SamSam and GandCrab Illustrate Evolution of Ransomware
19.11.2018 securityweek
Ransomware

2018 has seen a major divergence in the operation of ransomware: targeted versus ransomware as a service (RaaS). Two particular malware families have dominated each branch: SamSam (targeted) and GandCrab (RaaS). Targeted seeks high ransoms from relatively few victims, while RaaS seeks relatively small ransoms from a large number of victims.

The reason for the divergence is improving defenses against ransomware. The original spray-gun method of infection is no longer as effective as it used to be. User defenses against the malware are more effective, while decryptors are rapidly developed and made available to victims via the NoMoreRansom website and from other security firms.

RaaS emerged as a model to allow the malware developers to concentrate on software development and staying ahead of the defenders while selling or renting their product to multiple distributors -- regardless of the distributors' level of technical capability. By maintaining continuous improvement, the RaaS model ensures that the spray gun approach continues to be viable for the criminals.

The targeted approach is typified by SamSam. Since it is harder to automatically infect a system -- and even harder to automatically infect enough of a corporate network to make extortion viable -- the targeted approach aims to breach the network first, reconnoiter the infrastructure, and then encrypt the key areas to deliver maximum disruption to the whole network.

Both approaches have proven effective throughout 2018. Probably the best-known successful SamSam attack was the one delivered against the City of Atlanta in March 2018. The ransom was reportedly set at around $50,000 -- which the City declined to pay. However, as the city budget was being prepared in June, Daphne Rackley, the head of information management in Atlanta, announced that her department would need an additional $9.5 million because of the ransomware.

Public information on SamSam attacks is limited. Many victims simply pay the ransom. However, by following the money and tracking the bitcoin wallets used by the attackers, Sophos estimated in July 2018 that more than 230 victims had paid the ransom, and the criminals had netted nearly $6 million since SamSam first appeared in early 2016. In its latest report (PDF), Sophos estimates that total income from paid SamSam ransoms now exceeds $6.5 million.

The business model has proven so successful that SamSam is no longer the only ransomware used in highly targeted attacks against medium and large-scale organizations. Sophos points to two others in particular: BitPaymer and Ryuk. All three of these ransomware families target the Remote Desktop Protocol (RDP).

BitPaymer has been tied by ESET to the Dridex gang. Sophos suggests that there are multiple attacks per week, and that successful infections charge anything between $50,000 and $1 million for decryption.

Ryuk has been tied to the North Korean Lazarus group by Check Point. Like BitPaymer, it is seen in multiple attacks per week. Ryuk charges victims around $100,000 for decryption. As with SamSam, there is no known decryptor for BitPaymer or Ryuk.

Sophos likens targeted ransomware to a cat burglar, and commodity RaaS ransomware to smash-and-grab raiding. In July 2018, Malwarebytes described GandCrab as the king of ransomware because it is the most prolific. It is commodity ransomware that tries to infect anything it comes across, and is delivered via RDP, by email, and by exploit kits. In contrast to the high ransoms demanded by targeted malware, GandCrab will demand as (relatively) little as $1,000 (going up to $8,000) from its victims.

Tamas Boczan, senior threat analyst at VMRay, has been tracking the evolution of GandCrab, and delivered a presentation on the subject on Friday, November 16 at the GREHack conference in Grenoble, France. He describes the attack vectors as various downloaders (JavaScript, Doc, encrypted doc) attached to emails, drive-by exploit kit downloads, and RDP brute-forcing. At the time of writing, Shodan finds 2,543,202 instances for 'remote desktop'.
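RDP brute-forcing is the vector the article keeps returning to, for SamSam, BitPaymer and Ryuk as well as GandCrab, so the defender-side check worth having is one that spots a burst of failed RDP logons followed by a success from the same source. The following is an added example, not code from the article, Sophos or VMRay; it runs over constructed sample lines in a simplified rendering of Windows Security events 4625/4624 (the real event XML carries the same fields under different names), and the threshold and window are assumed values to be tuned locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): simplified Windows Security events.
# 4625 = failed logon, 4624 = successful logon, LogonType=10 = RDP (RemoteInteractive).
SAMPLE_LOG = """\
2018-11-16T10:00:01 4625 LogonType=10 User=admin Source=203.0.113.5
2018-11-16T10:00:03 4625 LogonType=10 User=administrator Source=203.0.113.5
2018-11-16T10:00:04 4625 LogonType=10 User=backup Source=203.0.113.5
2018-11-16T10:00:06 4625 LogonType=10 User=admin Source=203.0.113.5
2018-11-16T10:00:09 4625 LogonType=10 User=Administrator Source=203.0.113.5
2018-11-16T10:01:30 4624 LogonType=10 User=Administrator Source=203.0.113.5
2018-11-16T10:05:00 4625 LogonType=10 User=jsmith Source=198.51.100.7
2018-11-16T10:21:00 4624 LogonType=10 User=jsmith Source=198.51.100.7
2018-11-16T10:30:00 4625 LogonType=2 User=jdoe Source=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
                     r"User=(?P<user>\S+) Source=(?P<src>\S+)$")

def parse_events(text):
    """Parse the simplified log into dicts, skipping lines that do not match."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside `window`; later_success
    marks a successful RDP logon from that source after the burst began, which is
    the case to treat as a probable compromise rather than noise."""
    failures, successes = defaultdict(list), defaultdict(list)
    buckets = {"4625": failures, "4624": successes}
    for e in events:
        if e["ltype"] == "10" and e["event"] in buckets:  # RDP sessions only
            buckets[e["event"]][e["src"]].append(e)
    hits = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:  # burst found
                hits[src] = {"failures": len(evs),
                             "users": sorted({e["user"] for e in evs}),
                             "later_success": any(s["ts"] > evs[i]["ts"] for s in successes[src])}
                break
    return hits
```

On the sample, only 203.0.113.5 is flagged: five distinct-account failures in eight seconds and then a successful Administrator logon, while the single failure from 198.51.100.7 and the non-RDP failure from 192.0.2.9 are ignored.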

Boczan traces the evolution of GandCrab, and the cat-and-mouse battle it has with defenders. On February 28, 2018, after law enforcement allegedly gained access to GandCrab C2s, BitDefender developed a decryptor for GandCrab v.1, and provided it to the NoMoreRansom website. On March 5, just one week later, the GandCrab developer released a new version, providing better protection of C2s, changing the encrypted file extension to .CRAB, performing kernel-mode AV checking, and -- most importantly -- mitigating the decryptor.

By July 2018, GandCrab had evolved into version 4. This version introduced new Salsa encryption, encrypted network shares, changed the extension to .KRAB, and removed itself on completion. Within days, version 4.1 was released, using hacked websites disguised as download sites for cracked applications. An analysis by Fortinet concluded that it may have been an experimental version, and that claims that it and version 4 could spread via the EternalBlue exploit were simply wrong.

Then followed a strange tit-for-tat between the GandCrab developer and South Korean firm AhnLab. AhnLab released a vaccine for GandCrab. GandCrab retaliated -- supposedly within hours -- by releasing an alleged zero-day against AhnLab's anti-virus product. "Their killswitch has became useless in only few hours," the GandCrab developer told Bleeping Computer. His own exploit, however, would be a "reputation hole for ahnlab for years."

The dispute became moot, however, with the release of GandCrab version 5 at the end of September. Versions 5.01 and 5.02 and 5.03 followed quickly. At this point, only version 1 had a decryptor available (although other vaccines appeared after AhnLab's original vaccine). On October 25, BitDefender announced a new decryptor for versions 1, 4 and 5.

"Twelve hours later," said Boczan in his GREHack presentation, "a new version." He describes the current state as no decryptor, challenging to track because of the packer, random file extension, less obvious C2 connection, and some chance for privilege escalation.

SamSam and GandCrab illustrate the evolution of the ransomware threat. Targeted attacks such as those by SamSam take more effort and require skilled adversaries, but generate much larger payouts. Given that the standard advice to companies is that it is not a question of whether you will be hacked but of when, this threat is more likely to increase than decrease. Effectively, any medium or large organization is a potential target.

RaaS -- typified by GandCrab -- is a business run on business lines. GandCrab is rapidly and effectively supported with new versions very soon after any setback. It forms alliances with other criminals and even ran an underground competition before selecting NTCrypt as a crypter service partner. This too shows no sign of slowing.