Threat Research

GandCrab: Honor among Thieves?

By Joie Salvio and Artem Semenchenko | March 16, 2018

GandCrab is the first ransomware to hit the spotlight this year. Known as the first ransom malware to use DASH cryptocurrency as a payment, it has hit more than 50,000 victims according to a report from Europol.

A few weeks ago, with the collaboration of Europol, Bitdefender found a loophole and released a decryption tool for the first version (with .GDCB extension) of GandCrab. Authors of the malware then reacted by releasing version 2.0, claiming to have secured their command-and-control (C2) infrastructure.

As we monitored this malware, our system detected a new variant of GandCrab containing information that led to a situation almost as strange as it is humorous.

GandCrab in a Nutshell

GandCrab uses an RSA algorithm to encrypt victim’s files, and then adds “.GDCB” and “.CRAB” to their extensions. This means the only way to decrypt the files is with the private key, which is encrypted and sent to the malware’s command-and-control server. The victim then must pay the ransom of 400USD in DASH currency, moving away from usual cryptocurrencies such as Bitcoin, Ethereum, and Monero.

This malware uses the “.bit” top-level-domain (TLD) for its C2 servers. Dot-bit aims to use blockchain technology to decentralize DNS, which entails added privacy and security. However, since TLD is not regulated by the Internet Corporation for Assigned Names and Numbers (ICANN), in order to resolve these domains a DNS query must be performed on servers that support it. In the past, GandCrab used dns1.doprodns.ru and a.dnspod.com for this.

Fig.1 GandCrab ransom note dropped in directories
Fig.2 GandCrab TOR-hosted payment page requires DASH currency

Strange Info Leads to Stranger Situation

Before this malware starts encrypting a victim’s files, basic information (computer name, user name, language, etc.) is gathered for identification. B64-encoded RSA public and private keys, which are used to encrypt files, are then added to this information before it is sent to the C2 server.

 As we were analysing a new GandCrab variant caught by our system, we noticed what seemed to be a new field of information found inside the same function. The added hardcoded “&advert=+380668846667” can be seen in the below.

Fig.3 Screenshot of the victim info assembly function with the new “advert” info

At first, we assumed this to be some kind of a referral or affiliate ID, which is commonly used to reward the distributors of the malware. However, it was not included in the information being sent to the C2 server, making our first assumption illogical. So basically, it just seemed to be a dummy string for a personal agenda, which wouldn’t be unusual for GandCrab. In fact, after the aforementioned decryption tool was released, the authors changed some domain names of their C2’s to politiaromana.bit and malwarehunterteam.bit to honour (or mock) the participants of the project.

After some basic digging on the numeric part of the field, “+380668846667”, we finally came across a thread from the Russian hacking site forum.exploit.in. This thread was started by a certain member nicknamed “Shut Up,” who was apparently asking for donations for “sick children.” It was baffling to find such a plea in this sort of criminal community. This might be the same reason for the other members to be sceptics and do investigation.

In the next screenshot of details gathered by one of the members, the contact number is listed as one of the accounts registered to an account in a payment system called Qiwi.

Fig.4 Forum member reveals info about the poster

Ultimately, the forum concluded it was a scam because they were able to link the poster to a previously banned account, and that started a hate train mainly due to the sensitive topic for the scam. That led to threats against the alleged scammer from the members, including from someone with a “GandCrab” moniker. While forum members were suggesting several punishment methods, apparently the ransomware author chose to offer a reward for the scammer’s punishment and then publicized the contact number by adding it to their code.

Fig.5 GandCrab “seller” offers reward for the scammer’s punishment
Fig.6 Conversation where GandCrab hints he added the contact to the code

Conclusion

Discovering changes between malware variants can sometimes reveal relevant information about the malware operation that could be used for mitigation strategies. And sometimes, strange as it seems, an investigation might just lead to a dead-end with nothing but a good story to tell. However, it is always important to investigate and verify.

As always, FortiGuard will be constantly monitoring this threat for any changes.

-= FortiGuard Lion Team =-

IOC

Files

95256aed4298a4732ed25a114c0b4c1cbad691bba2831dad81b40b3f9304afa0 (packed) –
W32/GandCrab.KAD!tr.ransom

b3f0633706a574ca8e2e429ffad50b769148ec0f5bd75adb1f9cc38b485e2cff (unpacked) –
W32/GandCrab.KAD!tr.ransom

Network

politiaromana.bit

malwarehunterteam.bit

gdcb.bit

gandcrab.bit

nomoreransom.coin

nomoreransom.bit

ns1.virmach.ru (DNS server)

ns2.virmach.ru (DNS server)

 

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.