Threat Research

GandCrab Ransomware: IOCs & Threat Analysis

By Joie Salvio and Artem Semenchenko | March 16, 2018

GandCrab is the first ransomware to hit the spotlight this year. Known as the first ransomware to use DASH cryptocurrency as a payment, it has hit more than 50,000 victims according to a report from Europol.

A few weeks ago, with the collaboration of Europol, Bitdefender found a loophole and released a decryption tool for the first version (with .GDCB extension) of GandCrab. Authors of the malware then reacted by releasing version 2.0, claiming to have secured their command-and-control (C2) infrastructure.

As we monitored this malware, our system detected a new variant of GandCrab containing information that led to a situation almost as strange as it is humorous.

What is GandCrab and How Does it Work?

GandCrab uses an RSA algorithm to encrypt victims’ files, and then adds “.GDCB” and “.CRAB” to their extensions. This means the only way to decrypt the files is with the private key, which is encrypted and sent to the malware’s command-and-control server. The victim then must pay the ransom of 400USD in DASH currency, moving away from usual cryptocurrencies such as Bitcoin, Ethereum, and Monero.

This malware uses the “.bit” top-level-domain (TLD) for its C2 servers. Dot-bit aims to use blockchain technology to decentralize DNS, which entails added privacy and security. However, since TLD is not regulated by the Internet Corporation for Assigned Names and Numbers (ICANN), in order to resolve these domains a DNS query must be performed on servers that support it. In the past, GandCrab used dns1.doprodns.ru and a.dnspod.com for this.

Fig.1 GandCrab ransom note dropped in directories
Fig.2 GandCrab TOR-hosted payment page requires DASH currency

A GandCrab Deep Dive Leads to a Strange Situation

Before this malware starts encrypting a victim’s files, basic information (computer name, user name, language, etc.) is gathered for identification. B64-encoded RSA public and private keys, which are used to encrypt files, are then added to this information before it is sent to the C2 server.

As we were analyzing a new GandCrab variant caught by our system, we noticed what seemed to be a new field of information found inside the same function. The added hardcoded “&advert=+380668846667” can be seen in the image below.

Fig.3 Screenshot of the victim info assembly function with the new “advert” info

At first, we assumed this to be some kind of referral or affiliate ID, which is commonly used to reward the distributors of the malware. However, it was not included in the information being sent to the C2 server, making our first assumption illogical. So basically, it just seemed to be a dummy string for a personal agenda, which wouldn’t be unusual for GandCrab. In fact, after the aforementioned decryption tool was released, the authors changed some domain names of their C2s to politiaromana.bit and malwarehunterteam.bit to honor (or mock) the participants of the project.

After some basic digging on the numeric part of the field, “+380668846667”, we finally came across a thread from the Russian hacking site forum.exploit.in. This thread was started by a certain member nicknamed “Shut Up,” who was apparently asking for donations for “sick children.” It was baffling to find such a plea in this sort of criminal community. This might be the same reason why the other members were skeptical and decided to investigate.

In the next screenshot of details gathered by one of the members, the contact number is listed as one of the accounts registered to an account in a payment system called Qiwi.

Fig.4 Forum member reveals info about the poster

Ultimately, the forum concluded it was a scam because they were able to link the poster to a previously banned account, and that started a hate train mainly due to the sensitive topic of the scam. That led to threats against the alleged scammer from the members, including from someone with a “GandCrab” moniker. While forum members were suggesting several punishment methods, apparently the ransomware author chose to offer a reward for the scammer’s punishment and then publicized the contact number by adding it to their code.

Fig.5 GandCrab “seller” offers reward for the scammer’s punishment
Fig.6 Conversation where GandCrab hints he added the contact to the code

Conclusion

Discovering changes between malware variants can sometimes reveal relevant information about the malware operation that could be used for mitigation strategies. And sometimes, strange as it seems, an investigation might just lead to a dead-end with nothing but a good story to tell. However, it is always important to investigate and verify.

As always, FortiGuard will be constantly monitoring this threat for any changes.

-= FortiGuard Lion Team =-

IOCs for GandCrab Ransomware

Files

  • 95256aed4298a4732ed25a114c0b4c1cbad691bba2831dad81b40b3f9304afa0 (packed) –
    W32/GandCrab.KAD!tr.ransom

  • b3f0633706a574ca8e2e429ffad50b769148ec0f5bd75adb1f9cc38b485e2cff (unpacked) –
    W32/GandCrab.KAD!tr.ransom

Network

  • politiaromana.bit

  • malwarehunterteam.bit

  • gdcb.bit

  • gandcrab.bit

  • nomoreransom.coin

  • nomoreransom.bit

  • ns1.virmach.ru (DNS server)

  • ns2.virmach.ru (DNS server)

Sign up for our weekly FortiGuard intel briefs.