gandcrab-compromised-siteshtml Duncan Brad SANS Internet Storm Center InfoSec Handlers Dairy Blog Ransomware news GlobeImposter gets a facelift GandCrab is still out there March 7 2018
httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-
gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-
more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails
UNCLASSIFIED 19
UNCLASSIFIED TLPWHITE
3282019
Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace
Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV
Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV
20
UNCLASSIFIED
6212018
Questions
UNCLASSIFIED
UNCLASSIFIED
3282019
TLPWHITE
Image SC Magazine
- GandCrab Ransomware Update
- GandCrab ndash Agenda
- Ransomware ndash WhatWhy
- GandCrab ndash Introduction
- GandCrab ndash Updates
- GandCrab ndash Actor
- Example
- Example
- GandCrab ndash Ransom Notes
- Infection vectors and persistence
- GandCrab ndash Versions
- GandCrab ndash Indicators of compromise
- GandCrab ndash Yara rule
- GandCrab ndash Solutions
- GandCrab ndash Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
-
GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)
UNCLASSIFIED 12
UNCLASSIFIED TLPWHITE
3282019
VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
GandCrab ndash Yara ruleimport pe
rule gandcrab_win32_downloader_unpack meta
author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4
strings$mz = 4d 5a
$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword
$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide
$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB
condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)
UNCLASSIFIED 13
UNCLASSIFIED TLPWHITE
3282019
YARA A rule-based tool for malware analysts to identify and analyze malware
GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce
strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51
ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note
Employ a zero-day recovery approachhttpswwwnomoreransomorg
UNCLASSIFIED 14
UNCLASSIFIED TLPWHITE
3282019
Source blogmalwarebytescom
GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash
ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies
Social Engineering ndash User awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
UNCLASSIFIED 15
UNCLASSIFIED TLPWHITE
3282019
We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx
Do not pay ransom
We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks
Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue
References / Further Reading
Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
"The GandCrab Ransomware Mindset." Check Point, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
"GandCrab Ransomware Decryption Tool." No More Ransom.
References / Further Reading (continued)
Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt "Big Game Hunting" Tactics to Distribute GandCrab Ransomware." March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew; Cramer, Cathy; Miner, Emily; Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Hioueras, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
"2017 Cylance Threat Report." https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
References / Further Reading (continued)
Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." Oct 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
VirusTotal GandCrab entry. https://www.virustotal.com/#/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace
Product Evaluations: recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV
Requests for Information: do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV
Questions
Image: SC Magazine
GandCrab – Yara rule

    import "pe"

    rule gandcrab_win32_downloader_unpack
    {
        meta:
            author = "tccontre"
            description = "detecting gandcrab downloader"
            date = "2018-11-08"
            sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

        strings:
            // "MZ" DOS header magic; the condition anchors it at offset 0
            $mz = { 4d 5a }

            // both $s strings are required (all of ($s*))
            $s1 = "open=_DeviceManager.exe" fullword
            $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword

            // any two of the $c strings; "wide" matches the UTF-16LE form
            $c0 = "DisableAntiSpyware" fullword wide
            $c1 = "DisableBehaviorMonitoring" fullword wide
            $c2 = "FirewallDisableNotify" fullword wide
            $c3 = "lsT80870405687060" fullword
            $c4 = "RecycleBin" fullword wide
            $c5 = "autorun.inf" fullword wide

            // any one of the two opcode sequences
            $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
            $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

        condition:
            ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
    }
YARA: a rule-based tool for malware analysts to identify and analyze malware.
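To make the rule's condition concrete, the following is an added example (not from the HC3 brief and not by the rule's author, tccontre) that re-implements in plain Python what YARA evaluates for that rule: `$mz at 0`, the `fullword` and `wide` modifiers, and the `all of` / `2 of` / `1 of` quantifiers over the three string groups. The two byte buffers it scans are constructed for this example, one assembled to satisfy every clause and one that fails the quantifiers. The `fullword` handling is a close approximation of YARA's own check; in practice you run the rule itself with `yara` or yara-python, and this matcher exists only to show how the clauses combine.

```python
"""Hand-evaluate the condition of rule gandcrab_win32_downloader_unpack.

Added example: an educational re-implementation of one YARA rule's condition,
not a replacement for YARA. All sample buffers below are constructed.
"""

MZ = bytes.fromhex("4d 5a")

# Text strings from the rule, keyed by identifier: (pattern, wide?)
S_STRINGS = {
    "$s1": (b"open=_DeviceManager.exe", False),
    "$s2": (b"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) "
            b"Gecko/20100101 Firefox/25.0", False),
}
C_STRINGS = {
    "$c0": (b"DisableAntiSpyware", True),
    "$c1": (b"DisableBehaviorMonitoring", True),
    "$c2": (b"FirewallDisableNotify", True),
    "$c3": (b"lsT80870405687060", False),
    "$c4": (b"RecycleBin", True),
    "$c5": (b"autorun.inf", True),
}
CODE_STRINGS = {
    "$code1": bytes.fromhex("83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53"),
    "$code2": bytes.fromhex("D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB"),
}


def _wide(text):
    """YARA's `wide` modifier searches for the UTF-16LE encoding of the string."""
    return text.encode("utf-16-le")


def _is_alnum_unit(chunk, wide):
    """Is the adjacent character unit (1 byte, or 2 bytes for wide) alphanumeric?"""
    if not chunk:
        return False
    if chunk[0] >= 128 or not chr(chunk[0]).isalnum():
        return False
    return (not wide) or chunk[1:] == b"\x00"


def fullword_match(data, pattern, wide):
    """True if `pattern` occurs in `data` with no alphanumeric character
    immediately before or after it (YARA's `fullword` modifier)."""
    needle = _wide(pattern.decode("ascii")) if wide else pattern
    step = 2 if wide else 1
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return False
        before = data[idx - step:idx] if idx >= step else b""
        after = data[idx + len(needle):idx + len(needle) + step]
        if not _is_alnum_unit(before, wide) and not _is_alnum_unit(after, wide):
            return True
        start = idx + 1   # this occurrence was not a full word; keep looking


def evaluate_rule(data):
    """Apply the rule's condition; return (matched, per-group hit detail)."""
    mz_at_0 = data.startswith(MZ)                                   # $mz at 0
    s_hits = [n for n, (p, w) in S_STRINGS.items() if fullword_match(data, p, w)]
    c_hits = [n for n, (p, w) in C_STRINGS.items() if fullword_match(data, p, w)]
    code_hits = [n for n, p in CODE_STRINGS.items() if p in data]
    matched = bool(mz_at_0
                   and len(s_hits) == len(S_STRINGS)   # all of ($s*)
                   and len(c_hits) >= 2                # 2 of ($c*)
                   and len(code_hits) >= 1)            # 1 of ($code*)
    return matched, {"mz_at_0": mz_at_0, "s": s_hits, "c": c_hits, "code": code_hits}


# Constructed buffer that satisfies every clause: MZ at offset 0, both $s
# strings, two wide $c strings and one opcode sequence, padded with NULs so
# the fullword checks pass.
MATCHING_SAMPLE = (
    MZ + b"\x90\x00\x03\x00" * 4
    + b"\x00open=_DeviceManager.exe\x00"
    + b"\x00Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\x00"
    + b"\x00\x00" + _wide("DisableAntiSpyware") + b"\x00\x00"
    + _wide("RecycleBin") + b"\x00\x00"
    + CODE_STRINGS["$code1"]
)

# Constructed buffer with a PE-like start and both $s strings, but only one
# $c string and no opcode sequence, so the quantifiers fail.
BENIGN_SAMPLE = (
    MZ + b"\x00" * 16
    + b"\x00open=_DeviceManager.exe\x00"
    + b"\x00Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\x00"
    + b"\x00\x00" + _wide("RecycleBin") + b"\x00\x00"
)

if __name__ == "__main__":
    for name, buf in (("matching", MATCHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, evaluate_rule(buf))
```

The detail dict is the part worth keeping when you port a rule into your own tooling: a match on `$s*` alone tells an analyst the binary shares the downloader's user-agent and drop name, while the `$c*` registry/file names and the opcode fragments are what push it over the threshold. Shifting the buffer by one byte defeats `$mz at 0` even though every string still matches, which is exactly why that clause is anchored.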
httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-
gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-
more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails
UNCLASSIFIED 19
UNCLASSIFIED TLPWHITE
3282019
Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace
Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV
Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV
20
UNCLASSIFIED
6212018
Questions
UNCLASSIFIED
UNCLASSIFIED
3282019
TLPWHITE
Image SC Magazine
- GandCrab Ransomware Update
- GandCrab ndash Agenda
- Ransomware ndash WhatWhy
- GandCrab ndash Introduction
- GandCrab ndash Updates
- GandCrab ndash Actor
- Example
- Example
- GandCrab ndash Ransom Notes
- Infection vectors and persistence
- GandCrab ndash Versions
- GandCrab ndash Indicators of compromise
- GandCrab ndash Yara rule
- GandCrab ndash Solutions
- GandCrab ndash Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
-
GandCrab – Solutions (continued)
Infection vectors – GandCrab-specific countermeasures and mitigations
– Remote Desktop Protocol and Virtual Network Computing: protect credentials and audit/log access
– Corporate spam/phishing/malspam: user awareness training and content filtering
– Exploit kits:
  – User awareness training (visiting untrusted/suspicious websites)
  – Whitelisting and blacklisting websites
  – Implementing intrusion detection technologies
– Social engineering: user awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
Do not pay ransom
– We recommend not paying ransom: there is no guarantee that files are decrypted and available again, and paying incentivizes future ransomware attacks.
– Norsk Hydro suffered a ransomware attack on March 19, 2019. Production management systems and equipment were rendered inoperable; the attack was described as "crippling", "debilitating" and "disastrous". Reported $40 million loss in revenue.
We suggest contacting local law enforcement in the case of a cyberattack. The FBI's Internet Crime Complaint Center (IC3) can also be reached here: https://www.ic3.gov/complaint/default.aspx
References / Further Reading
Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
"The GandCrab Ransomware Mindset." Check Point Research, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a Free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
"GandCrab Ransomware Decryption Tool." No More Ransom.
References / Further Reading (continued)
Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender Labs, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & NetSupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New .CRAB Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
Abrams, Lawrence. "GandCrab V4 Released With the New .KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew; Cramer, Cathy; Miner, Emily; and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
Botezatu, Bogdan. "GandCrab Ransomware Decryption Tool." Bitdefender Labs, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
"2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
References / Further Reading (continued)
Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." SensorsTechForum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
– Exploit Landscape
– Dark web PHI Marketplace
Product Evaluations: Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.
Requests for Information: Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.
20
UNCLASSIFIED
6212018
Questions
UNCLASSIFIED
UNCLASSIFIED
3282019
TLPWHITE
Image SC Magazine
- GandCrab Ransomware Update
- GandCrab ndash Agenda
- Ransomware ndash WhatWhy
- GandCrab ndash Introduction
- GandCrab ndash Updates
- GandCrab ndash Actor
- Example
- Example
- GandCrab ndash Ransom Notes
- Infection vectors and persistence
- GandCrab ndash Versions
- GandCrab ndash Indicators of compromise
- GandCrab ndash Yara rule
- GandCrab ndash Solutions
- GandCrab ndash Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
-
Do not pay ransom
We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks
Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue
UNCLASSIFIED 16
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-
gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-
executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018
httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-
malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-
gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-
era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-
ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-
decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-
ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-
wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-
decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049
UNCLASSIFIED 17
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019
httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-
nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018
httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018
httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-
distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-
ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-
with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-
with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-
downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-
accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019
httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018
httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-
strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-
intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-
ransomware-is-detected-healthcare-industry-nyse-ntt-2145268htm
UNCLASSIFIED 18
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading Krastev Ventsislav Killswitch File Now Available for GandCrab v412 Ransomware Sensors Tech Forum July 19 2018 httpssensorstechforumcomkillswitch-file-now-available-gandcrab-
v4-1-2-ransomware Boczan Tamas The Evolution of GandCrab Ransomware VMRay Cybersecurity Blog June 5 2018 (updated July 9 2018) httpswwwvmraycomcyber-security-bloggandcrab-ransomware-
evolution-analysis Malwarebytes Labs Malwarebytes Blog GandCrab ransomware distributed by RIG and GrandSoft exploit kits January 30 2018 (updated May 10 2018) httpsblogmalwarebytescomthreat-
analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Biasini Nick with contributions from Lister Nick and Marczewski Christopher Cisco Talos Blog Gandcrab Ransomware Walks its Way onto Compromised Sites May 9 2018
httpsblogtalosintelligencecom201805gandcrab-compromised-siteshtml Duncan Brad SANS Internet Storm Center InfoSec Handlers Dairy Blog Ransomware news GlobeImposter gets a facelift GandCrab is still out there March 7 2018
httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-
gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-
more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails
UNCLASSIFIED 19
UNCLASSIFIED TLPWHITE
3282019
Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace
Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV
Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV
20
UNCLASSIFIED
6212018
Questions
UNCLASSIFIED
UNCLASSIFIED
3282019
TLPWHITE
Image SC Magazine
- GandCrab Ransomware Update
- GandCrab ndash Agenda
- Ransomware ndash WhatWhy
- GandCrab ndash Introduction
- GandCrab ndash Updates
- GandCrab ndash Actor
- Example
- Example
- GandCrab ndash Ransom Notes
- Infection vectors and persistence
- GandCrab ndash Versions
- GandCrab ndash Indicators of compromise
- GandCrab ndash Yara rule
- GandCrab ndash Solutions
- GandCrab ndash Solutions (continued)
- Do not pay ransom
- References
- References
- References
- Slide Number 20
-
ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-
gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-
executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018
httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-
malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-
gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-
era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-
ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-
decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-
ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-
wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-
decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049
UNCLASSIFIED 17
UNCLASSIFIED TLPWHITE
3282019
ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019
httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-
nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018
httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
- Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager
- Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes
- Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files
- Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note
- Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image
- Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
- Costis, Andrew; Cramer, Cathy; Miner, Emily; Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign
- Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
- Hioueras, Vasilios, and Jérôme Segura. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
- Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike
- Cylance. "2017 Cylance Threat Report." https://pages.cylance.com/2018-03CylanceThreatReport2017.html
- Kaspersky. "Cyber Pulse: The State of Cybersecurity in Healthcare." https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
- Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
- Solutionary. "SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm
References – Further Reading
- Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware
- Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis
- Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
- Biasini, Nick, with contributions from Nick Lister and Christopher Marczewski. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
- Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
- Cyber Security blog - Tools and Malware Analysis. "RE: Gandcrab Downloader: There's More To This Than Meets The Eye." November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
- Europol. Press release: "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
- VirusTotal GandCrab entry: https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details
Upcoming Briefs
- Exploit Landscape
- Dark web PHI Marketplace

Product Evaluations: Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.

Requests for Information: Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.
Questions
Image: SC Magazine
Slide outline
- GandCrab Ransomware Update
- GandCrab – Agenda
- Ransomware – What/Why
- GandCrab – Introduction
- GandCrab – Updates
- GandCrab – Actor
- Example
- Example
- GandCrab – Ransom Notes
- Infection vectors and persistence
- GandCrab – Versions
- GandCrab – Indicators of compromise
- GandCrab – Yara rule
- GandCrab – Solutions
- GandCrab – Solutions (continued)
- Do not pay ransom
- References
- References
- References