Since it first appeared in January 2018, the GandCrab ransomware has undergone rapid development.
Information provided by McAfee's Advanced Threat Research team suggests that GandCrab is not developed professionally and often contains bugs. It exploits a number of attack vectors to gain a foothold on victim systems, including remote desktop connections, phishing emails, legitimate applications that have been infected with malicious code, and delivery as the payload of various exploit kits.
GandCrab uses several entry vectors:
- Remote desktop connections with weak security or bought in underground forums
- Phishing emails with links or attachments
- Trojanized legitimate programs containing the malware, or downloading and launching it
- Exploit kits such as RigEK and others
GandCrab uses the following MITRE ATT&CK techniques:
- File deletion
- System information discovery
- Execution through API
- Execution through WMIC
- Application process discovery: to detect antimalware and security products as well as normal programs
- Query registry: to get information about keys that the malware needs to create or read
- Modify registry
- File and directory discovery: to search for files to encrypt
- Encrypt files
- Process discovery: enumerating all processes on the endpoint to kill some special ones
- Create files
- Elevation of privileges
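The technique list above is what a detection engineer maps endpoint telemetry against. The following is an added example, not code from McAfee or from the original page: it applies simple rules to a constructed set of process, registry and file events and tags each host with the techniques from the list that the events evidence (WMIC execution from an unusual parent, a Run-key write, a burst of file renames, and termination of several other processes). The event schema, the trusted-parent set, the thresholds and all sample values are assumptions made for the example.

```python
"""Tag hosts with GandCrab-style techniques from constructed endpoint events.

Assumed event schema (hypothetical, not from the page): one dict per event with
'host', 'event' kind, acting 'proc', its 'parent', and a 'target' string.
"""
from collections import defaultdict

# Assumed: parents from which wmic.exe is routinely launched by administrators.
TRUSTED_WMIC_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "services.exe"}
RUN_KEY_FRAGMENT = "\\currentversion\\run"   # autorun key substring (lower-case)
RENAME_THRESHOLD = 20   # assumed: renames by one process before we call it encryption
KILL_THRESHOLD = 3      # assumed: distinct processes terminated by one process

# Constructed sample telemetry: not real GandCrab logs. 'invoice.exe' is a
# placeholder name for an unknown process; '.locked' is an invented extension.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process_create", "proc": "wmic.exe",
     "parent": "invoice.exe", "target": ""},
    {"host": "ws01", "event": "registry_set", "proc": "invoice.exe", "parent": "explorer.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    *[{"host": "ws01", "event": "file_rename", "proc": "invoice.exe", "parent": "explorer.exe",
       "target": f"C:\\Users\\a\\Documents\\doc{i}.docx.locked"} for i in range(25)],
    {"host": "ws01", "event": "process_terminate", "proc": "invoice.exe",
     "parent": "explorer.exe", "target": "av_agent.exe"},
    {"host": "ws01", "event": "process_terminate", "proc": "invoice.exe",
     "parent": "explorer.exe", "target": "db_server.exe"},
    {"host": "ws01", "event": "process_terminate", "proc": "invoice.exe",
     "parent": "explorer.exe", "target": "backup_svc.exe"},
    # Benign administrator activity on a second host.
    {"host": "ws02", "event": "process_create", "proc": "wmic.exe",
     "parent": "cmd.exe", "target": ""},
    {"host": "ws02", "event": "file_rename", "proc": "explorer.exe",
     "parent": "userinit.exe", "target": "C:\\Users\\b\\notes.txt"},
]


def map_techniques(events):
    """Return {host: {technique_name: evidence_count}} for the rules above.

    Technique names are the ones listed for GandCrab on this page.
    """
    findings = defaultdict(lambda: defaultdict(int))
    renames = defaultdict(int)    # (host, proc) -> number of file renames
    kills = defaultdict(set)      # (host, proc) -> distinct terminated targets
    for e in events:
        key = (e["host"], e["proc"].lower())
        kind = e["event"]
        if (kind == "process_create" and e["proc"].lower() == "wmic.exe"
                and e["parent"].lower() not in TRUSTED_WMIC_PARENTS):
            findings[e["host"]]["Execution through WMIC"] += 1
        elif kind == "registry_set" and RUN_KEY_FRAGMENT in e["target"].lower():
            findings[e["host"]]["Modify registry"] += 1
        elif kind == "file_rename":
            renames[key] += 1
        elif kind == "process_terminate":
            kills[key].add(e["target"].lower())
    # Aggregated rules: only fire once a per-process volume threshold is crossed.
    for (host, _proc), count in renames.items():
        if count >= RENAME_THRESHOLD:
            findings[host]["Encrypt files"] += count
    for (host, _proc), targets in kills.items():
        if len(targets) >= KILL_THRESHOLD:
            findings[host]["Process discovery"] += len(targets)
    return {host: dict(techs) for host, techs in findings.items()}


def suspicious_hosts(events, min_techniques=2):
    """Hosts on which at least min_techniques distinct techniques were observed."""
    return sorted(h for h, techs in map_techniques(events).items()
                  if len(techs) >= min_techniques)


if __name__ == "__main__":
    for host, techs in map_techniques(SAMPLE_EVENTS).items():
        print(host, techs)
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Requiring two or more techniques on the same host before raising an alert is the point of the aggregation: a lone wmic.exe launch or a single Run-key write is common administrative noise, while the combination of WMIC execution, persistence, mass renames and process termination on one endpoint matches the behaviour pattern the list describes.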
McAfee has provided the results of its reverse engineering of versions 4.0 through 4.2 of GandCrab.
Indicators of Compromise