GandCrab Ransomware Update
Healthcare Sector Cybersecurity Coordination Center (HC3)
OVERALL CLASSIFICATION IS UNCLASSIFIED, TLP:WHITE
3/28/2019



GandCrab – Agenda

  • What is ransomware? Why does it matter to the Healthcare and Public Health (HPH) sector?
  • GandCrab introduction
  • GandCrab updates
  • Actor
  • Example - GandCrab phishing attack
  • Example - ransom notes
  • Infection vectors and persistence
  • Versions
  • Indicators of compromise & Yara rule
  • Solutions
  • References
  • Conclusion


Slides Key
  • Non-Technical: managerial, strategic and high-level (general audience)
  • Technical: tactical / IOCs, requiring in-depth knowledge (sysadmins, IRT)

Image: https://sensorstechforum.com

Ransomware – What/Why

Ransomware

What is ransomware?
  – Malicious code that infects a system, encrypts important files and demands a ransom to decrypt them

Critical to the Healthcare industry
  – Data-driven decisions
  – Mission (wellbeing, health and lives)

Reporting
  Cylance Threat Report (May 2018)
    – Ransomware attacks tripled in 2017
    – Healthcare was targeted more than any other industry
  Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare (December 2018)
    – One in four healthcare organizations were successfully attacked by ransomware in 2018
  Solutionary Security Engineering Research Team (SERT) Q2 2016 report
    – 88% of all ransomware attacks targeted the healthcare industry

Image: Health IT Outcomes
Image: Wall Street Journal

GandCrab – Introduction

First identified on January 26, 2018
It's a form of ransomware; aggressively updated
  – Over 500,000 global infections since first release
Offered as Ransomware-as-a-Service (RaaS)
  – Operators aren't necessarily technical
  – Developers outsource attacks, split profits
  – Monetization: per PC, not lump sum
  – Typical ransoms: $300 to $6,000 (demanded in Dash cryptocurrency)
Spread via common tactics
  – Malspam / phishing
  – Remote Desktop Protocol (RDP)
  – Virtual Network Computing (VNC)
Other functions
  – Can bypass some firewalls and AVs
  – Can detect sandboxes and virtual machines
Used to target Windows systems in large organizations ("big game hunting")

Image: SC Magazine

GandCrab – Updates

What's changed recently?
Version 5.2 is out
  – Free decryptors exist for most earlier versions (1, 4 and 5.0.1 through 5.1; see Solutions), but not for 5.2
Better affiliate relationships
  – Structured, profitable, long-term agreements
  – Separation between developers and operations
  – Incentive to use GandCrab
Big game hunting
  – Increased reconnaissance
  – Even more persistence against high-value targets
  – "From mob attack to surgical strike"

Image: BestTechTips

GandCrab – Actor

PINCHY SPIDER (GandCrab developers)
Named by CrowdStrike
  – "…the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as 'big game hunting'"
  – Unknown country(ies) of operation or any nation-state affiliation
Offered as RaaS
Uses distributors to infect systems
  – Allows PINCHY SPIDER to focus on development rather than infections
  – Provides separation between victims and PINCHY SPIDER
  – Splits profits (60/40 and sometimes 70/30)
  – Operators aren't necessarily technical

Image: CrowdStrike

Example: Screenshot of fake CDC e-mail

  • Fake e-mail address attempting to look legitimate
  • Malicious attachments
  • Body of e-mail designed to look legitimate

Image: https://myonlinesecurity.co.uk

Example: Macros

Macro: a series of commands and instructions in a Microsoft Office document, grouped together as a single command to automate a task and make people more productive. Malicious attachments abuse the same mechanism to run attacker code once the recipient enables content.

Image: https://myonlinesecurity.co.uk
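The mail-gateway check a defender would pair with the content filtering recommended later in this briefing, as an added example that is not code from HC3 or from any vendor named on the page. It assumes the OOXML layout (a zip whose macro-enabled variants carry a vbaProject.bin part) and the OLE compound-file signature of legacy .doc/.xls files; the function names, verdict labels and the in-memory sample documents are this example's own and the samples are constructed, not real malware.

```python
import io
import zipfile

# Added example, not from the HC3 briefing. Assumptions: OOXML documents are zip files and a
# macro-enabled one carries a vbaProject.bin part; legacy binary Office files start with the
# OLE compound-file signature and need a dedicated parser (or a sandbox) to inspect macros.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_macro_parts(data):
    """Return the vbaProject.bin part names found in an OOXML zip (empty if none or not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def assess_attachment(filename, data):
    """Classify an attachment as ('quarantine' | 'sandbox' | 'allow', reason)."""
    name = filename.lower()
    macro_parts = ooxml_macro_parts(data)
    if macro_parts:
        # Decide on content, not on the name: a .docm renamed to .docx still runs its macros.
        return "quarantine", "OOXML document contains a VBA project: " + ", ".join(macro_parts)
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls/.ppt: macros live inside OLE streams, so detonate or parse offline.
        return "sandbox", "legacy OLE compound file; macro presence not determinable here"
    if name.endswith((".docm", ".dotm", ".xlsm", ".xltm", ".pptm")):
        # The extension promises macros but the payload has none: suspicious mismatch, hold it.
        return "sandbox", "macro-enabled extension without a VBA project"
    return "allow", "no macro indicators"


def build_sample(with_macro):
    """Constructed minimal OOXML document (not a real document or malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder bytes, constructed
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("invoice.docx", build_sample(True)),
                        ("memo.docx", build_sample(False)),
                        ("old_form.doc", OLE_MAGIC + b"\x00" * 504),
                        ("report.pdf", b"%PDF-1.4\n")]:
        print(fname, *assess_attachment(fname, blob))
```

The point of checking the zip contents rather than the file name is the renamed-attachment case: Word opens a .docm saved as .docx by sniffing the content, so a filter that only blocks *.docm misses it.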

GandCrab – Ransom Notes

Example ransom notes
  • Notification of compromise
  • Expression of futility
  • Compliance instructions

Source: Symantec
Source: Malwarebytes

Infection vectors and persistence

Infection vectors
  • Remote Desktop Protocol (RDP)
  • Virtual Network Computing (VNC)
  • Corporate spam / phishing / malspam
    – Necurs botnet
  • Exploit kits
    – Fallout, RIG, Magnitude, GrandSoft
  • Social engineering

Once it's on your system, how does it stay there?

Persistence
  • Living off the land (both default and post-installation tools)
    – Sysinternals ProcMon
    – Process Hacker
    – LAN Search Pro

GandCrab – Versions

How to identify the version

VERSION   EXTENSION          RANSOM NOTE
1         .GDCB              Starts with "---= GANDCRAB =---" … "the extension .GDCB"
2         .GDCB              Starts with "---= GANDCRAB =---" … "the extension .GDCB"
3         .CRAB              Starts with "---= GANDCRAB V3 =---" … "the extension .CRAB"
4         .KRAB              Starts with "---= GANDCRAB V4 =---" … "the extension .KRAB"
5         random ([A-Z]+)    Starts with "---= GANDCRAB V5.0 =---" … e.g. "the extension .UKCZA"
5.0.1     random ([A-Z]+)    Starts with "---= GANDCRAB V5.0.1 =---" … e.g. "the extension .YIAQDG"
5.0.2     random ([A-Z]+)    Starts with "---= GANDCRAB V5.0.2 =---" … e.g. "the extension .CQXGPMKNR"
5.0.3     random ([A-Z]+)    Starts with "---= GANDCRAB V5.0.3 =---" … e.g. "the extension .HHFEHIOL"
5.0.4     random ([A-Z]+)    Starts with "---= GANDCRAB V5.0.4 =---" … e.g. "the extension .BYACZCZI"
5.0.5     random ([A-Z]+)    Starts with "---= GANDCRAB V5.0.5 =---" … e.g. "the extension .KZZXVWMLI"
5.1       random ([A-Z]+)    Starts with "---= GANDCRAB V5.1 =---" … e.g. "the extension .IJDHRQJD"

From version 5 on the extension is generated per victim (matching [A-Z]+), so the banner in the ransom note, not the extension, identifies the version; the 5.x extensions above are examples only.

Source: Bitdefender (note that the BleepingComputer reference in this briefing reports the .CRAB extension arriving with version 2)
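A triage script that applies the table above to a file share, as an added example that is not part of the briefing or of Bitdefender's tooling. It assumes GandCrab drops its note as <EXT>-DECRYPT.txt (or .html from version 5 on) next to the encrypted files, where EXT is the appended extension, and that the note body carries the banner and "the extension …" phrase from the table; the function names and the sample share listing are this example's own and the listing is constructed.

```python
import re
from pathlib import Path

# Added example, not from the HC3 briefing. Assumptions: ransom notes are named
# <EXT>-DECRYPT.txt/.html, and the note body contains the version banner and the
# "the extension ..." phrase shown in the version table.
BANNER_RE = re.compile(r"---=\s*GANDCRAB\s*(?:V(?P<ver>\d+(?:\.\d+)*))?\s*=---")
EXT_RE = re.compile(r"the extension[:\s]+\.?(?P<ext>[A-Z]{2,16})\b")
NOTE_NAME_RE = re.compile(r"^(?P<ext>[A-Z]{2,16})-DECRYPT\.(?:txt|html)$")


def parse_note(text):
    """Return (version, extension) from a ransom-note body, or None if no GandCrab banner."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    # v1 and v2 share an unversioned banner; the table distinguishes nothing further.
    version = m.group("ver") or "1/2"
    e = EXT_RE.search(text)
    return version, (e.group("ext") if e else None)


def triage_listing(listing):
    """listing: {relative_path: note_text_or_None}; only ransom notes need their text.

    Returns one finding per note: version, extension in use, and how many files carry it."""
    findings = []
    for path, text in listing.items():
        nm = NOTE_NAME_RE.match(path.rsplit("/", 1)[-1])
        if not nm or text is None:
            continue
        parsed = parse_note(text)
        if parsed is None:
            continue
        version, ext = parsed
        ext = ext or nm.group("ext")            # fall back to the note's own file name
        suffix = "." + ext
        encrypted = sum(1 for p in listing if p.endswith(suffix))
        findings.append({"note": path, "version": version,
                         "extension": ext, "encrypted_files": encrypted})
    return sorted(findings, key=lambda f: f["note"])


def triage_dir(root):
    """Walk a real directory tree (e.g. a mounted share) and run the same triage."""
    root = Path(root)
    listing = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            is_note = NOTE_NAME_RE.match(p.name) is not None
            listing[rel] = p.read_text(errors="replace") if is_note else None
    return triage_listing(listing)


# Constructed listing standing in for a hit file share; the note texts are abbreviated.
SAMPLE_SHARE = {
    "finance/Q1.xlsx.KRAB": None,
    "finance/KRAB-DECRYPT.txt":
        "---= GANDCRAB V4 =---\n\nAttention!\nAll your files, documents, photos, databases "
        "and other important files are encrypted and have the extension: .KRAB\n",
    "hr/payroll.docx.BYACZCZI": None,
    "hr/photos.zip.BYACZCZI": None,
    "hr/BYACZCZI-DECRYPT.html":
        "<html><body>---= GANDCRAB V5.0.4 =---<br>...have the extension: .BYACZCZI<br>",
    "it/readme.txt": None,
}

if __name__ == "__main__":
    for finding in triage_listing(SAMPLE_SHARE):
        print(finding)
```

The version string is what decides whether one of the free decryptors listed under Solutions applies, and the per-extension file count tells the responder how far the encryption ran before it was stopped.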

GandCrab – Indicators of compromise

Indicators of compromise (IOCs)

VERSION         TYPE      HASH
GandCrab v5.1   SHA-256   0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v5.2   SHA-256   329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v5.2   SHA-256   bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v5.2   SHA-256   d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v5.2   SHA-256   d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v5.2   SHA-256   f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v5.2   SHA-256   fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4

All of the listed digests are 64 hex characters, i.e. SHA-256, not MD5.
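A sweep that checks files against the hashes above, as an added example that is not code from the briefing. The indicator set is copied from the table; the function names, the streaming hash helper and the choice of file suffixes to sweep are this example's own assumptions.

```python
import hashlib
from pathlib import Path

# Added example, not from the HC3 briefing. The indicator set is the SHA-256 table above;
# the sweep logic and names are this example's own.
GANDCRAB_SHA256 = {
    "0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f": "GandCrab v5.1",
    "329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9": "GandCrab v5.2",
    "bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc": "GandCrab v5.2",
    "d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62": "GandCrab v5.2",
    "d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6": "GandCrab v5.2",
    "f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1": "GandCrab v5.2",
    "fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4": "GandCrab v5.2",
}


def sha256_hex(data):
    """SHA-256 of an in-memory blob as lower-case hex, the form indicator feeds use."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(data, indicators=GANDCRAB_SHA256):
    """Label for an in-memory blob if its hash is a known indicator, else None."""
    return indicators.get(sha256_hex(data).lower())


def sweep(root, indicators=GANDCRAB_SHA256, suffixes=(".exe", ".dll", ".tmp", "")):
    """Hash candidate files under root and return {path: label} for indicator matches.

    `suffixes` restricts the sweep to executable-looking files and files with no
    extension (an assumption about what is worth hashing); pass None to hash everything."""
    hits = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if suffixes is not None and p.suffix.lower() not in suffixes:
            continue
        try:
            label = indicators.get(sha256_file(p))
        except OSError:
            continue                       # locked or unreadable file: skip, do not abort
        if label:
            hits[str(p)] = label
    return hits


if __name__ == "__main__":
    import sys
    for path, label in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(label, path)
```

Hash indicators are exact-match only: a family that is re-packed as aggressively as this one produces new digests faster than any list is updated, so treat a miss as "not this sample", never as "clean", and lean on the YARA rule and the behavioural controls in the Solutions slides for coverage.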

GandCrab – Yara rule

    import "pe"

    rule gandcrab_win32_downloader_unpack
    {
        meta:
            author = "tccontre"
            description = "detecting gandcrab downloader"
            date = "2018-11-08"
            sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

        strings:
            $mz = { 4d 5a }

            $s1 = "open=_DeviceManager.exe" fullword
            $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword

            $c0 = "DisableAntiSpyware" fullword wide
            $c1 = "DisableBehaviorMonitoring" fullword wide
            $c2 = "FirewallDisableNotify" fullword wide
            $c3 = "lsT80870405687060" fullword
            $c4 = "RecycleBin" fullword wide
            $c5 = "autorun.inf" fullword wide

            $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
            $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

        condition:
            ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
    }

YARA: a rule-based pattern-matching tool used by malware analysts to identify and classify malware.

The rule matches the GandCrab downloader analysed in the tccontre write-up cited in the references, not the ransomware payload itself. The $c strings are Windows Defender and Security Center registry value names (DisableAntiSpyware, DisableBehaviorMonitoring, FirewallDisableNotify) alongside autorun.inf residue, which is why the condition needs only two of them; the "pe" module is imported but not used by the condition.

GandCrab – Solutions

  • Content filtering: deploys to the mail server; signature-based traffic blocking
  • Configuration management and strong password policy: periodically review all network hardware, devices and applications for configurations; develop and enforce a strong password policy
  • Endpoint security: every system in the enterprise should be protected
  • Network traffic analysis: NetFlow and packet capture; real-time examination of system and network events
  • Data backup: network/cloud redundancy is critical; employ a zero-day recovery approach
  • Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4 and 5.0.1 through 5.1 (version 5.2, current at the time of this briefing, is not covered)
    – https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
    – Requires an Internet connection and the ransom note
    – https://www.nomoreransom.org

Source: blog.malwarebytes.com

GandCrab – Solutions (continued)

Infection vectors – GandCrab-specific countermeasures and mitigations
  • Remote Desktop Protocol and Virtual Network Computing – protect credentials and audit/log access
  • Corporate spam / phishing / malspam – user awareness training and content filtering
  • Exploit kits
    – User awareness training (visiting untrusted/suspicious websites)
    – Whitelisting and blacklisting websites
    – Implementing intrusion detection technologies
  • Social engineering – user awareness training
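What "audit/log access" for RDP looks like once the logs exist, as an added example that is not part of the briefing: a sliding-window detector for password guessing against RDP, run over constructed Security-log records. It assumes the standard Windows event semantics (4625 failed logon, 4624 successful logon, LogonType 10 for RemoteInteractive; with Network Level Authentication enabled, failed RDP attempts are commonly recorded as LogonType 3) and the field names from the event XML; the record helper, thresholds and sample events are this example's own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the HC3 briefing. Assumptions: events are dicts carrying the
# Security-log fields named below (EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive/RDP; with NLA enabled, failed RDP attempts are commonly
# recorded as LogonType 3). Field names follow the Windows event XML; the records are
# constructed, not captured.


def _ev(ts, event_id, logon_type, user, ip):
    return {"TimeCreated": ts, "EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}


SAMPLE_EVENTS = [
    _ev("2019-03-28T02:00:01", 4625, 3, "administrator", "203.0.113.7"),
    _ev("2019-03-28T02:00:03", 4625, 3, "admin", "203.0.113.7"),
    _ev("2019-03-28T02:00:05", 4625, 3, "backup", "203.0.113.7"),
    _ev("2019-03-28T02:00:08", 4625, 3, "scanner", "203.0.113.7"),
    _ev("2019-03-28T02:00:10", 4625, 3, "svc_backup", "203.0.113.7"),
    _ev("2019-03-28T02:00:12", 4625, 3, "svc_backup", "203.0.113.7"),
    _ev("2019-03-28T02:01:40", 4624, 10, "svc_backup", "203.0.113.7"),   # password guessed
    _ev("2019-03-28T08:15:00", 4625, 10, "jdoe", "10.20.30.40"),           # one typo, then OK
    _ev("2019-03-28T08:15:20", 4624, 10, "jdoe", "10.20.30.40"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window, and
    record whether an RDP logon from that source succeeded while the burst was still live."""
    recent = defaultdict(deque)        # ip -> timestamps of failures within the window
    alerts = {}                        # ip -> alert (one alert per source)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["LogonType"] not in (3, 10):
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        ip = e["IpAddress"]
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()                # forget failures older than the window
        if e["EventID"] == 4625:
            q.append(ts)
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"source": ip, "failures": len(q),
                              "first_failure": q[0].isoformat(),
                              "success_after_burst": None}
        elif (e["EventID"] == 4624 and e["LogonType"] == 10 and q
              and ip in alerts and alerts[ip]["success_after_burst"] is None):
            # A success from a source that was just guessing is the credential-compromise signal.
            alerts[ip]["success_after_burst"] = {"user": e["TargetUserName"],
                                                 "at": ts.isoformat()}
    return sorted(alerts.values(), key=lambda a: a["first_failure"])


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A burst that ends in a 4624 is the case to page on: it is the moment an operator who bought or guessed RDP access starts the reconnaissance described under "big game hunting", and blocking the source at that point is far cheaper than the Norsk Hydro outcome described below.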

WE DO NOT RECOMMEND PAYING A RANSOM

We suggest contacting local law enforcement in the case of a cyberattack. The FBI's Internet Crime Complaint Center (IC3) can also be reached here: https://www.ic3.gov/complaint/default.aspx

Do not pay ransom

We recommend not paying ransom
  • No guarantee files are decrypted and available again
  • It incentivizes future ransomware attacks

Norsk Hydro
  • Suffered a ransomware attack on March 19, 2019
  • Production management systems and equipment were rendered inoperable
  • Described as "crippling", "debilitating" and "disastrous"
  • Reported $40 million loss in revenue


References / Further Reading

  • Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
  • Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
  • Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
  • Palmer, Danny. "Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
  • Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
  • Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
  • Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
  • Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
  • "Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
  • "GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
  • "GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
  • Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
  • "The GandCrab Ransomware Mindset." Check Point Research, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
  • Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
  • "Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
  • "GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
  • "GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
  • "GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
  • "GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
  • Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
  • "Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
  • "GandCrab Ransomware Decryption Tool." No More Ransom.


References / Further Reading (continued)

  • Feeley, Brendon; Hartley, Bex; Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
  • Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
  • Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
  • Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
  • Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & NetSupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
  • Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New .Crab Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
  • Abrams, Lawrence. "GandCrab V4 Released With the New .KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
  • Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
  • Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
  • Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
  • Costis, Andrew; Cramer, Cathy; Miner, Emily; Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
  • Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
  • Hioueras, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
  • Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
  • "2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
  • "Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
  • Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
  • "Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Solutionary. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm


References / Further Reading (continued)

  • Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
  • Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
  • Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
  • Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
  • Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
  • tccontre. "RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
  • Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
  • VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details


Upcoming Briefs
  • Exploit Landscape
  • Dark web PHI Marketplace

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV

Requests for Information
Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV

Page 2: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab ndash AgendaGandCrabWhat is ransomware Why does it matter to HPH GandCrab introduction GandCrab updates Actor Example - GandCrab phishing attack Example - ransom notes Infection vectors and persistence Versions Indicators of compromise amp Yara rule Solutions References Conclusion

UNCLASSIFIED 2

UNCLASSIFIED TLPWHITE

Non-Technical managerial strategic and high-level (general audience)

Technical Tactical IOCs requiring in-depth knowledge (sysadmins IRT)

Slides Key

3282019

Image httpssensorstechforumcom

Ransomware ndash WhatWhy

UNCLASSIFIED 3

UNCLASSIFIED TLPWHITE

3282019

RansomwareWhat is ransomware

ndash Malicious code that infects a system encrypts important files and requests ransom to decrypt them

Critical to the Healthcare industry Data-driven decisions Mission (wellbeing health and lives)Reporting Cylance Threat Report (May 2018)

ndash Ransomware attacks tripled in 2017ndash Healthcare was targeted more than any other industry

Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare (December 2018)

ndash One in four healthcare organizations were successfully attacked by ransomware in 2018

Solutionary Security Engineering Research Team (SERT) Q2 2016 report

ndash 88 of all ransomware attacks targeted the healthcare industry

Image Health IT Outcomes

Image Wall Street Journal

GandCrab ndash IntroductionGandcrab - Intro First identified on January 26 2018 Itrsquos a form of ransomware aggressively updated

ndash Over 500000 global infections since first release Offered as Ransomware-as-a-Service (RaaS)

ndash Operators arenrsquot necessarily technical Developers outsource attacks split profits

ndash Monetization Per PC not lump sumndash Typical ransoms $300 to $6000 (Dash)

Spread via common tacticsndash Malspamphishingndash Remote Desktop Protocol (RDP)ndash Virtual Network Computing (VNC)

Other functionsndash Can bypass some firewalls and AVsndash Can detect sandboxes and virtual machines

Used to target Windows systems in large organizations (big game hunting)

UNCLASSIFIED 4

UNCLASSIFIED TLPWHITE

3282019

Image SC Magazine

GandCrab ndash UpdatesWhatrsquos changed recently Version 52 is out

ndash Decryptors exist for all versions previous to 52 Better affiliate relationships

ndash Structured profitable long-term agreementsndash Separation between developers and operationsndash Incentive to use GandCrab

Big game huntingndash Increased reconnaissancendash Even more persistence against high-value

targetsndash High-value targetsndash ldquoFrom mob attack to surgical strikerdquo

UNCLASSIFIED 5

UNCLASSIFIED TLPWHITE

3282019

Image BestTechTips

GandCrab ndash ActorPINCHY SPIDER (GandCrab developers) Named by CrowdStrike

ndash ldquohellipthe latest eCrime adversaries to join the growing trend of targeted low-volumehigh-return ransomware deployments known as lsquobig game huntingrsquordquo

ndash Unknown country(ies) of operation or any nation-state affiliation Offered as RaaS Uses distributors to infect systems

ndash Allows for PINCHY SPIDER to focus on development vice infectionsndash Provides separation between victims and PINCHY SPIDERndash Splits profits (6040 and sometimes 7030)ndash Operators arenrsquot necessarily technical

UNCLASSIFIED 6

UNCLASSIFIED TLPWHITE

3282019

Image Crowdstrike

Example Screenshot of fake CDC e-mail

UNCLASSIFIED 7

UNCLASSIFIED TLPWHITE

3282019

Fake e-mail address attempting to look legitimate

Malicious attachments

Body of e-mail designed to look legitimate

Image httpsmyonlinesecuritycouk

Example

Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive

UNCLASSIFIED 8

UNCLASSIFIED TLPWHITE

3282019

Macros

Image httpsmyonlinesecuritycouk

GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions

UNCLASSIFIED 9

UNCLASSIFIED TLPWHITE

3282019

Source Symantec

Source Malwarebytes

Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam

ndash Necurs botnet Exploit kits

ndash Fallout RIG Magnitude GrandSoft Social Engineering

Once itrsquos on your system how does it stay there

Persistence Living off the land (both default and post-installation tools)

ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro

UNCLASSIFIED 10

UNCLASSIFIED TLPWHITE

3282019

GandCrab ndash VersionsHow to identify the version

UNCLASSIFIED 11

UNCLASSIFIED TLPWHITE

3282019

VERSION EXTENSION RANSOM NOTE

1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB

4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB

5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA

501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG

502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR

503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL

503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI

505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI

505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD

Source Bitdefender

GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)

UNCLASSIFIED 12

UNCLASSIFIED TLPWHITE

3282019

VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f

GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9

GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc

GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62

GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6

GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1

GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4

GandCrab ndash Yara ruleimport pe

rule gandcrab_win32_downloader_unpack meta

author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4

strings$mz = 4d 5a

$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword

$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide

$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB

condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)

UNCLASSIFIED 13

UNCLASSIFIED TLPWHITE

3282019

YARA A rule-based tool for malware analysts to identify and analyze malware

GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce

strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51

ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note

Employ a zero-day recovery approachhttpswwwnomoreransomorg

UNCLASSIFIED 14

UNCLASSIFIED TLPWHITE

3282019

Source blogmalwarebytescom

GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash

ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies

Social Engineering ndash User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

UNCLASSIFIED 15

UNCLASSIFIED TLPWHITE

3282019

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

References / Further Reading

Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
Palmer, Danny. "What is Ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
"The GandCrab Ransomware Mindset." Check Point Research, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a Free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
"GandCrab Ransomware Decryption Tool." No More Ransom.

UNCLASSIFIED TLP:WHITE, 3/28/2019, slide 17

References / Further Reading (continued)

Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender Labs, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/?cid=soc%7Cc%7Ctw%7CGandCrab
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & NetSupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New .CRAB Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
Abrams, Lawrence. "GandCrab V4 Released With the New .KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew; Cramer, Cathy; Miner, Emily; and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
Botezatu, Bogdan. "GandCrab Ransomware Decryption Tool." Bitdefender Labs, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Hioureas, Vasilios, and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
"2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm


References / Further Reading (continued)

Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." SensorsTechForum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security Blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
VirusTotal GandCrab entry. https://www.virustotal.com/#/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details


Upcoming Briefs
• Exploit Landscape
• Dark Web PHI Marketplace

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.

Requests for Information
Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.

Questions

Image: SC Magazine

Page 4: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab ndash IntroductionGandcrab - Intro First identified on January 26 2018 Itrsquos a form of ransomware aggressively updated

ndash Over 500000 global infections since first release Offered as Ransomware-as-a-Service (RaaS)

ndash Operators arenrsquot necessarily technical Developers outsource attacks split profits

ndash Monetization Per PC not lump sumndash Typical ransoms $300 to $6000 (Dash)

Spread via common tacticsndash Malspamphishingndash Remote Desktop Protocol (RDP)ndash Virtual Network Computing (VNC)

Other functionsndash Can bypass some firewalls and AVsndash Can detect sandboxes and virtual machines

Used to target Windows systems in large organizations (big game hunting)

UNCLASSIFIED 4

UNCLASSIFIED TLPWHITE

3282019

Image SC Magazine

GandCrab ndash UpdatesWhatrsquos changed recently Version 52 is out

ndash Decryptors exist for all versions previous to 52 Better affiliate relationships

ndash Structured profitable long-term agreementsndash Separation between developers and operationsndash Incentive to use GandCrab

Big game huntingndash Increased reconnaissancendash Even more persistence against high-value

targetsndash High-value targetsndash ldquoFrom mob attack to surgical strikerdquo

UNCLASSIFIED 5

UNCLASSIFIED TLPWHITE

3282019

Image BestTechTips

GandCrab ndash ActorPINCHY SPIDER (GandCrab developers) Named by CrowdStrike

ndash ldquohellipthe latest eCrime adversaries to join the growing trend of targeted low-volumehigh-return ransomware deployments known as lsquobig game huntingrsquordquo

ndash Unknown country(ies) of operation or any nation-state affiliation Offered as RaaS Uses distributors to infect systems

ndash Allows for PINCHY SPIDER to focus on development vice infectionsndash Provides separation between victims and PINCHY SPIDERndash Splits profits (6040 and sometimes 7030)ndash Operators arenrsquot necessarily technical

UNCLASSIFIED 6

UNCLASSIFIED TLPWHITE

3282019

Image Crowdstrike

Example Screenshot of fake CDC e-mail

UNCLASSIFIED 7

UNCLASSIFIED TLPWHITE

3282019

Fake e-mail address attempting to look legitimate

Malicious attachments

Body of e-mail designed to look legitimate

Image httpsmyonlinesecuritycouk

Example

Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive

UNCLASSIFIED 8

UNCLASSIFIED TLPWHITE

3282019

Macros

Image httpsmyonlinesecuritycouk

GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions

UNCLASSIFIED 9

UNCLASSIFIED TLPWHITE

3282019

Source Symantec

Source Malwarebytes

Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam

ndash Necurs botnet Exploit kits

ndash Fallout RIG Magnitude GrandSoft Social Engineering

Once itrsquos on your system how does it stay there

Persistence Living off the land (both default and post-installation tools)

ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro

UNCLASSIFIED 10

UNCLASSIFIED TLPWHITE

3282019

GandCrab ndash VersionsHow to identify the version

UNCLASSIFIED 11

UNCLASSIFIED TLPWHITE

3282019

VERSION EXTENSION RANSOM NOTE

1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB

4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB

5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA

501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG

502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR

503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL

503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI

505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI

505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD

Source Bitdefender

GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)

UNCLASSIFIED 12

UNCLASSIFIED TLPWHITE

3282019


GandCrab – Yara rule

    import "pe"

    rule gandcrab_win32_downloader_unpack
    {
        meta:
            author = "tccontre"
            description = "detecting gandcrab downloader"
            date = "2018-11-08"
            sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

        strings:
            $mz = { 4d 5a }

            $s1 = "open=_DeviceManager.exe" fullword
            $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword

            $c0 = "DisableAntiSpyware" fullword wide
            $c1 = "DisableBehaviorMonitoring" fullword wide
            $c2 = "FirewallDisableNotify" fullword wide
            $c3 = "lsT80870405687060" fullword
            $c4 = "RecycleBin" fullword wide
            $c5 = "autorun.inf" fullword wide

            $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
            $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

        condition:
            ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
    }

YARA: A rule-based tool for malware analysts to identify and analyze malware.
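To show how the rule's condition is evaluated, in particular what the wide and fullword modifiers require, here is an added Python re-implementation of its matching logic run over a constructed byte buffer; it is not part of the deck or of the original rule, the helper names are my own, and the sample buffer is synthetic rather than a real downloader.

```python
import re

# Strings and hex patterns from the gandcrab_win32_downloader_unpack rule above.
# Each text entry is (string, wide): YARA's "wide" modifier matches the UTF-16LE
# encoding only, and "fullword" forbids an alphanumeric character on either side.
RULE_STRINGS = {
    "s": {  # condition: all of ($s*)
        "$s1": ("open=_DeviceManager.exe", False),
        "$s2": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) "
                "Gecko/20100101 Firefox/25.0", False),
    },
    "c": {  # condition: 2 of ($c*)
        "$c0": ("DisableAntiSpyware", True),
        "$c1": ("DisableBehaviorMonitoring", True),
        "$c2": ("FirewallDisableNotify", True),
        "$c3": ("lsT80870405687060", False),
        "$c4": ("RecycleBin", True),
        "$c5": ("autorun.inf", True),
    },
}
RULE_HEX = {  # condition: 1 of ($code*)
    "$code1": bytes.fromhex("83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53"),
    "$code2": bytes.fromhex("D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB"),
}

ALNUM = re.compile(rb"[A-Za-z0-9]")


def _is_alnum_char(chunk: bytes, width: int) -> bool:
    """True if chunk is one alphanumeric character of the given width
    (for wide strings that is the byte pair [c, 0x00])."""
    if len(chunk) < width:
        return False
    if width == 2:
        return chunk[1] == 0 and ALNUM.match(chunk[:1]) is not None
    return ALNUM.match(chunk) is not None


def fullword_match(buf: bytes, text: str, wide: bool) -> bool:
    """Emulate '"text" fullword [wide]': some occurrence must not be bordered
    by alphanumeric characters of the same width."""
    width = 2 if wide else 1
    needle = text.encode("utf-16-le" if wide else "ascii")
    start = 0
    while (i := buf.find(needle, start)) >= 0:
        before = buf[max(0, i - width):i]
        after = buf[i + len(needle):i + len(needle) + width]
        if not _is_alnum_char(before, width) and not _is_alnum_char(after, width):
            return True
        start = i + 1
    return False


def rule_matches(buf: bytes) -> bool:
    """($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)"""
    if not buf.startswith(b"MZ"):  # $mz = { 4d 5a } at 0
        return False
    s_hits = sum(fullword_match(buf, t, w) for t, w in RULE_STRINGS["s"].values())
    c_hits = sum(fullword_match(buf, t, w) for t, w in RULE_STRINGS["c"].values())
    code_hits = sum(buf.find(h) >= 0 for h in RULE_HEX.values())
    return s_hits == len(RULE_STRINGS["s"]) and c_hits >= 2 and code_hits >= 1


def build_sample(include_code: bool = True) -> bytes:
    """Constructed test buffer, not a real file: an MZ stub followed by the
    rule's strings (two of the $c strings in UTF-16LE) and optionally $code2,
    each separated by two NUL bytes so every hit is a full word."""
    s1, s2 = (text for text, _ in RULE_STRINGS["s"].values())
    parts = [b"MZ" + b"\x90" * 62, s1.encode(), s2.encode(),
             "DisableAntiSpyware".encode("utf-16-le"),
             "autorun.inf".encode("utf-16-le")]
    if include_code:
        parts.append(RULE_HEX["$code2"])
    return b"\x00\x00".join(parts) + b"\x00\x00"


if __name__ == "__main__":
    print("full sample:", rule_matches(build_sample()))          # True
    print("no $code bytes:", rule_matches(build_sample(False)))  # False
```

Note that an ASCII-only "DisableAntiSpyware" does not satisfy the wide-only $c0, and "xautorun.inf" fails fullword; both are common reasons a hand-written rule fires less often than expected.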

GandCrab – Solutions

• Content filtering: Deploys to mail server; signature-based traffic blocking
• Configuration management and strong password policy: Periodically review all network hardware, devices and applications for configurations; develop and enforce a strong password policy
• Endpoint security: Every system in the enterprise should be protected
• Network traffic analysis: Netflow and packet capture; real-time examination of system and network events
• Data backup: Network/cloud redundancy is critical
• Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4, and 5.0.1 through 5.1
  – https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
  – Requires Internet connection and ransom note
• Employ a zero-day recovery approach: https://www.nomoreransom.org/

Source: blog.malwarebytes.com

GandCrab – Solutions (continued)

Infection vectors – GandCrab-specific countermeasures and mitigations:
• Remote Desktop Protocol and Virtual Network Computing – Protect credentials and audit/log access
• Corporate spam/phishing/malspam – User awareness training and content filtering
• Exploit kits –
  – User awareness training (visiting untrusted/suspicious websites)
  – Whitelisting and blacklisting websites
  – Implementing intrusion detection technologies
• Social engineering – User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

Do not pay ransom

We recommend not paying ransom:
• No guarantee files are decrypted and available again
• It incentivizes future ransomware attacks

Norsk Hydro:
• Suffered a ransomware attack on March 19, 2019
• Production management systems and equipment were rendered inoperable
• Described as "crippling", "debilitating" and "disastrous"
• Reported $40 million loss in revenue

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

References – Further Reading

• Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
• Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
• Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
• Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
• Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
• Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
• Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
• Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
• "Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
• "GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
• "GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
• Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
• "The GandCrab Ransomware Mindset." Check Point, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
• Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
• "Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
• "GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
• "GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
• "GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
• "GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
• Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
• "Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
• "GandCrab Ransomware Decryption Tool." No More Ransom.

References – Further Reading (continued)

• Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
• Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
• Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
• Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
• Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
• Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
• Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
• Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
• Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
• Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
• Costis, Andrew; Cramer, Cathy; Miner, Emily; and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
• Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
• Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
• Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
• "2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
• "Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
• Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
• "Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." MarketWired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm

References – Further Reading (continued)

• Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
• Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
• Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
• Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
• Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
• "RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
• Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
• VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details

Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV

Requests for Information
Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV

Questions?

Image: SC Magazine

  • GandCrab Ransomware Update
  • GandCrab ndash Agenda
  • Ransomware ndash WhatWhy
  • GandCrab ndash Introduction
  • GandCrab ndash Updates
  • GandCrab ndash Actor
  • Example
  • Example
  • GandCrab ndash Ransom Notes
  • Infection vectors and persistence
  • GandCrab ndash Versions
  • GandCrab ndash Indicators of compromise
  • GandCrab ndash Yara rule
  • GandCrab ndash Solutions
  • GandCrab ndash Solutions (continued)
  • Do not pay ransom
  • References
  • References
  • References
  • Slide Number 20
Page 5: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab ndash UpdatesWhatrsquos changed recently Version 52 is out

ndash Decryptors exist for all versions previous to 52 Better affiliate relationships

ndash Structured profitable long-term agreementsndash Separation between developers and operationsndash Incentive to use GandCrab

Big game huntingndash Increased reconnaissancendash Even more persistence against high-value

targetsndash High-value targetsndash ldquoFrom mob attack to surgical strikerdquo

UNCLASSIFIED 5

UNCLASSIFIED TLPWHITE

3282019

Image BestTechTips

GandCrab ndash ActorPINCHY SPIDER (GandCrab developers) Named by CrowdStrike

ndash ldquohellipthe latest eCrime adversaries to join the growing trend of targeted low-volumehigh-return ransomware deployments known as lsquobig game huntingrsquordquo

ndash Unknown country(ies) of operation or any nation-state affiliation Offered as RaaS Uses distributors to infect systems

ndash Allows for PINCHY SPIDER to focus on development vice infectionsndash Provides separation between victims and PINCHY SPIDERndash Splits profits (6040 and sometimes 7030)ndash Operators arenrsquot necessarily technical

UNCLASSIFIED 6

UNCLASSIFIED TLPWHITE

3282019

Image Crowdstrike

Example Screenshot of fake CDC e-mail

UNCLASSIFIED 7

UNCLASSIFIED TLPWHITE

3282019

Fake e-mail address attempting to look legitimate

Malicious attachments

Body of e-mail designed to look legitimate

Image httpsmyonlinesecuritycouk

Example

Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive

UNCLASSIFIED 8

UNCLASSIFIED TLPWHITE

3282019

Macros

Image httpsmyonlinesecuritycouk

GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions

UNCLASSIFIED 9

UNCLASSIFIED TLPWHITE

3282019

Source Symantec

Source Malwarebytes

Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam

ndash Necurs botnet Exploit kits

ndash Fallout RIG Magnitude GrandSoft Social Engineering

Once itrsquos on your system how does it stay there

Persistence Living off the land (both default and post-installation tools)

ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro

UNCLASSIFIED 10

UNCLASSIFIED TLPWHITE

3282019

GandCrab ndash VersionsHow to identify the version

UNCLASSIFIED 11

UNCLASSIFIED TLPWHITE

3282019

VERSION EXTENSION RANSOM NOTE

1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB

4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB

5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA

501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG

502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR

503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL

503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI

505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI

505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD

Source Bitdefender

GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)

UNCLASSIFIED 12

UNCLASSIFIED TLPWHITE

3282019

VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f

GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9

GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc

GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62

GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6

GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1

GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4

GandCrab ndash Yara ruleimport pe

rule gandcrab_win32_downloader_unpack meta

author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4

strings$mz = 4d 5a

$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword

$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide

$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB

condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)

UNCLASSIFIED 13

UNCLASSIFIED TLPWHITE

3282019

YARA A rule-based tool for malware analysts to identify and analyze malware

GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce

strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51

ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note

Employ a zero-day recovery approachhttpswwwnomoreransomorg

UNCLASSIFIED 14

UNCLASSIFIED TLPWHITE

3282019

Source blogmalwarebytescom

GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash

ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies

Social Engineering ndash User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

UNCLASSIFIED 15

UNCLASSIFIED TLPWHITE

3282019

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-

gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-

executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018

httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-

malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-

gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-

era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-

ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-

decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-

ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-

wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-

decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049

UNCLASSIFIED 17

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019

httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-

nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018

httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018

httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-

distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-

ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-

with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-

with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-

downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-

accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019

httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018

httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-

strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-

ransomware-is-detected-healthcare-industry-nyse-ntt-2145268htm

UNCLASSIFIED 18

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Krastev Ventsislav Killswitch File Now Available for GandCrab v412 Ransomware Sensors Tech Forum July 19 2018 httpssensorstechforumcomkillswitch-file-now-available-gandcrab-

v4-1-2-ransomware Boczan Tamas The Evolution of GandCrab Ransomware VMRay Cybersecurity Blog June 5 2018 (updated July 9 2018) httpswwwvmraycomcyber-security-bloggandcrab-ransomware-

evolution-analysis Malwarebytes Labs Malwarebytes Blog GandCrab ransomware distributed by RIG and GrandSoft exploit kits January 30 2018 (updated May 10 2018) httpsblogmalwarebytescomthreat-

analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Biasini Nick with contributions from Lister Nick and Marczewski Christopher Cisco Talos Blog Gandcrab Ransomware Walks its Way onto Compromised Sites May 9 2018

httpsblogtalosintelligencecom201805gandcrab-compromised-siteshtml Duncan Brad SANS Internet Storm Center InfoSec Handlers Dairy Blog Ransomware news GlobeImposter gets a facelift GandCrab is still out there March 7 2018

httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-

gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-

more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails

UNCLASSIFIED 19

UNCLASSIFIED TLPWHITE

3282019

Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace

Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV

Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV

20

UNCLASSIFIED

6212018

Questions

UNCLASSIFIED

UNCLASSIFIED

3282019

TLPWHITE

Image SC Magazine

  • GandCrab Ransomware Update
  • GandCrab ndash Agenda
  • Ransomware ndash WhatWhy
  • GandCrab ndash Introduction
  • GandCrab ndash Updates
  • GandCrab ndash Actor
  • Example
  • Example
  • GandCrab ndash Ransom Notes
  • Infection vectors and persistence
  • GandCrab ndash Versions
  • GandCrab ndash Indicators of compromise
  • GandCrab ndash Yara rule
  • GandCrab ndash Solutions
  • GandCrab ndash Solutions (continued)
  • Do not pay ransom
  • References
  • References
  • References
  • Slide Number 20
Page 6: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab – Actor
PINCHY SPIDER (GandCrab developers), named by CrowdStrike
– "…the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as 'big game hunting'"
– Country (or countries) of operation unknown; no known nation-state affiliation
Offered as ransomware-as-a-service (RaaS): PINCHY SPIDER develops and maintains the malware and uses affiliates ("distributors") to infect systems
– Lets PINCHY SPIDER focus on development rather than on infections
– Provides separation between the victims and PINCHY SPIDER
– Profits are split 60/40, sometimes 70/30, with the larger share going to the affiliate
– Affiliates need not be technical; the service supplies the malware and the payment infrastructure
Image: CrowdStrike

Example: screenshot of fake CDC e-mail
Call-outs on the screenshot:
– Fake e-mail address attempting to look legitimate (check the actual sender address, not just the display name)
– Malicious attachments
– Body of e-mail designed to look legitimate
Image: https://myonlinesecurity.co.uk

Example: Macros
Macro: a sequence of commands stored inside a Microsoft Office document (written in VBA) and run as a single action to automate a task and make people more productive. The same mechanism is what a malicious attachment relies on: once the recipient clicks "Enable Content", the macro downloads and runs the GandCrab payload.
Image: https://myonlinesecurity.co.uk
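The lure above is only dangerous if the attachment actually carries a VBA project, and that is checkable at the mail gateway before anyone sees an "Enable Content" button. The following is an added example (not code from this brief or from any vendor) that inspects Office attachments with the Python standard library alone; the attachment bytes, the file names and the "CDC_Health_Alert.docx" name are constructed for the demo.

```python
"""Flag Office attachments that carry VBA macros, using only the standard
library.  Added example for this brief (not HC3 code); the attachment bytes
below are constructed in memory, so nothing here reads real mail."""
import io
import os
import zipfile

# OOXML documents are ZIP containers.  VBA code is stored in a vbaProject.bin
# part whose folder depends on the application (Word, Excel, PowerPoint).
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

# Legacy OLE2 (.doc/.xls) files start with this signature; they are not ZIPs,
# so this checker cannot see inside them and reports them for deeper inspection.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

MACRO_ENABLED_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx", ".dotx", ".xltx"}


def classify_attachment(filename, data):
    """Return 'macro', 'clean', 'ole2-legacy' or 'not-office'.

    'macro' is returned whenever a vbaProject.bin part is present, regardless
    of extension: Office decides by content, not by file name, and a .docx
    name on a macro-bearing file is a common lure."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return "not-office"  # a ZIP, but not an OOXML document
    if names & VBA_PARTS:
        return "macro"
    return "clean"


def triage(attachments):
    """attachments: iterable of (filename, bytes).  Returns (filename, verdict,
    note) triples; the note calls out a macro-free extension hiding VBA."""
    results = []
    for filename, data in attachments:
        verdict = classify_attachment(filename, data)
        ext = os.path.splitext(filename)[1].lower()
        note = ""
        if verdict == "macro" and ext in MACRO_FREE_EXT:
            note = "extension claims no macros but a VBA project is present"
        elif verdict == "macro" and ext in MACRO_ENABLED_EXT:
            note = "macro-enabled document; block or sandbox per policy"
        results.append((filename, verdict, note))
    return results


def build_ooxml(with_macro, app="word"):
    """Constructed minimal OOXML container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{app}/document.xml", "<document/>")
        if with_macro:
            zf.writestr(f"{app}/vbaProject.bin", b"\x00" * 32)  # placeholder, not VBA
    return buf.getvalue()


# Constructed sample attachments modelled on the fake CDC lure above.
SAMPLE_ATTACHMENTS = [
    ("CDC_Health_Alert.docx", build_ooxml(True)),        # lure: .docx hiding VBA
    ("Vaccine_Schedule.docx", build_ooxml(False)),
    ("Report.xlsm", build_ooxml(True, app="xl")),
    ("Legacy_Form.doc", OLE2_MAGIC + b"\x00" * 24),
    ("flyer.pdf", b"%PDF-1.4 constructed"),
]

if __name__ == "__main__":
    for name, verdict, note in triage(SAMPLE_ATTACHMENTS):
        print(f"{name:24} {verdict:12} {note}")
```

The extension check in `triage` is deliberately secondary: a gateway that keys on ".docm" alone misses exactly the case the lure depends on, a macro project inside a file named ".docx".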

GandCrab – Ransom Notes
Example ransom notes. Each note has the same three parts:
– Notification of compromise (your files have been encrypted)
– Expression of futility (they cannot be recovered without the attacker's key)
– Compliance instructions (how to reach the payment site and pay)
Sources: Symantec, Malwarebytes

Infection vectors and persistence
Infection vectors:
– Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC): exposed or weakly credentialed remote access
– Corporate spam/phishing/malspam, delivered through the Necurs botnet
– Exploit kits: Fallout, RIG, Magnitude, GrandSoft
– Social engineering
Once it's on your system, how does it stay there?
Persistence and post-compromise activity: living off the land with both built-in and post-installation tools
– Sysinternals ProcMon
– Process Hacker
– LAN Search Pro
These are legitimate administrative utilities, so their presence alone proves nothing; what matters is finding them on a host where no administrator installed them, typically right after an interactive RDP logon.

GandCrab – Versions
How to identify the version: from the extension appended to encrypted files and the first line of the ransom note. Versions 1 and 2 cannot be told apart this way (same extension, same note header), and 5.x extensions are a random run of upper-case letters, so for 5.x the note header is what gives the exact release.

VERSION   EXTENSION   RANSOM NOTE
1         .GDCB       Starts with "---= GANDCRAB =---" ... "the extension .GDCB"
2         .GDCB       Starts with "---= GANDCRAB =---" ... "the extension .GDCB"
3         .CRAB       Starts with "---= GANDCRAB V3 =---" ... "the extension .CRAB"
4         .KRAB       Starts with "---= GANDCRAB V4 =---" ... "the extension .KRAB"
5.0       ([A-Z]+)    Starts with "---= GANDCRAB V5.0 =---" ... "the extension .UKCZA"
5.0.1     ([A-Z]+)    Starts with "---= GANDCRAB V5.0.1 =---" ... "the extension .YIAQDG"
5.0.2     ([A-Z]+)    Starts with "---= GANDCRAB V5.0.2 =---" ... "the extension .CQXGPMKNR"
5.0.3     ([A-Z]+)    Starts with "---= GANDCRAB V5.0.3 =---" ... "the extension .HHFEHIOL"
5.0.4     ([A-Z]+)    Starts with "---= GANDCRAB V5.0.4 =---" ... "the extension .BYACZCZI"
5.0.5     ([A-Z]+)    Starts with "---= GANDCRAB V5.0.5 =---" ... "the extension .KZZXVWMLI"
5.1       ([A-Z]+)    Starts with "---= GANDCRAB V5.1 =---" ... "the extension .IJDHRQJD"

Source: Bitdefender
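To turn the table into a repeatable triage step, the following added example (not HC3 or Bitdefender code) maps an extension and the first line of a ransom note to a version and says whether the Bitdefender tool described later in this brief covered that version as of March 2019. The 5-to-10-letter bound on random v5 extensions is an assumption drawn from the samples in the table, and the note strings in the demo are constructed from the headers above.

```python
"""Map the extension on encrypted files plus the first line of the ransom
note to a GandCrab version, following the Bitdefender table above.  Added
example (not HC3 or Bitdefender code); the note text in the demo is
constructed from the header strings in the table."""
import re

# First line of the note, e.g. "---= GANDCRAB V5.0.4 =---".  V1 and V2 notes
# carry no number, so they cannot be told apart by note or by extension.
HEADER_RE = re.compile(r"-{3}= GANDCRAB(?: V(?P<ver>\d+(?:\.\d+)*))? =-{3}")

FIXED_EXTENSIONS = {"GDCB": "1 or 2", "CRAB": "3", "KRAB": "4"}

# v5.x uses a random run of upper-case letters.  Every sample in the table is
# 5 to 9 letters long; the 5-10 bound here is an assumption drawn from them.
RANDOM_EXT_RE = re.compile(r"[A-Z]{5,10}")

# Versions the Bitdefender tool covered when this brief was written (March 2019).
DECRYPTABLE = {"1", "4", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.1"}


def version_from_note(note_text):
    """Version announced in the ransom-note header, '1 or 2' when the header
    has no number, or None when the text is missing or is not a GandCrab note."""
    if not note_text:
        return None
    m = HEADER_RE.search(note_text)
    if not m:
        return None
    return m.group("ver") or "1 or 2"


def identify(extension, note_text=None):
    """Combine both indicators.  The extension picks the family; the note, when
    it agrees with that family, gives the exact release.  A disagreement is
    flagged rather than silently resolved, because a stale note from an earlier
    infection is a real possibility on a reinfected host."""
    raw = extension.lstrip(".")
    ext = raw.upper()
    result = {"extension": ext, "version": None, "mismatch": False,
              "decryptor_available": False}
    if ext in FIXED_EXTENSIONS:
        family = FIXED_EXTENSIONS[ext]
    elif RANDOM_EXT_RE.fullmatch(raw):
        family = "5.x"
    else:
        return result  # not a GandCrab extension according to the table

    version = family
    note_ver = version_from_note(note_text)
    if note_ver is not None:
        agrees = (family == "5.x" and note_ver.startswith("5")) or note_ver == family
        if agrees:
            version = note_ver
        else:
            result["mismatch"] = True
    result["version"] = version
    # "1 or 2" stays False: only v1 is covered, so run the tool to find out.
    result["decryptor_available"] = version in DECRYPTABLE
    return result


if __name__ == "__main__":
    # Constructed triage inputs: extension seen on disk, first line of the note.
    for ext, note in [("KRAB", "---= GANDCRAB V4 =---"),
                      (".CQXGPMKNR", "---= GANDCRAB V5.0.2 =---"),
                      ("BYACZCZI", None),
                      ("GDCB", "---= GANDCRAB =---"),
                      ("KRAB", "---= GANDCRAB V5.0.4 =---")]:
        print(ext, identify(ext, note))
```

The random-extension check runs on the extension as found, not upper-cased, because the malware writes upper-case letters; a lower-case ".readme" or ".txt" should not be promoted to a 5.x hit.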

GandCrab – Indicators of compromise
Indicators of compromise (IOCs): file hashes. All values below are SHA-256. Hash IOCs are brittle, since every affiliate build of the ransomware hashes differently, so a non-match does not clear a file.

VERSION         HASH TYPE   HASH
GandCrab v5.1   SHA-256     0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v5.2   SHA-256     329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v5.2   SHA-256     bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v5.2   SHA-256     d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v5.2   SHA-256     d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v5.2   SHA-256     f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v5.2   SHA-256     fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
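One way to act on these hashes is a sweep of a file server or a suspect host. The following is an added example (not HC3 tooling) in Python: it streams every regular file under a root through SHA-256 and reports matches against the list above. The demo tree and its "invoice.exe" are constructed in a temporary directory, and that sample's own hash is added to a copy of the list so the sweep has something to find.

```python
"""Sweep a directory tree and report files whose SHA-256 is on the IOC list
above.  Added example (not HC3 tooling); the demo tree is created in a
temporary directory with constructed content."""
import hashlib
import os
import tempfile

# SHA-256 values from the slide, keyed by digest, labelled with the reported version.
GANDCRAB_SHA256 = {
    "0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f": "GandCrab v5.1",
    "329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9": "GandCrab v5.2",
    "bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc": "GandCrab v5.2",
    "d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62": "GandCrab v5.2",
    "d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6": "GandCrab v5.2",
    "f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1": "GandCrab v5.2",
    "fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4": "GandCrab v5.2",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, iocs=GANDCRAB_SHA256):
    """Return (path, sha256, label) for every regular file under root whose
    digest is in iocs.  Symlinks are skipped so a planted link cannot pull the
    sweep out of the tree; unreadable files are skipped here and, in a real
    sweep, should be logged, since a locked file is itself worth a look."""
    wanted = {digest.lower(): label for digest, label in iocs.items()}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest, wanted[digest]))
    return hits


def demo():
    """Build a throwaway tree; the 'sample' is constructed bytes whose hash is
    added to a copy of the IOC set so the sweep has something to find."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "Downloads", "invoice.exe")
        os.makedirs(os.path.dirname(sample))
        with open(sample, "wb") as fh:
            fh.write(b"MZ constructed demo payload, not real malware")
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("benign text file")
        iocs = dict(GANDCRAB_SHA256)
        # Upper-cased on purpose: feeds differ in case and the sweep must not care.
        iocs[sha256_file(sample).upper()] = "constructed demo sample"
        hits = scan_tree(tmp, iocs)
        return [(os.path.relpath(path, tmp).replace(os.sep, "/"), label)
                for path, _digest, label in hits]


if __name__ == "__main__":
    print(demo())
```

Feed the output to whatever isolation step the playbook calls for; the sweep only tells you which files are already known, which is why it belongs beside the behavioural and YARA checks rather than in place of them.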

GandCrab – Yara rule

import "pe"

rule gandcrab_win32_downloader_unpack
{
    meta:
        author = "tccontre"
        description = "detecting gandcrab downloader"
        date = "2018-11-08"
        sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

    strings:
        $mz = { 4d 5a }

        $s1 = "open=_DeviceManager.exe" fullword
        $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword

        $c0 = "DisableAntiSpyware" fullword wide
        $c1 = "DisableBehaviorMonitoring" fullword wide
        $c2 = "FirewallDisableNotify" fullword wide
        $c3 = "lsT80870405687060" fullword   // punctuation in this string may not have survived extraction; check against the source rule
        $c4 = "RecycleBin" fullword wide
        $c5 = "autorun.inf" fullword wide

        $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
        $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
}

YARA: a rule-based tool malware analysts use to identify and classify malware by the strings and byte patterns a file contains. The "wide" strings are the Windows Defender and firewall registry value names the downloader writes, stored as UTF-16 in the binary. Note that the wildcard $c* is a name-prefix match, so $code1 and $code2 also count toward "2 of ($c*)"; the "pe" import is declared but not used by the condition.
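To see what the condition above actually requires, the following added example re-implements just enough of YARA's matching in Python (text strings in ASCII and UTF-16LE "wide" form, fullword, plain hex strings and the "N of" counts) to evaluate the rule over a constructed buffer. It is a teaching aid, not the yara engine and not tccontre's code, and the buffer is not a real sample. It also shows the $c* prefix behaviour: $code2 alone satisfies one of the two required $c hits, exactly as in YARA.

```python
"""Evaluate the rule's condition over a constructed buffer with plain Python,
to show what each clause demands.  Added example: a teaching re-implementation
of a few YARA semantics (ascii/wide text strings, fullword, hex strings and
'N of' counting), not the yara engine, and the buffer is not a real sample."""
import re

ALNUM = rb"[0-9A-Za-z]"


def text_string(value, wide=False, fullword=False):
    """Compile a YARA text string.  'wide' encodes as UTF-16LE (how Windows
    stores registry value names in a binary); 'fullword' forbids an adjacent
    alphanumeric character, checked at the same encoding width."""
    raw = value.encode("utf-16-le") if wide else value.encode("ascii")
    pattern = re.escape(raw)
    if fullword:
        edge = ALNUM + rb"\x00" if wide else ALNUM
        pattern = rb"(?<!" + edge + rb")" + pattern + rb"(?!" + edge + rb")"
    return re.compile(pattern, re.DOTALL)


def hex_string(spaced_hex):
    """Compile a YARA hex string that has no wildcards or jumps."""
    return re.compile(re.escape(bytes.fromhex(spaced_hex)), re.DOTALL)


STRINGS = {
    "$mz": hex_string("4d 5a"),
    "$s1": text_string("open=_DeviceManager.exe", fullword=True),
    "$s2": text_string("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) "
                       "Gecko/20100101 Firefox/25.0", fullword=True),
    "$c0": text_string("DisableAntiSpyware", wide=True, fullword=True),
    "$c1": text_string("DisableBehaviorMonitoring", wide=True, fullword=True),
    "$c2": text_string("FirewallDisableNotify", wide=True, fullword=True),
    "$c3": text_string("lsT80870405687060", fullword=True),
    "$c4": text_string("RecycleBin", wide=True, fullword=True),
    "$c5": text_string("autorun.inf", wide=True, fullword=True),
    "$code1": hex_string("83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53"),
    "$code2": hex_string("D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB"),
}


def matches(buf):
    """Which of the rule's strings occur anywhere in buf."""
    return {name: bool(pat.search(buf)) for name, pat in STRINGS.items()}


def count_of(found, prefix):
    """YARA's ($c*) is a name-prefix wildcard, so $code1/$code2 count as $c too."""
    return sum(hit for name, hit in found.items() if name.startswith(prefix))


def evaluate(buf):
    """The rule's condition: ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)."""
    found = matches(buf)
    mz_at_0 = buf[:2] == b"MZ"
    all_s = all(hit for name, hit in found.items() if name.startswith("$s"))
    return mz_at_0 and all_s and count_of(found, "$c") >= 2 and count_of(found, "$code") >= 1


def build_sample(with_mz=True, wide_registry=True):
    """Constructed buffer: a fake header, the autorun and user-agent strings,
    one Defender value name plus autorun.inf (wide or narrow) and the second
    code pattern.  Not an executable and not a real sample."""
    def enc(s):
        body = s.encode("utf-16-le") if wide_registry else s.encode("ascii")
        return b"\x00\x00" + body + b"\x00\x00"
    return b"".join([
        b"MZ" if with_mz else b"PK",
        b"\x90" * 62,
        b"[autorun]\r\nopen=_DeviceManager.exe\r\n",
        b"\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0\r\n",
        enc("DisableAntiSpyware"),
        enc("autorun.inf"),
        bytes.fromhex("D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB"),
    ])


if __name__ == "__main__":
    for label, buf in [("as built", build_sample()),
                       ("no MZ header", build_sample(with_mz=False)),
                       ("narrow registry names", build_sample(wide_registry=False))]:
        print(f"{label:22} -> {evaluate(buf)}")
```

Run the real rule with `yara -r gandcrab.yar <directory>`; the emulator exists only to show why a file that stores the Defender value names as narrow ASCII, or that lacks the MZ header at offset 0, does not fire even though most of the strings are present.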

GandCrab – Solutions
Content filtering: deploy signature-based blocking at the mail server so known-bad attachments and links never reach the user.
Configuration management and strong password policy: periodically review the configuration of all network hardware, devices and applications; develop and enforce a strong password policy.
Endpoint security: every system in the enterprise should be protected.
Network traffic analysis: NetFlow and packet capture give real-time visibility into system and network events.
Data backup: network/cloud redundancy is critical, and at least one copy must be unreachable from a compromised host, since a backup the ransomware can write to is just another target.
Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4 and 5.0.1 through 5.1.
– https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
– Requires an Internet connection and a copy of the ransom note
Employ a zero-day recovery approach: plan to restore from backups as if no decryptor existed, and treat a released decryptor as a bonus rather than the plan.
https://www.nomoreransom.org
Source: blog.malwarebytes.com

GandCrab – Solutions (continued)
Infection vectors – GandCrab-specific countermeasures and mitigations
Remote Desktop Protocol and Virtual Network Computing – protect credentials (unique passwords, multi-factor authentication, no RDP/VNC exposed directly to the Internet) and audit/log access
Corporate spam/phishing/malspam – user awareness training and content filtering
Exploit kits –
– User awareness training (visiting untrusted/suspicious websites)
– Whitelisting and blacklisting websites
– Implementing intrusion detection technologies
– Keeping browsers and browser plug-ins patched, since the kits listed earlier exploit known client-side vulnerabilities
Social engineering – user awareness training
WE DO NOT RECOMMEND PAYING A RANSOM
We suggest contacting local law enforcement in the case of a cyberattack. The FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

Do not pay ransom
We recommend not paying ransom:
– No guarantee files are decrypted and available again
– It incentivizes future ransomware attacks
Norsk Hydro: suffered a ransomware attack on March 19, 2019 (the LockerGoga family rather than GandCrab, but the cost is the point). Production management systems and equipment were rendered inoperable. Described as "crippling", "debilitating" and "disastrous". Reported $40 million loss in revenue.

References / Further Reading
Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
Palmer, Danny. "What is Ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
"The GandCrab Ransomware Mindset." Check Point Research, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
"GandCrab Ransomware Decryption Tool." No More Ransom.

References / Further Reading (continued)
Feeley, Brendon; Hartley, Bex; Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender Labs, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New .Crab Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
Abrams, Lawrence. "GandCrab V4 Released With the New .KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew; Cramer, Cathy; Miner, Emily; Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
Botezatu, Bogdan. "GandCrab Ransomware Decryption Tool." Bitdefender Labs, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
"2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm

References / Further Reading (continued)
Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." SensorsTechForum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details

Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.

Requests for Information
Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.

Questions?

Image: SC Magazine

Page 7: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

Example Screenshot of fake CDC e-mail

UNCLASSIFIED 7

UNCLASSIFIED TLPWHITE

3282019

Fake e-mail address attempting to look legitimate

Malicious attachments

Body of e-mail designed to look legitimate

Image httpsmyonlinesecuritycouk

Example

Macro A series of commands and instructions used in Microsoft Windows grouped together as a single command to automate a task and make people more productive

UNCLASSIFIED 8

UNCLASSIFIED TLPWHITE

3282019

Macros

Image httpsmyonlinesecuritycouk

GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions

UNCLASSIFIED 9

UNCLASSIFIED TLPWHITE

3282019

Source Symantec

Source Malwarebytes

Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam

ndash Necurs botnet Exploit kits

ndash Fallout RIG Magnitude GrandSoft Social Engineering

Once itrsquos on your system how does it stay there

Persistence Living off the land (both default and post-installation tools)

ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro

UNCLASSIFIED 10

UNCLASSIFIED TLPWHITE

3282019

GandCrab ndash VersionsHow to identify the version

UNCLASSIFIED 11

UNCLASSIFIED TLPWHITE

3282019

VERSION EXTENSION RANSOM NOTE

1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB

4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB

5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA

501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG

502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR

503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL

503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI

505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI

505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD

Source Bitdefender

GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)

UNCLASSIFIED 12

UNCLASSIFIED TLPWHITE

3282019

VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f

GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9

GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc

GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62

GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6

GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1

GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4

GandCrab ndash Yara ruleimport pe

rule gandcrab_win32_downloader_unpack meta

author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4

strings$mz = 4d 5a

$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword

$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide

$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB

condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)

UNCLASSIFIED 13

UNCLASSIFIED TLPWHITE

3282019

YARA A rule-based tool for malware analysts to identify and analyze malware

GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce

strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51

ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note

Employ a zero-day recovery approachhttpswwwnomoreransomorg

UNCLASSIFIED 14

UNCLASSIFIED TLPWHITE

3282019

Source blogmalwarebytescom

GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash

ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies

Social Engineering ndash User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

UNCLASSIFIED 15

UNCLASSIFIED TLPWHITE

3282019

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-

gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-

executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018

httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-

malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-

gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-

era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-

ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-

decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-

ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-

wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-

decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049

UNCLASSIFIED 17

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019

httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-

nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018

httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018

httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-

distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-

ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-

with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-

with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-

downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-

accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019

httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018

httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-


Example

Macro: A series of commands and instructions used in Microsoft Windows, grouped together as a single command to automate a task and make people more productive.


Macros

Image: https://myonlinesecurity.co.uk

GandCrab – Ransom Notes

Example ransom notes:
• Notification of compromise
• Expression of futility
• Compliance instructions


Source: Symantec

Source: Malwarebytes

Infection vectors and persistence

Infection vectors
• Remote Desktop Protocol (RDP)
• Virtual Network Computing (VNC)
• Corporate spam/phishing/malspam
  – Necurs botnet
• Exploit kits
  – Fallout, RIG, Magnitude, GrandSoft
• Social Engineering

Once it's on your system, how does it stay there?

Persistence
• Living off the land (both default and post-installation tools)
  – Sysinternals ProcMon
  – Process Hacker
  – LAN Search Pro


GandCrab – Versions

How to identify the version:


VERSION   EXTENSION   RANSOM NOTE
1         GDCB        Starts with "—= GANDCRAB =—" … "the extension GDCB"
2         GDCB        Starts with "—= GANDCRAB =—" … "the extension GDCB"
3         CRAB        Starts with "—= GANDCRAB V3 =—" … "the extension CRAB"
4         KRAB        Starts with "—= GANDCRAB V4 =—" … "the extension KRAB"
5         ([A-Z]+)    Starts with "—= GANDCRAB V5.0 =—" … "the extension UKCZA"
5.0.1     ([A-Z]+)    Starts with "—= GANDCRAB V5.0.1 =—" … "the extension YIAQDG"
5.0.2     ([A-Z]+)    Starts with "—= GANDCRAB V5.0.2 =—" … "the extension CQXGPMKNR"
5.0.3     ([A-Z]+)    Starts with "—= GANDCRAB V5.0.3 =—" … "the extension HHFEHIOL"
5.0.4     ([A-Z]+)    Starts with "—= GANDCRAB V5.0.4 =—" … "the extension BYACZCZI"
5.0.5     ([A-Z]+)    Starts with "—= GANDCRAB V5.0.5 =—" … "the extension KZZXVWMLI"
5.1       ([A-Z]+)    Starts with "—= GANDCRAB V5.1 =—" … "the extension IJDHRQJD"

([A-Z]+) denotes a random all-uppercase extension; from version 5 onward only the ransom-note banner identifies the exact release.

Source: Bitdefender
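The identification table above as a triage helper, added here as a worked example that is not part of the HC3 briefing or of Bitdefender's tooling: it recovers the appended extension from a file listing, maps extension plus ransom-note banner to a version row, and refuses contradictory evidence. Accepting ASCII hyphens in the banner and the constructed file listing are assumptions of mine.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Version table from the "GandCrab – Versions" slide (source: Bitdefender).
# Versions 1 and 2 share both the GDCB extension and an identical ransom-note
# banner, so the extension/note pair alone cannot separate them.
FIXED_EXTENSIONS = {"GDCB": "1 or 2", "CRAB": "3", "KRAB": "4"}

# Version string the banner is expected to carry for each fixed extension
# ('' means the banner names no version, as for v1/v2).
EXPECTED_BANNER = {"GDCB": "", "CRAB": "3", "KRAB": "4"}

# Banner is "—= GANDCRAB =—" or "—= GANDCRAB V<version> =—". The slide renders
# the dashes as em-dashes; ASCII '-' is accepted too (assumption, for notes
# transcribed with plain hyphens).
_BANNER = re.compile(
    r"^\s*[\u2014-]+=\s*GANDCRAB(?:\s+V(?P<ver>\d+(?:\.\d+)*))?\s*=[\u2014-]+"
)

# v5.x appends a random all-uppercase extension, ([A-Z]+) in the table.
_UPPER_EXT = re.compile(r"[A-Z]+")


def version_from_note(first_line: str) -> Optional[str]:
    """Version named in a ransom-note banner: '5.0.1' etc., '' when the banner
    carries no version (v1/v2), or None if the line is not a GandCrab banner."""
    m = _BANNER.match(first_line)
    if not m:
        return None
    return m.group("ver") or ""


def dominant_extension(filenames: Iterable[str]) -> Optional[str]:
    """Most common all-uppercase appended extension in a file listing, which is
    how the encrypted-file extension is recovered during triage."""
    counts: Counter = Counter()
    for name in filenames:
        _, dot, ext = name.rpartition(".")
        if dot and _UPPER_EXT.fullmatch(ext):
            counts[ext] += 1
    return counts.most_common(1)[0][0] if counts else None


def identify_gandcrab_version(extension: str,
                              note_first_line: Optional[str] = None) -> Optional[str]:
    """Classify a suspected infection from the appended extension and, when
    available, the first line of the ransom note. Returns a version label, or
    None when the evidence does not match the table or contradicts itself."""
    ext = extension.lstrip(".").upper()
    if not _UPPER_EXT.fullmatch(ext):
        return None  # GandCrab extensions are letters only
    banner = None
    if note_first_line is not None:
        banner = version_from_note(note_first_line)
        if banner is None:
            return None  # a note was supplied but it is not a GandCrab banner
    if ext in FIXED_EXTENSIONS:
        if banner is not None and banner != EXPECTED_BANNER[ext]:
            return None  # extension and banner disagree: treat as unidentified
        return FIXED_EXTENSIONS[ext]
    # Random uppercase extension: only the v5 family does this, and without a
    # banner it is a weak signal, so the result is flagged as unconfirmed.
    if banner is None:
        return "5.x (unconfirmed: ransom note needed)"
    return banner if banner.startswith("5") else None


if __name__ == "__main__":
    # Constructed sample listing: three encrypted files plus one untouched file.
    listing = ["budget.xlsx.YIAQDG", "scan.pdf.YIAQDG", "notes.txt", "memo.docx.YIAQDG"]
    ext = dominant_extension(listing)
    print(ext, identify_gandcrab_version(ext, "—= GANDCRAB V5.0.1 =—"))
```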

GandCrab – Indicators of compromise (IOCs)



GandCrab – Yara rule

    import "pe"

    rule gandcrab_win32_downloader_unpack
    {
        meta:
            author = "tccontre"
            description = "detecting gandcrab downloader"
            date = "2018-11-08"
            sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

        strings:
            // "MZ" DOS header: the sample is a Windows executable
            $mz = { 4d 5a }

            // Autorun entry and hard-coded HTTP User-Agent used by the downloader
            $s1 = "open=_DeviceManager.exe" fullword
            $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword

            // Defender/firewall tampering values and removable-media artefacts
            $c0 = "DisableAntiSpyware" fullword wide
            $c1 = "DisableBehaviorMonitoring" fullword wide
            $c2 = "FirewallDisableNotify" fullword wide
            $c3 = "lsT80870405687060" fullword
            $c4 = "RecycleBin" fullword wide
            $c5 = "autorun.inf" fullword wide

            // Code fragments from the unpacking routine
            $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
            $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

        condition:
            ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
    }


YARA: A rule-based tool for malware analysts to identify and analyze malware.

GandCrab – Solutions

• Content filtering: deploys to mail server; signature-based traffic blocking
• Configuration management and strong password policy: periodically review all network hardware devices and applications for configurations; develop and enforce a strong password policy
• Endpoint security: every system in the enterprise should be protected
• Network traffic analysis: Netflow and packet capture; real-time examination of system and network events
• Data backup: network/cloud redundancy is critical
• Decryptors: Bit Defender maintains a tool that can decrypt files encrypted by versions 1, 4 and 5.0.1 through 5.1
  – https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
  – Requires Internet connection and ransom note
• Employ a zero-day recovery approach: https://www.nomoreransom.org


Source: blog.malwarebytes.com

GandCrab – Solutions (continued)

Infection vectors – GandCrab-specific countermeasures and mitigations
• Remote Desktop Protocol and Virtual Network Computing – Protect credentials and audit/log access
• Corporate spam/phishing/malspam – User awareness training and content filtering
• Exploit kits –
  – User awareness training (visiting untrusted/suspicious websites)
  – Whitelisting and blacklisting websites
  – Implementing intrusion detection technologies
• Social Engineering – User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM


We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

Do not pay ransom

We recommend not paying ransom:
• No guarantee files are decrypted and available again
• It incentivizes future ransomware attacks

Norsk Hydro
• Suffered from ransomware attack on March 19, 2019
• Production management systems and equipment were rendered inoperable
• Described as "crippling", "debilitating" and "disastrous"
• Reported $40 million loss in revenue


References / Further Reading

• Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks
• Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again
• Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web
• Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service
• Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware
• Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year
• Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers
• Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
• "Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-5-ransomware.html
• "GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-4-ransomware.html
• "GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details/gandcrab-ransomware.html
• Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public
• "The GandCrab Ransomware Mindset." Check Point, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset
• Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
• "Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild
• "GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware
• "GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
• "GandCrab." The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
• "GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
• Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
• "Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049
• "GandCrab Ransomware Decryption Tool." No More Ransom.


References / Further Reading

• Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting
• Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bit Defender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/?cid=soc%7Cc%7Ctw%7CGandCrab
• Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts
• Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
• Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager
• Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes
• Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files
• Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note
• Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image
• Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
• Costis, Andrew; Cramer, Cathy; Miner, Emily; and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign
• Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bit Defender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
• Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
• Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike
• "2017 Cylance Threat Report." https://pages.cylance.com/2018-03CylanceThreatReport2017.html
• "Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
• Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
• "Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm


References / Further Reading

• Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware
• Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis
• Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
• Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
• Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
• "RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
• Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." Oct 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
• VirusTotal GandCrab entry: https://www.virustotal.com/#/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details


Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace

Product Evaluations: Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV

Requests for Information: Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV


Questions?


Image: SC Magazine

  • GandCrab Ransomware Update
  • GandCrab ndash Agenda
  • Ransomware ndash WhatWhy
  • GandCrab ndash Introduction
  • GandCrab ndash Updates
  • GandCrab ndash Actor
  • Example
  • Example
  • GandCrab ndash Ransom Notes
  • Infection vectors and persistence
  • GandCrab ndash Versions
  • GandCrab ndash Indicators of compromise
  • GandCrab ndash Yara rule
  • GandCrab ndash Solutions
  • GandCrab ndash Solutions (continued)
  • Do not pay ransom
  • References
  • References
  • References
  • Slide Number 20
Page 9: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab ndash Ransom NotesExample ransom notes Notification of compromise Expression of futility Compliance instructions

UNCLASSIFIED 9

UNCLASSIFIED TLPWHITE

3282019

Source Symantec

Source Malwarebytes

Infection vectors and persistenceInfection vectors Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Corporate spamphishingmalspam

ndash Necurs botnet Exploit kits

ndash Fallout RIG Magnitude GrandSoft Social Engineering

Once itrsquos on your system how does it stay there

Persistence Living off the land (both default and post-installation tools)

ndash Sysinternals ProcMonndash Process Hackerndash LAN Search Pro

UNCLASSIFIED 10

UNCLASSIFIED TLPWHITE

3282019

GandCrab ndash VersionsHow to identify the version

UNCLASSIFIED 11

UNCLASSIFIED TLPWHITE

3282019

VERSION EXTENSION RANSOM NOTE

1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB

4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB

5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA

501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG

502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR

503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL

503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI

505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI

505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD

Source Bitdefender

GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)

UNCLASSIFIED 12

UNCLASSIFIED TLPWHITE

3282019

VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f

GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9

GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc

GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62

GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6

GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1

GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4

GandCrab ndash Yara ruleimport pe

rule gandcrab_win32_downloader_unpack meta

author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4

strings$mz = 4d 5a

$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword

$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide

$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB

condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)

UNCLASSIFIED 13

UNCLASSIFIED TLPWHITE

3282019

YARA A rule-based tool for malware analysts to identify and analyze malware

GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce

strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51

ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note

Employ a zero-day recovery approachhttpswwwnomoreransomorg

UNCLASSIFIED 14

UNCLASSIFIED TLPWHITE

3282019

Source blogmalwarebytescom

GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash

ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies

Social Engineering ndash User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

UNCLASSIFIED 15

UNCLASSIFIED TLPWHITE

3282019

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-

gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-

executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018

httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-

malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-

gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-

era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-

ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-

decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-

ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-

wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-

decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049

UNCLASSIFIED 17

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019

httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-

nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018

httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018

httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-

distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-

ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-

with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-

with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-

downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-

accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019

httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018


Infection vectors and persistence

Infection vectors:
Remote Desktop Protocol (RDP)
Virtual Network Computing (VNC)
Corporate spam/phishing/malspam
– Necurs botnet
Exploit kits
– Fallout, RIG, Magnitude, GrandSoft
Social engineering

Once it's on your system, how does it stay there?

Persistence: living off the land (both default and post-installation tools)
– Sysinternals ProcMon
– Process Hacker
– LAN Search Pro

GandCrab – Versions: how to identify the version

Version   Extension   Ransom note
1         .GDCB       Starts with "—= GANDCRAB =—" … the extension .GDCB
2         .GDCB       Starts with "—= GANDCRAB =—" … the extension .GDCB
3         .CRAB       Starts with "—= GANDCRAB V3 =—" … the extension .CRAB
4         .KRAB       Starts with "—= GANDCRAB V4 =—" … the extension .KRAB
5         .([A-Z]+)   Starts with "—= GANDCRAB V5.0 =—" … the extension .UKCZA
5.0.1     .([A-Z]+)   Starts with "—= GANDCRAB V5.0.1 =—" … the extension .YIAQDG
5.0.2     .([A-Z]+)   Starts with "—= GANDCRAB V5.0.2 =—" … the extension .CQXGPMKNR
5.0.3     .([A-Z]+)   Starts with "—= GANDCRAB V5.0.3 =—" … the extension .HHFEHIOL
5.0.3     .([A-Z]+)   Starts with "—= GANDCRAB V5.0.4 =—" … the extension .BYACZCZI
5.0.5     .([A-Z]+)   Starts with "—= GANDCRAB V5.0.5 =—" … the extension .KZZXVWMLI
5.0.5     .([A-Z]+)   Starts with "—= GANDCRAB V5.1 =—" … the extension .IJDHRQJD

Source: Bitdefender
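The table gives two signals for the version: the header of the ransom note and the extension appended to encrypted files. The Python below is an added example, not code from this briefing or from Bitdefender. It parses the header, checks that the extension agrees with the table, and reports whether the version is inside the range the Solutions slide lists for Bitdefender's free decryptor (versions 1, 4, and 5.0.1 through 5.1). Assumptions: notes in the wild write the header with three hyphens ("---= GANDCRAB V5.0.4 =---") while the slide renders it with dashes, so both spellings are accepted; the sample note is constructed; and version 2, which shares the bare header and .GDCB extension with version 1, is reported as ambiguous rather than guessed.

```python
import re
from typing import Dict, Optional, Tuple, Union

# Fixed extensions from the version table; 5.x uses a random upper-case
# extension, which the table writes as ([A-Z]+).
FIXED_EXTENSIONS = {"1": "GDCB", "2": "GDCB", "3": "CRAB", "4": "KRAB"}
RANDOM_EXT_RE = re.compile(r"^[A-Z]+$")

# Ransom-note header. Accepts "---=" (as seen in notes; assumption) and the
# dash form the slide uses. The V-number is optional because versions 1 and 2
# use the bare "= GANDCRAB =" header.
HEADER_RE = re.compile(
    r"(?:-{1,3}|\u2014)=\s*GANDCRAB(?:\s+V(\d+(?:\.\d+)*))?\s*=(?:-{1,3}|\u2014)",
    re.IGNORECASE,
)

# Constructed sample note for the demo; not a real ransom note.
SAMPLE_NOTE = (
    "---= GANDCRAB V5.0.4 =---\n"
    "(constructed sample body for this example)\n"
)


def version_from_note(note: str) -> Optional[str]:
    """Version string from the header, '1/2' for the bare header, None if absent."""
    m = HEADER_RE.search(note)
    if not m:
        return None
    return m.group(1) or "1/2"


def extension_consistent(version: str, extension: str) -> bool:
    """Does the encrypted-file extension match what the table lists for this version?"""
    ext = extension.lstrip(".")
    if version == "1/2":
        return ext == "GDCB"
    if version in FIXED_EXTENSIONS:
        return ext == FIXED_EXTENSIONS[version]
    if version.startswith("5"):
        return bool(RANDOM_EXT_RE.match(ext))
    return False


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def decryptor_listed(version: str) -> Optional[bool]:
    """Coverage as stated on the Solutions slide: versions 1, 4, and 5.0.1 through 5.1.
    None when the bare header cannot separate version 1 (covered) from 2 (not listed)."""
    if version == "1/2":
        return None
    if version in ("1", "4"):
        return True
    if version.startswith("5"):
        return _vtuple("5.0.1") <= _vtuple(version) <= _vtuple("5.1")
    return False


def triage(note: str, encrypted_filename: str) -> Dict[str, Union[str, bool, None]]:
    """Combine the two signals into one triage record for a responder."""
    version = version_from_note(note)
    ext = encrypted_filename.rsplit(".", 1)[-1] if "." in encrypted_filename else ""
    if version is None:
        return {"version": None, "extension": ext, "consistent": False, "decryptor_listed": None}
    return {
        "version": version,
        "extension": ext,
        "consistent": extension_consistent(version, ext),
        "decryptor_listed": decryptor_listed(version),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NOTE, "report.docx.BYACZCZI"))
```

A mismatch between header and extension (for example a V3 header beside a .KRAB file) is worth flagging on its own: it usually means two infections or a tampered note, and the decryptor decision should not be made from either signal alone.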

GandCrab – Indicators of compromise (IOCs)

Version         Type     Hash
GandCrab v5.1   SHA256   0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v5.2   SHA256   329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v5.2   SHA256   bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v5.2   SHA256   d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v5.2   SHA256   d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v5.2   SHA256   f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v5.2   SHA256   fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
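To turn the hash table into a check a responder can actually run, here is an added Python example (not part of the briefing): it parses the table in the flattened "version type hash" form printed above, hashes every regular file under a directory with SHA-256, and reports matches together with the version label. The directory it scans is constructed in a temporary folder; because a harmless file cannot be given one of the real hashes, the demo also plants a test-only file and adds its hash to a copy of the IOC set, so the matching path is exercised offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# The IOC table from the slide, as "<family> <version> <type> <hash>" lines.
IOC_TABLE = """\
GandCrab v5.1 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f
GandCrab v5.2 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
GandCrab v5.2 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc
GandCrab v5.2 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62
GandCrab v5.2 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6
GandCrab v5.2 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1
GandCrab v5.2 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4
"""

HEX = set("0123456789abcdef")


def parse_ioc_table(text: str) -> Dict[str, str]:
    """Map lower-case SHA-256 -> version label. Rejects hashes that are not 64 hex chars,
    so a truncated or mistyped indicator fails loudly instead of silently never matching."""
    iocs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2].upper() != "SHA256":
            continue
        digest = parts[3].lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"malformed SHA-256 in IOC table: {parts[3]}")
        iocs[digest] = f"{parts[0]} {parts[1]}"
    return iocs


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root: Path, iocs: Dict[str, str]) -> Dict[str, str]:
    """Return {path: version} for every regular file under root whose hash is an IOC.
    Symlinks are skipped so a planted link cannot point the scan outside root."""
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digest = sha256_file(p)
            if digest in iocs:
                hits[str(p)] = iocs[digest]
    return hits


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed input: a temp tree with a benign file plus a test-only planted file.
    Returns (hits against the real IOC set, hits against the set extended with the planted hash)."""
    iocs = parse_ioc_table(IOC_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"quarterly report - constructed sample\n")
        planted = root / "sub" / "suspect.bin"
        planted.parent.mkdir()
        planted.write_bytes(b"CONSTRUCTED TEST PAYLOAD - not malware\n")
        test_iocs = dict(iocs)
        test_iocs[sha256_file(planted)] = "TEST-ONLY planted hash"
        return scan_directory(root, iocs), scan_directory(root, test_iocs)


if __name__ == "__main__":
    print(demo())
```

A hash match is strong but narrow evidence: a repacked sample changes its SHA-256 while keeping its behaviour, so this check complements, rather than replaces, the version triage and the YARA rule on the following slide.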

GandCrab – Yara rule

import "pe"

rule gandcrab_win32_downloader_unpack
{
    meta:
        author = "tccontre"
        description = "detecting gandcrab downloader"
        date = "2018-11-08"
        sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

    strings:
        // PE "MZ" signature, anchored at offset 0 in the condition
        $mz = { 4d 5a }

        // Plain-text strings carried by the downloader
        $s1 = "open=_DeviceManager.exe" fullword
        $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword

        // Wide (UTF-16) strings: Defender/firewall setting names and autorun artefacts
        $c0 = "DisableAntiSpyware" fullword wide
        $c1 = "DisableBehaviorMonitoring" fullword wide
        $c2 = "FirewallDisableNotify" fullword wide
        $c3 = "lsT80870405687060" fullword
        $c4 = "RecycleBin" fullword wide
        $c5 = "autorun.inf" fullword wide

        // Code fragments from the unpacked downloader
        $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
        $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
}

YARA: a rule-based tool for malware analysts to identify and analyze malware.

GandCrab – Solutions

Content filtering: deploys to the mail server; signature-based traffic blocking
Configuration management and strong password policy: periodically review all network hardware, devices and applications for configurations; develop and enforce a strong password policy
Endpoint security: every system in the enterprise should be protected
Network traffic analysis: NetFlow and packet capture; real-time examination of system and network events
Data backup: network/cloud redundancy is critical
Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4, and 5.0.1 through 5.1
– https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
– Requires an Internet connection and the ransom note
Employ a zero-day recovery approach: https://www.nomoreransom.org

Source: blog.malwarebytes.com

GandCrab – Solutions (continued)

Infection vectors – GandCrab-specific countermeasures and mitigations
Remote Desktop Protocol and Virtual Network Computing – protect credentials and audit/log access
Corporate spam/phishing/malspam – user awareness training and content filtering
Exploit kits –
– user awareness training (visiting untrusted/suspicious websites)
– whitelisting and blacklisting websites
– implementing intrusion detection technologies
Social engineering – user awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

Do not pay ransom

We recommend not paying ransom:
– No guarantee files are decrypted and available again
– It incentivizes future ransomware attacks

Norsk Hydro: suffered a ransomware attack on March 19, 2019. Production management systems and equipment were rendered inoperable. Described as "crippling", "debilitating" and "disastrous". Reported $40 million loss in revenue.

References – Further Reading

Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks
Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again
Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web
Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service
Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware
Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public
"The GandCrab Ransomware Mindset." Check Point Research, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049
"GandCrab Ransomware Decryption Tool." No More Ransom.

References – Further Reading (continued)

Feeley, Brendon; Hartley, Bex; Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now?cid=soc%7Cc%7Ctw%7CGandCrab
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & NetSupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes
Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew; Cramer, Cathy; Miner, Emily; Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign
Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free
Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike
"2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm

References – Further Reading (continued)

Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." SensorsTechForum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis
Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits
Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details

Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace

Product Evaluations: Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.

Requests for Information: Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.

Questions?

Image: SC Magazine

  • GandCrab Ransomware Update
  • GandCrab ndash Agenda
  • Ransomware ndash WhatWhy
  • GandCrab ndash Introduction
  • GandCrab ndash Updates
  • GandCrab ndash Actor
  • Example
  • Example
  • GandCrab ndash Ransom Notes
  • Infection vectors and persistence
  • GandCrab ndash Versions
  • GandCrab ndash Indicators of compromise
  • GandCrab ndash Yara rule
  • GandCrab ndash Solutions
  • GandCrab ndash Solutions (continued)
  • Do not pay ransom
  • References
  • References
  • References
  • Slide Number 20
Page 11: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab ndash VersionsHow to identify the version

UNCLASSIFIED 11

UNCLASSIFIED TLPWHITE

3282019

VERSION EXTENSION RANSOM NOTE

1 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

2 GDCB Starts with mdash= GANDCRAB =mdash helliphelliphelliphelliphellip the extension GDCB

3 CRAB Starts with mdash= GANDCRAB V3 =mdash helliphelliphellip the extension CRAB

4 KRAB Starts with mdash= GANDCRAB V4 =mdash helliphelliphellip the extension KRAB

5 ([A-Z]+) Starts with mdash= GANDCRAB V50 =mdash helliphelliphellip the extension UKCZA

501 ([A-Z]+) Starts with mdash= GANDCRAB V501 =mdash hellip the extension YIAQDG

502 ([A-Z]+) Starts withmdash= GANDCRAB V502 =mdash hellip the extension CQXGPMKNR

503 ([A-Z]+) Starts withmdash= GANDCRAB V503 =mdash hellip the extension HHFEHIOL

503 ([A-Z]+) Starts withmdash= GANDCRAB V504 =mdash hellip the extension BYACZCZI

505 ([A-Z]+) Starts withmdash= GANDCRAB V505 =mdash hellip the extension KZZXVWMLI

505 ([A-Z]+) Starts withmdash= GANDCRAB V51 =mdash hellip the extension IJDHRQJD

Source Bitdefender

GandCrab ndash Indicators of compromiseIndicators of compromise (IOCs)

UNCLASSIFIED 12

UNCLASSIFIED TLPWHITE

3282019

VersionType MD5 HashGandCrab v51 SHA256 0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f

GandCrab v52 SHA256 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9

GandCrab v52 SHA256 bd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc

GandCrab v52 SHA256 d7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62

GandCrab v52 SHA256 d860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6

GandCrab v52 SHA256 f70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1

GandCrab v52 SHA256 fb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4

GandCrab ndash Yara ruleimport pe

rule gandcrab_win32_downloader_unpack meta

author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4

strings$mz = 4d 5a

$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword

$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide

$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB

condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)

UNCLASSIFIED 13

UNCLASSIFIED TLPWHITE

3282019

YARA A rule-based tool for malware analysts to identify and analyze malware

GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce

strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51

ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note

Employ a zero-day recovery approachhttpswwwnomoreransomorg

UNCLASSIFIED 14

UNCLASSIFIED TLPWHITE

3282019

Source blogmalwarebytescom

GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash

ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies

Social Engineering ndash User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

UNCLASSIFIED 15

UNCLASSIFIED TLPWHITE

3282019

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-

gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-

executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018

httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-

malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-

gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-

era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-

ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-

decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-

ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-

wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-

decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049

UNCLASSIFIED 17

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019

httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-

nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018

httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018

httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-

distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-

ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-

with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-

with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-

downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-

accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019

httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018

httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-

strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-


GandCrab – Indicators of compromise (IOCs)

UNCLASSIFIED 12

UNCLASSIFIED TLP:WHITE

3/28/2019


GandCrab – Yara rule

    import "pe"

    rule gandcrab_win32_downloader_unpack
    {
        meta:
            author = "tccontre"
            description = "detecting gandcrab downloader"
            date = "2018-11-08"
            sha256 = "7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4"

        strings:
            // PE files start with the "MZ" DOS header magic
            $mz = { 4d 5a }

            $s1 = "open=_DeviceManager.exe" fullword
            $s2 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0" fullword

            // "wide" = UTF-16LE encoded; "fullword" = not bordered by alphanumerics
            $c0 = "DisableAntiSpyware" fullword wide
            $c1 = "DisableBehaviorMonitoring" fullword wide
            $c2 = "FirewallDisableNotify" fullword wide
            $c3 = "lsT80870405687060" fullword
            $c4 = "RecycleBin" fullword wide
            $c5 = "autorun.inf" fullword wide

            $code1 = { 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 }
            $code2 = { D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB }

        condition:
            // note: the $c* wildcard is a prefix match, so it also covers $code1 and $code2
            ($mz at 0) and all of ($s*) and 2 of ($c*) and 1 of ($code*)
    }

YARA: A rule-based tool for malware analysts to identify and analyze malware
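To see what the modifiers in the rule above actually require of a sample, here is an added example (not from the HC3 brief and not tccontre's code) that re-implements the rule's string semantics in plain Python and evaluates them over a constructed byte buffer; `build_sample` and the buffer layout are assumptions made for the demonstration, and the code uses only the standard library rather than yara-python.

```python
# Added example, not from the HC3 brief or from tccontre's rule: a small re-implementation of
# the string semantics the rule relies on ("fullword", "wide", hex patterns and the
# "N of ($prefix*)" quantifiers), evaluated against a constructed byte buffer so the effect
# of each modifier can be observed without yara-python. Standard library only.

# Text strings from the rule: identifier -> (text, fullword, wide)
STRINGS = {
    "$s1": ("open=_DeviceManager.exe", True, False),
    "$s2": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) "
            "Gecko/20100101 Firefox/25.0", True, False),
    "$c0": ("DisableAntiSpyware", True, True),
    "$c1": ("DisableBehaviorMonitoring", True, True),
    "$c2": ("FirewallDisableNotify", True, True),
    "$c3": ("lsT80870405687060", True, False),
    "$c4": ("RecycleBin", True, True),
    "$c5": ("autorun.inf", True, True),
}

# Hex strings from the rule (no wildcards or jumps, so a plain substring search is exact)
HEX = {
    "$code1": bytes.fromhex("83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53"),
    "$code2": bytes.fromhex("D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB"),
}


def _alnum_at(data: bytes, pos: int, wide: bool) -> bool:
    """True if an ASCII (or, for wide, UTF-16LE) alphanumeric character starts at pos."""
    width = 2 if wide else 1
    if pos < 0 or pos + width > len(data):
        return False          # past either end counts as a word boundary
    if wide and data[pos + 1] != 0:
        return False          # high byte set: not a Latin-range UTF-16LE character
    return data[pos] < 128 and chr(data[pos]).isalnum()


def find_string(data: bytes, text: str, fullword: bool, wide: bool) -> list:
    """Offsets at which `text` occurs, honouring YARA's 'wide' and 'fullword' modifiers.

    'wide' searches for the UTF-16LE encoding only (an ASCII copy does NOT match);
    'fullword' rejects hits immediately preceded or followed by an alphanumeric.
    """
    needle = text.encode("utf-16-le" if wide else "ascii")
    step = 2 if wide else 1
    hits, i = [], data.find(needle)
    while i != -1:
        ok = not fullword or (not _alnum_at(data, i - step, wide)
                              and not _alnum_at(data, i + len(needle), wide))
        if ok:
            hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def match_rule(data: bytes) -> dict:
    """Evaluate gandcrab_win32_downloader_unpack's condition over `data`."""
    matched = {ident for ident, (t, fw, w) in STRINGS.items() if find_string(data, t, fw, w)}
    matched |= {ident for ident, pat in HEX.items() if pat in data}

    def count(prefix: str) -> int:
        # "$c*" in YARA is a prefix wildcard, so it also picks up $code1/$code2.
        return sum(1 for ident in matched if ident.startswith(prefix))

    verdict = (data.startswith(b"MZ")                                            # ($mz at 0)
               and count("$s") == sum(1 for k in STRINGS if k.startswith("$s"))  # all of ($s*)
               and count("$c") >= 2                                              # 2 of ($c*)
               and count("$code") >= 1)                                          # 1 of ($code*)
    return {"matched": sorted(matched), "verdict": verdict}


def build_sample(include_code: bool = True, wide_strings: bool = True) -> bytes:
    """Constructed test buffer (not a real executable, an assumption for this demo): an MZ
    stub followed by the rule's strings, NUL-padded so 'fullword' boundaries hold."""
    encode = (lambda s: s.encode("utf-16-le")) if wide_strings else (lambda s: s.encode("ascii"))
    parts = [
        b"MZ" + b"\x90" * 62,                 # satisfies ($mz at 0)
        STRINGS["$s1"][0].encode("ascii"),    # both $s strings are required
        STRINGS["$s2"][0].encode("ascii"),
        encode("DisableAntiSpyware"),         # $c0 only counts when UTF-16LE (wide)
        encode("autorun.inf"),                # $c5 likewise
    ]
    if include_code:
        parts.append(HEX["$code2"])           # one $code pattern is enough
    return b"\x00\x00".join(parts) + b"\x00\x00"


if __name__ == "__main__":
    print(match_rule(build_sample()))                     # verdict True
    print(match_rule(build_sample(include_code=False)))   # no $code hit -> False
    print(match_rule(build_sample(wide_strings=False)))   # ASCII-only $c strings -> False
```

The third run is the practical lesson: registry value names that appear only as ASCII do not satisfy a `wide` string, so a rule copied from one sample can silently miss a build that stores them differently.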

GandCrab – Solutions

• Content filtering: deploys to the mail server; signature-based traffic blocking
• Configuration management and strong password policy: periodically review all network hardware, devices and applications for their configurations; develop and enforce a strong password policy
• Endpoint security: every system in the enterprise should be protected
• Network traffic analysis: NetFlow and packet capture; real-time examination of system and network events
• Data backup: network/cloud redundancy is critical
• Decryptors: Bitdefender maintains a tool that can decrypt files encrypted by versions 1, 4 and 5.0.1 through 5.1
  – https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
  – Requires Internet connection and ransom note
• Employ a zero-day recovery approach: https://www.nomoreransom.org/

Source: blog.malwarebytes.com

GandCrab – Solutions (continued)

Infection vectors – GandCrab-specific countermeasures and mitigations
• Remote Desktop Protocol and Virtual Network Computing – protect credentials and audit/log access
• Corporate spam/phishing/malspam – user awareness training and content filtering
• Exploit kits –
  – User awareness training (visiting untrusted/suspicious websites)
  – Whitelisting and blacklisting websites
  – Implementing intrusion detection technologies
• Social engineering – user awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

Do not pay ransom

We recommend not paying ransom:
• No guarantee files are decrypted and available again
• It incentivizes future ransomware attacks

Norsk Hydro
• Suffered from a ransomware attack on March 19, 2019
• Production management systems and equipment were rendered inoperable
• Described as “crippling”, “debilitating” and “disastrous”
• Reported $40 million loss in revenue

References – Further Reading

Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
"Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
"GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
"GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
"The GandCrab Ransomware Mindset." Check Point, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
"Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
"GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
"GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
"GandCrab." The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
"GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
"Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
"GandCrab Ransomware Decryption Tool." No More Ransom.

References – Further Reading

Feeley, Brendon, Hartley, Bex, and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/?cid=soc%7Cc%7Ctw%7CGandCrab
Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New Crab Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
Abrams, Lawrence. "GandCrab V4 Released With the New KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New ‘Change Wallpaper’ Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
Costis, Andrew, Cramer, Cathy, Miner, Emily, and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
"2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
"Kaspersky Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
"Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Marketwired. http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm

References – Further Reading

Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." Sensors Tech Forum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
"RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
VirusTotal, GandCrab entry. https://www.virustotal.com/#/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details

Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace

Product Evaluations: Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV

Requests for Information: Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV

Questions?

Image: SC Magazine

  • GandCrab Ransomware Update
  • GandCrab ndash Agenda
  • Ransomware ndash WhatWhy
  • GandCrab ndash Introduction
  • GandCrab ndash Updates
  • GandCrab ndash Actor
  • Example
  • Example
  • GandCrab ndash Ransom Notes
  • Infection vectors and persistence
  • GandCrab ndash Versions
  • GandCrab ndash Indicators of compromise
  • GandCrab ndash Yara rule
  • GandCrab ndash Solutions
  • GandCrab ndash Solutions (continued)
  • Do not pay ransom
  • References
  • References
  • References
  • Slide Number 20
Page 13: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab ndash Yara ruleimport pe

rule gandcrab_win32_downloader_unpack meta

author = tccontredescription = detecting gandcrab downloaderdate = 2018-11-08sha256 = 7cb45951e8f8dd064b467dd55819c83d3d85359ef7a382c3bad9f9116282e2e4

strings$mz = 4d 5a

$s1 = open=_DeviceManagerexe fullword $s2 = Mozilla50 (Macintosh Intel Mac OS X 109 rv250) Gecko20100101 Firefox250 fullword

$c0 = DisableAntiSpyware fullword wide$c1 = DisableBehaviorMonitoring fullword wide$c2 = FirewallDisableNotify fullword wide$c3 = lsT80870405687060 fullword$c4 = RecycleBin fullword wide$c5 = autoruninf fullword wide

$code1 = 83 C8 20 83 F8 61 74 61 8B 45 FC 0F B7 00 83 C8 20 83 F8 62 74 53 $code2 = D1 E8 EB 07 D1 E8 35 20 83 B8 ED E2 EC AB

condition($mz at 0) and all of ($s) and 2 of ($c) and 1 of ($code)

UNCLASSIFIED 13

UNCLASSIFIED TLPWHITE

3282019

YARA A rule-based tool for malware analysts to identify and analyze malware

GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce

strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51

ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note

Employ a zero-day recovery approachhttpswwwnomoreransomorg

UNCLASSIFIED 14

UNCLASSIFIED TLPWHITE

3282019

Source blogmalwarebytescom

GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash

ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies

Social Engineering ndash User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

UNCLASSIFIED 15

UNCLASSIFIED TLPWHITE

3282019

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-

gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-

executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018

httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-

malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-

gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-

era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-

ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-

decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-

ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-

wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-

decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049

UNCLASSIFIED 17

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019

httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-

nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018

httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018

httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-

distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-

ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-

with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-

with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-

downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-

accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019

httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018

httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-

strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-

ransomware-is-detected-healthcare-industry-nyse-ntt-2145268htm

UNCLASSIFIED 18

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Krastev Ventsislav Killswitch File Now Available for GandCrab v412 Ransomware Sensors Tech Forum July 19 2018 httpssensorstechforumcomkillswitch-file-now-available-gandcrab-

v4-1-2-ransomware Boczan Tamas The Evolution of GandCrab Ransomware VMRay Cybersecurity Blog June 5 2018 (updated July 9 2018) httpswwwvmraycomcyber-security-bloggandcrab-ransomware-

evolution-analysis Malwarebytes Labs Malwarebytes Blog GandCrab ransomware distributed by RIG and GrandSoft exploit kits January 30 2018 (updated May 10 2018) httpsblogmalwarebytescomthreat-

analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Biasini Nick with contributions from Lister Nick and Marczewski Christopher Cisco Talos Blog Gandcrab Ransomware Walks its Way onto Compromised Sites May 9 2018

httpsblogtalosintelligencecom201805gandcrab-compromised-siteshtml Duncan Brad SANS Internet Storm Center InfoSec Handlers Dairy Blog Ransomware news GlobeImposter gets a facelift GandCrab is still out there March 7 2018

httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-

gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-

more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails

UNCLASSIFIED 19

UNCLASSIFIED TLPWHITE

3282019

Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace

Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV

Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV

20

UNCLASSIFIED

6212018

Questions

UNCLASSIFIED

UNCLASSIFIED

3282019

TLPWHITE

Image SC Magazine

  • GandCrab Ransomware Update
  • GandCrab ndash Agenda
  • Ransomware ndash WhatWhy
  • GandCrab ndash Introduction
  • GandCrab ndash Updates
  • GandCrab ndash Actor
  • Example
  • Example
  • GandCrab ndash Ransom Notes
  • Infection vectors and persistence
  • GandCrab ndash Versions
  • GandCrab ndash Indicators of compromise
  • GandCrab ndash Yara rule
  • GandCrab ndash Solutions
  • GandCrab ndash Solutions (continued)
  • Do not pay ransom
  • References
  • References
  • References
  • Slide Number 20
Page 14: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab ndash SolutionsContent filtering Deploys to mail server signature-based traffic blockingConfiguration management and strong password policy Periodically review all network hardware devices and applications for configurations develop and enforce

strong password policyEndpoint security Every system in the enterprise should be protectedNetwork traffic analysisNetflow and packet capture Real-time examination of system and network eventsData backup Network cloud redundancy is criticalDecryptors Bit Defender maintains a tool that can decrypt files encrypted by versions 1 4 and 501 through 51

ndash httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-freendash Requires Internet connection and ransom note

Employ a zero-day recovery approachhttpswwwnomoreransomorg

UNCLASSIFIED 14

UNCLASSIFIED TLPWHITE

3282019

Source blogmalwarebytescom

GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash

ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies

Social Engineering ndash User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

UNCLASSIFIED 15

UNCLASSIFIED TLPWHITE

3282019

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

References – Further Reading

• Palmer, Danny. "This Malware Spreading Tool is Back With Some New Tricks." ZDNet, January 18, 2019. https://www.zdnet.com/article/this-malware-spreading-tool-is-back-with-some-new-tricks/
• Palmer, Danny. "Ransomware Warning: The Gang Behind this Virulent Malware Just Changed Tactics Again." ZDNet, March 7, 2019. https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/
• Palmer, Danny. "What is ransomware? Everything You Need to Know About One of the Biggest Menaces on the Web." ZDNet, August 22, 2018. https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/
• Palmer, Danny. "What is Ransomware? Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service." ZDNet, February 8, 2018. https://www.zdnet.com/article/ransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service/
• Palmer, Danny. "Ransomware Crooks Test a New Way to Spread Their Malware." ZDNet, January 31, 2018. https://www.zdnet.com/article/ransomware-crooks-test-a-new-way-to-spread-their-malware/
• Cimpanu, Catalin. "Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year." ZDNet, February 19, 2019. https://www.zdnet.com/article/bitdefender-releases-third-gandcrab-ransomware-free-decrypter-in-the-past-year/
• Botezatu, Bogdan. "Thwarting GandCrab in the New Era of Agile Computer-Jackers." Security Boulevard, March 6, 2019. https://securityboulevard.com/2019/03/thwarting-gandcrab-in-the-new-era-of-agile-computer-jackers/
• Moshailov, Roy. "Threat Profile: GandCrab Ransomware." Morphisec, February 23, 2018. http://blog.morphisec.com/threat-profile-gandcrab-ransomware
• "Threat Landscape Dashboard: GandCrab 5 - Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-5-ransomware.html
• "GandCrab 4 – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-4-ransomware.html
• "GandCrab – Ransomware." McAfee. https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.gandcrab-ransomware.html
• Barth, Bradley. "Third Decryption Tool for GandCrab Ransomware Released to Public." SC Magazine, February 20, 2019. https://www.scmagazine.com/home/security-news/ransomware/third-decryption-tool-for-gandcrab-ransomware-released-to-public/
• "The GandCrab Ransomware Mindset." Check Point Research, March 13, 2018. https://research.checkpoint.com/gandcrab-ransomware-mindset/
• Heller, Michael. "GandCrab ransomware adds NSA tools for faster spreading." TechTarget SearchSecurity, July 11, 2018. https://searchsecurity.techtarget.com/news/252444624/GandCrab-ransomware-adds-NSA-tools-for-faster-spreading
• "Gandcrab Ransomware Actively Spreading in the Wild." SonicWall Security News, May 16, 2018. https://securitynews.sonicwall.com/xmlpost/gandcrab-ransomware-actively-spreading-in-the-wild/
• "GandCrab Ransomware." BtCIRT, February 28, 2019. https://www.btcirt.bt/gandcrab-ransomware/
• "GandCrab and Ursnif Campaign." IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/GandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04
• "GandCrab." New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), January 31, 2018. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/gandcrab
• "GandCrab." The Malware Wiki. http://malware.wikia.com/wiki/GandCrab
• Paganini, Pierluigi. "Experts Released a free Decryption Tool for GandCrab Ransomware." Security Affairs, October 25, 2018. https://securityaffairs.co/wordpress/77392/malware/gandcrab-decryption-tool.html
• "Clean a GandCrab infection using the ESET GandCrab Decryptor." ESET. https://support.eset.com/kb7049/
• "GandCrab Ransomware Decryption Tool." No More Ransom.


References – Further Reading (continued)

• Feeley, Brendon; Hartley, Bex; and Frankoff, Sergei. "PINCHY SPIDER Affiliates Adopt 'Big Game Hunting' Tactics to Distribute GandCrab Ransomware." CrowdStrike, March 6, 2019. https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
• Botezatu, Bogdan. "New GandCrab v5.1 Decryptor Available Now." Bitdefender Labs, February 19, 2019. https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
• Abrams, Lawrence. "GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts." BleepingComputer, February 8, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
• Castillo, Donald. "EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users." Trend Micro, August 20, 2018. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users
• Abrams, Lawrence. "EITest HoeflerText Scam Distributing GandCrab & NetSupport Manager." BleepingComputer, February 28, 2018. https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/
• Abrams, Lawrence. "GandCrab Ransomware Version 2 Released With New .CRAB Extension & Other Changes." BleepingComputer, March 6, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
• Abrams, Lawrence. "GandCrab V4 Released With the New .KRAB Extension for Encrypted Files." BleepingComputer, September 25, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
• Abrams, Lawrence. "GandCrab V5 Released With Random Extensions and New HTML Ransom Note." BleepingComputer, June 3, 2018. https://www.bleepingcomputer.com/news/security/gandcrab-v5-released-with-random-extensions-and-new-html-ransom-note/
• Abrams, Lawrence. "Mail Attachment Builds Malware Downloader from Super Mario Image." BleepingComputer, February 8, 2019. https://www.bleepingcomputer.com/news/security/mail-attachment-builds-malware-downloader-from-super-mario-image/
• Salvio, Joie. "GandCrab V3 Accidentally Locks Systems with New 'Change Wallpaper' Feature." Fortinet Blog, May 4, 2018. https://www.fortinet.com/blog/threat-research/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html
• Costis, Andrew; Cramer, Cathy; Miner, Emily; and Myers, Jared. "CB TAU & CB ThreatSight Threat Analysis: GandCrab and Ursnif Campaign." Carbon Black Threat Analysis Unit, January 24, 2019. https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/
• Botezatu, Bogdan. "GandCrab Ransomware decryption tool." Bitdefender Labs, October 25, 2018. https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
• Hioureas, Vasilios and Segura, Jérôme. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)." Malwarebytes Labs, last updated May 10, 2018. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
• Murphy, Ian. "GandCrab Goes From Mob Attack to Surgical Strike." Enterprise Times, March 8, 2019. https://www.enterprisetimes.co.uk/2019/03/08/gandcrab-goes-from-mob-attack-to-surgical-strike/
• "2017 Cylance Threat Report." Cylance. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
• "Cyber Pulse: The State of Cybersecurity in Healthcare." Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/Healthcare-Survey-Report.pdf
• Fuentes, Maria Rosario. "Cybercrime and Other Threats Faced by the Healthcare Industry." Trend Micro. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
• "Solutionary SERT Q2 Report: 88 Percent of All Ransomware Is Detected in Healthcare Industry." Solutionary (Marketwired press release). http://www.marketwired.com/press-release/solutionary-sert-q2-report-88-percent-all-ransomware-is-detected-healthcare-industry-nyse-ntt-2145268.htm


References – Further Reading (continued)

• Krastev, Ventsislav. "Killswitch File Now Available for GandCrab v4.1.2 Ransomware." SensorsTechForum, July 19, 2018. https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
• Boczan, Tamas. "The Evolution of GandCrab Ransomware." VMRay Cybersecurity Blog, June 5, 2018 (updated July 9, 2018). https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
• Malwarebytes Labs. "GandCrab ransomware distributed by RIG and GrandSoft exploit kits." Malwarebytes Blog, January 30, 2018 (updated May 10, 2018). https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
• Biasini, Nick, with contributions from Lister, Nick and Marczewski, Christopher. "Gandcrab Ransomware Walks its Way onto Compromised Sites." Cisco Talos Blog, May 9, 2018. https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
• Duncan, Brad. "Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there." SANS Internet Storm Center InfoSec Handlers Diary Blog, March 7, 2018. https://isc.sans.edu/diary/23417
• "RE: Gandcrab Downloader: There's More To This Than Meets The Eye." Cyber Security blog - Tools and Malware Analysis, November 8, 2018. https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
• Europol Press Release. "Pay No More: Universal GandCrab Decryption Tool Released for Free on No More Ransom." October 28, 2018. https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
• VirusTotal GandCrab entry. https://www.virustotal.com/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/details


Upcoming Briefs
• Exploit Landscape
• Dark web PHI Marketplace

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3@HHS.GOV.

Requests for Information
Do you need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.

Questions?

Image: SC Magazine

Page 15: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

GandCrab ndash Solutions (continued)Infection vectors ndash GandCrab-specific countermeasures and mitigations Remote Desktop Protocol and Virtual Network Computing ndash Protect credentials and auditlog access Corporate spamphishingmalspam ndash User awareness training and content filtering Exploit kits ndash

ndash User awareness training (visiting untrustedsuspicious websites)ndash Whitelisting and blacklisting websitesndash Implementing intrusion detection technologies

Social Engineering ndash User awareness training

WE DO NOT RECOMMEND PAYING A RANSOM

UNCLASSIFIED 15

UNCLASSIFIED TLPWHITE

3282019

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-

gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-

executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018

httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-

malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-

gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-

era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-

ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-

decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-

ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-

wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-

decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049

UNCLASSIFIED 17

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019

httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-

nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018

httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018

httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-

distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-

ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-

with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-

with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-

downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-

accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019

httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018

httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-

strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-

ransomware-is-detected-healthcare-industry-nyse-ntt-2145268htm

UNCLASSIFIED 18

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Krastev Ventsislav Killswitch File Now Available for GandCrab v412 Ransomware Sensors Tech Forum July 19 2018 httpssensorstechforumcomkillswitch-file-now-available-gandcrab-

v4-1-2-ransomware Boczan Tamas The Evolution of GandCrab Ransomware VMRay Cybersecurity Blog June 5 2018 (updated July 9 2018) httpswwwvmraycomcyber-security-bloggandcrab-ransomware-

evolution-analysis Malwarebytes Labs Malwarebytes Blog GandCrab ransomware distributed by RIG and GrandSoft exploit kits January 30 2018 (updated May 10 2018) httpsblogmalwarebytescomthreat-

analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Biasini Nick with contributions from Lister Nick and Marczewski Christopher Cisco Talos Blog Gandcrab Ransomware Walks its Way onto Compromised Sites May 9 2018

httpsblogtalosintelligencecom201805gandcrab-compromised-siteshtml Duncan Brad SANS Internet Storm Center InfoSec Handlers Dairy Blog Ransomware news GlobeImposter gets a facelift GandCrab is still out there March 7 2018

httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-

gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-

more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails

UNCLASSIFIED 19

UNCLASSIFIED TLPWHITE

3282019

Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace

Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV

Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV

20

UNCLASSIFIED

6212018

Questions

UNCLASSIFIED

UNCLASSIFIED

3282019

TLPWHITE

Image SC Magazine

  • GandCrab Ransomware Update
  • GandCrab ndash Agenda
  • Ransomware ndash WhatWhy
  • GandCrab ndash Introduction
  • GandCrab ndash Updates
  • GandCrab ndash Actor
  • Example
  • Example
  • GandCrab ndash Ransom Notes
  • Infection vectors and persistence
  • GandCrab ndash Versions
  • GandCrab ndash Indicators of compromise
  • GandCrab ndash Yara rule
  • GandCrab ndash Solutions
  • GandCrab ndash Solutions (continued)
  • Do not pay ransom
  • References
  • References
  • References
  • Slide Number 20
Page 16: GandCrab Ransomware Update...GandCrab – Introduction. Gandcrab - Intro First identified on January 26, 2018 It’s a form of ransomware; aggressively updated – Over 500,000 global

Do not pay ransom

We recommend not paying ransom No guarantee files are decrypted and available again It incentivizes future ransomware attacks

Norsk Hydro Suffered from ransomware attack on March 19 2019 Production management systems and equipment was rendered inoperable Described as ldquocripplingrdquo ldquodebilitatingrdquo and ldquodisastrousrdquo Reported $40 million loss in revenue

UNCLASSIFIED 16

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Palmer Danny This Malware Spreading Tool is Back With Some New Tricks ZDNet January 18 2019 httpswwwzdnetcomarticlethis-malware-spreading-tool-is-back-with-some-new-tricks Palmer Danny Ransomware Warning The Gang Behind this Virulent Malware Just Changed Tactics Again ZDNet March 7 2019 httpswwwzdnetcomarticleransomware-warning-the-

gang-behind-this-virulent-malware-just-changed-tactics-again Palmer Danny What is ransomware Everything You Need to Know About One of the Biggest Menaces on the Web ZDNet August 22 2018 httpswwwzdnetcomarticleransomware-an-

executive-guide-to-one-of-the-biggest-menaces-on-the-web Palmer Danny What is Ransomware Ransomware Gets Easier for Would-Be Crooks as Developers Offer Malware-As-A-Service ZDNet February 8 2018

httpswwwzdnetcomarticleransomware-gets-easier-for-would-be-crooks-easier-as-developers-offer-malware-as-a-service Palmer Danny Ransomware Crooks Test a New Way to Spread Their Malware ZDNet January 31 2018 httpswwwzdnetcomarticleransomware-crooks-test-a-new-way-to-spread-their-

malware Cimpanu Catalin Bitdefender Releases Third GandCrab Ransomware Free Decrypter in the Past Year ZDNet February 19 2019 httpswwwzdnetcomarticlebitdefender-releases-third-

gandcrab-ransomware-free-decrypter-in-the-past-year Botezatu Bogdan Thwarting GandCrab in the New Era of Agile Computer-Jackers Security Boulevard March 6 2019 httpssecurityboulevardcom201903thwarting-gandcrab-in-the-new-

era-of-agile-computer-jackers Moshailov Roy Threat Profile GandCrab Ransomware Morphisec February 23 2018 httpblogmorphiseccomthreat-profile-gandcrab-ransomware Threat Landscape Dashboard GandCrab 5 - Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-5-

ransomwarehtml GandCrab 4 ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-4-ransomwarehtml GandCrab ndash Ransomware McAfee httpswwwmcafeecomenterpriseen-usthreat-centerthreat-landscape-dashboardransomware-detailsgandcrab-ransomwarehtml Barth Bradley Third Decryption Tool for GandCrab Ransomware Released to Public SC Magazine February 20 2019 httpswwwscmagazinecomhomesecurity-newsransomwarethird-

decryption-tool-for-gandcrab-ransomware-released-to-public The GandCrab Ransomware Mindset Checkpoint March 13 2018 httpsresearchcheckpointcomgandcrab-ransomware-mindset Heller Michael GandCrab ransomware adds NSA tools for faster spreading Tech Target Search Security July 11 2018 httpssearchsecuritytechtargetcomnews252444624GandCrab-

ransomware-adds-NSA-tools-for-faster-spreading Gandcrab Ransomware Actively Spreading in the Wild Soincwall Security News May 16 2018 httpssecuritynewssonicwallcomxmlpostgandcrab-ransomware-actively-spreading-in-the-

wild GandCrab Ransomware BtCIRT February 28 2019 httpswwwbtcirtbtgandcrab-ransomware GandCrab and Ursnif Campaign IBM X-Force Exchange httpsexchangexforceibmcloudcomcollectionGandCrab-and-Ursnif-Campaign-5ada0685f6645ba53c64955d80c90f04 GandCrab The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) January 31 2018 httpswwwcybernjgovthreat-profilesransomware-variantsgandcrab GandCrab The Malware Wiki httpmalwarewikiacomwikiGandCrab Paganini Pierluigi Experts Released a free Decryption Tool for GandCrab Ransomware Security Affairs October 25 2018 httpssecurityaffairscowordpress77392malwaregandcrab-

decryption-toolhtml Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049 GandCrab Ransomware Decryption Tool No More Ransom Clean a GandCrab infection using the ESET GandCrab Decryptor ESET httpssupportesetcomkb7049

UNCLASSIFIED 17

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading FeeleyBrendon Hartley Bex and Frankoff Sergei PINCHY SPIDER Affiliates Adopt ldquoBig Game Huntingrdquo Tactics to Distribute GandCrab Ransomware March 6 2019

httpswwwcrowdstrikecomblogpinchy-spider-adopts-big-game-hunting Botezatu Bogdan New GandCrab v51 Decryptor Available Now Bit Defender February 19 2019 httpslabsbitdefendercom201902new-gandcrab-v5-1-decryptor-available-

nowcid=soc7Cc7ctw7CGandCrab Abrams Lawrence GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts BleepingComputer February 8 2018

httpswwwbleepingcomputercomnewssecuritygandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts Castillo Donald EGG Files in Spam Delivers GandCrab v43 Ransomware to South Korean Users Trend Micro August 20 2018

httpswwwtrendmicrocomvinfoussecuritynewscybercrime-and-digital-threats-egg-files-in-spam-delivers-gandcrab-v4-3-ransomware-to-south-korean-users Abrams Lawrence EITest HoeflerText Scam Distributing GandCrab amp Netsupport Manager February 28 2018 httpswwwbleepingcomputercomnewssecurityeitest-hoeflertext-scam-

distributing-gandcrab-and-netsupport-manager Abrams Lawrence GandCrab Ransomware Version 2 Released With New Crab Extension amp Other Changes March 6 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-

ransomware-version-2-released-with-new-crab-extension-and-other-changes Abrams Lawrence GandCrab V4 Released With the New KRAB Extension for Encrypted Files September 25 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v4-released-

with-the-new-krab-extension-for-encrypted-files Abrams Lawrence GandCrab V5 Released With Random Extensions and New HTML Ransom Note June 3 2018 httpswwwbleepingcomputercomnewssecuritygandcrab-v5-released-

with-random-extensions-and-new-html-ransom-note Abrams Lawrence Mail Attachment Builds Malware Downloader from Super Mario Image February 8 2019 httpswwwbleepingcomputercomnewssecuritymail-attachment-builds-malware-

downloader-from-super-mario-image Salvio Joie GandCrab V3 Accidentally Locks Systems with New lsquoChange Wallpaperrsquo Feature Fortinet Blog May 4 2018 httpswwwfortinetcomblogthreat-researchgandcrab-v3-

accidentally-locks-systems-with-new--change-wallpapehtml Costis Andrew Cramer Cathy Miner Emily Myers Jared CB TAU amp CB ThreatSight Threat Analysis GandCrab and Ursnif Campaign Carbon Black Threat Analysis Unit January 24 2019

httpswwwcarbonblackcom20190124carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign Botezatu Bogdan GandCrab Ransomware decryption tool Bit Defender October 25 2018 httpslabsbitdefendercom201810gandcrab-ransomware-decryption-tool-available-for-free Hioueras Vasilios and Segura Jeacuterocircme GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) Malwarebytes Labs Last updated May 10 2018

httpsblogmalwarebytescomthreat-analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Murphy Ian GandCrab Goes From Mob Attack to Surgical Strike Enterprise Times March 8 2019 httpswwwenterprisetimescouk20190308gandcrab-goes-from-mob-attack-to-surgical-

strike 2017 Cylance Threat Report httpspagescylancecom2018-03CylanceThreatReport2017html Kaspersky Cyber Pulse The State of Cybersecurity in Healthcare httpsgokasperskycomrs802-IJN-240imagesHealthcare-Survey-Reportpdf Fuentes Maria Rosario Cybercrime and Other Threats Faced by the Healthcare Industry Trend Micro httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf Solutionary SERT Q2 Report 88 Percent of All Ransomware Is Detected in Healthcare Industry httpwwwmarketwiredcompress-releasesolutionary-sert-q2-report-88-percent-all-

ransomware-is-detected-healthcare-industry-nyse-ntt-2145268htm

UNCLASSIFIED 18

UNCLASSIFIED TLPWHITE

3282019

ReferencesReferencesFurther Reading Krastev Ventsislav Killswitch File Now Available for GandCrab v412 Ransomware Sensors Tech Forum July 19 2018 httpssensorstechforumcomkillswitch-file-now-available-gandcrab-

v4-1-2-ransomware Boczan Tamas The Evolution of GandCrab Ransomware VMRay Cybersecurity Blog June 5 2018 (updated July 9 2018) httpswwwvmraycomcyber-security-bloggandcrab-ransomware-

evolution-analysis Malwarebytes Labs Malwarebytes Blog GandCrab ransomware distributed by RIG and GrandSoft exploit kits January 30 2018 (updated May 10 2018) httpsblogmalwarebytescomthreat-

analysis201801gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits Biasini Nick with contributions from Lister Nick and Marczewski Christopher Cisco Talos Blog Gandcrab Ransomware Walks its Way onto Compromised Sites May 9 2018

httpsblogtalosintelligencecom201805gandcrab-compromised-siteshtml Duncan Brad SANS Internet Storm Center InfoSec Handlers Dairy Blog Ransomware news GlobeImposter gets a facelift GandCrab is still out there March 7 2018

httpsiscsansedudiary23417 Cyber Security blog - Tools and Malware Analysis RE Gandcrab Downloader Theres More To This Than Meets The Eye November 8 2018 httpstccontreblogspotcom201811re-

gandcrab-downloader-theres-more-tohtml Europol Press Release Pay No More Universal GandCrab Decryption Tool Released for Free on No More Ransom Oct 28 2018 httpswwweuropoleuropaeunewsroomnewspay-no-

more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom VirusTotal GandCrab entry httpswwwvirustotalcomfile69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1ddetails

UNCLASSIFIED 19

UNCLASSIFIED TLPWHITE

3282019

Upcoming Briefsbull Exploit Landscapebull Dark web PHI Marketplace

Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide their feedback to HC3HHSGOV

Requests for InformationDo you need information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV

20

UNCLASSIFIED

6212018

Questions

UNCLASSIFIED

UNCLASSIFIED

3282019

TLPWHITE

Image SC Magazine

  • GandCrab Ransomware Update
  • GandCrab ndash Agenda
  • Ransomware ndash WhatWhy
  • GandCrab ndash Introduction
  • GandCrab ndash Updates
  • GandCrab ndash Actor
  • Example
  • Example
  • GandCrab ndash Ransom Notes
  • Infection vectors and persistence
  • GandCrab ndash Versions
  • GandCrab ndash Indicators of compromise
  • GandCrab ndash Yara rule
  • GandCrab ndash Solutions
  • GandCrab ndash Solutions (continued)
  • Do not pay ransom
  • References
  • References
  • References
  • Slide Number 20