The history of GandCrab and its future

Since the GandCrab ransomware first appeared in January 2018, it has undergone rapid development.

Information provided by McAfee's Advanced Threat Research team suggests that GandCrab is not professionally developed and often contains bugs. It uses a number of attack vectors to gain a foothold on victim systems, including remote desktop connections, phishing emails, legitimate applications that have been trojanized with malicious code, and delivery as a payload of various exploit kits.

GandCrab uses several entry vectors:

  • Remote desktop connections with weak security, or RDP access bought on underground forums
  • Phishing emails with links or attachments
  • Trojanized legitimate programs that contain the malware, or that download and launch it
  • Exploit kits such as RigEK and others

GandCrab uses the following MITRE ATT&CK techniques:

  • File deletion
  • System information discovery
  • Execution through API
  • Execution through WMIC
  • Application process discovery: to detect antimalware and security products as well as normal programs
  • Query registry: to get information about keys that the malware needs to create or read
  • Modify registry
  • File and directory discovery: to search for files to encrypt
  • Encrypt files
  • Process discovery: enumerating all processes on the endpoint in order to terminate specific ones
  • Create files
  • Elevation of privileges

McAfee has published the results of its reverse engineering of GandCrab versions 4.0 through 4.2.

Indicators of Compromise

Hashes

  • 9a80f1866450f2f10fa69b1eb8747c344d6ef038468014c59cc50497f9e4675d
  • d9466be5c387eb2fbf619a8cd0922b167ea7fa06b63f13cd330ca974cae1d513
  • 43b57d2b16c44041916f3b0562712d5dca4f8a42bc00f00a023b4a0788d18276
  • 786e3c693fcdf55466fd6e5446de7cfeb58a4311442e0bc99ce0b0985c77b45d
  • f5e74d939a5b329dddc94b75bd770d11c8f9cc3a640dccd8dff765b6997809f2
  • 8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1
  • e454123d852e6a40eed1f2552e1a1ad3c00991541d812fbf24b70611bd1ec40a
  • 0aef79fac6331f9eca49e711291ac116e7f6fbaeb5a1f3eb7fea9e2e4ec6a608
  • 3277c1649972ab5b43ae9e87087b70ea4825956bfdddd1034f7b0680e6d46efa
  • a92af825bd95b6514f22dea08a4eb6d3491cbad45e69a5b9653b0148ee9f9832
  • ce093ffa19f020a2b73719f653b5e0423df28ef1d59035d55e99154a85c5c668
  • a1aae5ae7a3722b83dc1c9b0831c973641b246808de4f3670f2fd916cf498d38
  • 3b0096d6798b1887cffa1288583e93f70e656270119087ceb2f832b69b89260a
  • e8e948e36fed93061062406693d1b2c402dd8e5788506bfbb50dbd86a5540829

Domain (Tor .onion address)
gandcrabmfe6mnef.onion
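As a practical use of the indicators above, here is an added example (it is not McAfee's code and not part of the original report) that hashes every regular file under a directory and checks the digest against the SHA-256 list, and that scans log lines for the .onion address as a whole domain label rather than a loose substring. The files and log lines in demo() are constructed for illustration; the extra digest added in demo() is the hash of a constructed file used only to exercise the hit path, not a GandCrab indicator.

```python
"""Match the GandCrab IOCs listed above against files on disk and log lines.

Added example, not McAfee's code. Sample files and log lines in demo() are
constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 hashes from the IOC list above (lowercase hex).
GANDCRAB_SHA256 = frozenset({
    "9a80f1866450f2f10fa69b1eb8747c344d6ef038468014c59cc50497f9e4675d",
    "d9466be5c387eb2fbf619a8cd0922b167ea7fa06b63f13cd330ca974cae1d513",
    "43b57d2b16c44041916f3b0562712d5dca4f8a42bc00f00a023b4a0788d18276",
    "786e3c693fcdf55466fd6e5446de7cfeb58a4311442e0bc99ce0b0985c77b45d",
    "f5e74d939a5b329dddc94b75bd770d11c8f9cc3a640dccd8dff765b6997809f2",
    "8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1",
    "e454123d852e6a40eed1f2552e1a1ad3c00991541d812fbf24b70611bd1ec40a",
    "0aef79fac6331f9eca49e711291ac116e7f6fbaeb5a1f3eb7fea9e2e4ec6a608",
    "3277c1649972ab5b43ae9e87087b70ea4825956bfdddd1034f7b0680e6d46efa",
    "a92af825bd95b6514f22dea08a4eb6d3491cbad45e69a5b9653b0148ee9f9832",
    "ce093ffa19f020a2b73719f653b5e0423df28ef1d59035d55e99154a85c5c668",
    "a1aae5ae7a3722b83dc1c9b0831c973641b246808de4f3670f2fd916cf498d38",
    "3b0096d6798b1887cffa1288583e93f70e656270119087ceb2f832b69b89260a",
    "e8e948e36fed93061062406693d1b2c402dd8e5788506bfbb50dbd86a5540829",
})

# Domain IOC from the list above. The regex requires the domain to stand as a
# whole label sequence: "host=x.gandcrabmfe6mnef.onion" matches, but a longer
# label such as "notgandcrabmfe6mnef.onion" does not.
GANDCRAB_DOMAINS = ("gandcrabmfe6mnef.onion",)
_DOMAIN_RE = re.compile(
    r"(?<![a-z0-9-])(?:" + "|".join(re.escape(d) for d in GANDCRAB_DOMAINS) + r")(?![a-z0-9-])",
    re.IGNORECASE,
)

# Constructed log lines for the demo; not real telemetry.
SAMPLE_LOG_LINES = [
    "2018-07-10T12:00:01Z dns query client=10.0.0.5 name=update.example.com",
    "2018-07-10T12:00:02Z dns query client=10.0.0.5 name=gandcrabmfe6mnef.onion",
    "2018-07-10T12:00:03Z proxy deny client=10.0.0.7 host=GANDCRABMFE6MNEF.ONION",
]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_gandcrab_hash(digest):
    """Case-insensitive lookup against the published SHA-256 list."""
    return digest.strip().lower() in GANDCRAB_SHA256


def scan_directory(root, iocs=GANDCRAB_SHA256):
    """Return (path, sha256) for every regular file under root whose hash is in iocs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest))
    return hits


def find_domain_hits(log_lines):
    """Return the log lines that reference an IOC domain."""
    return [line for line in log_lines if _DOMAIN_RE.search(line)]


def demo():
    """Build a constructed directory, scan it, and scan the constructed log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "report.txt").write_bytes(b"quarterly numbers\n")
        suspect = Path(tmp) / "invoice.exe"
        suspect.write_bytes(b"MZ constructed sample, not real malware\n")
        real_hits = scan_directory(tmp)  # nothing here has a listed hash
        # Add the constructed file's own digest (NOT a GandCrab IOC) to show a hit.
        demo_hits = scan_directory(tmp, GANDCRAB_SHA256 | {sha256_file(suspect)})
    log_hits = find_domain_hits(SAMPLE_LOG_LINES)
    return real_hits, [os.path.basename(p) for p, _ in demo_hits], log_hits


if __name__ == "__main__":
    real, demo_names, logs = demo()
    print("real IOC file hits:", real)
    print("demo file hits:", demo_names)
    print("domain hits:", *logs, sep="\n  ")
```

Hash matching only catches the exact samples McAfee analysed; a repacked build of the same version produces a different digest, so treat a hit as confirmation and a miss as no evidence either way. The domain check is cheap to run over DNS and proxy logs, where a workstation trying to resolve a .onion name directly is itself worth a look.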