A new ransomware attack called “GandCrab” emerged last week, which has surprisingly distinct features such as only accepting ransom payment from the anonymous crypto currency ‘DASH’ and employing a “dot bit” (.bit) top level domain served by Namecoin’s distributed blockchain-based DNS infrastructure.
Like other ransomwares we have observed, the GandCrab’s campaign is leveraging the Seamless iframe exploit via malvertisements and web-redirects that are armed with a RIG Exploit Kit. The RIG Exploit Kit attempts to transparently drop GandCrab onto the target machine by repeatedly trying to exploit any potentially unpatched vulnerabilities on the host until successful.
The technical analysis unveils that GandCrab generates an RSA public/private key pair on victim machine that is utilized during C2 communication, which includes transmission of a headerless 64-bit encoded string with other information harvested from the infected host. GandCrab’s encryption routine encrypts files on all drives in a loop and all encrypted files eventually have a “.GDCB” extension.
As depicted below, ransom is demanded for the “GandCrab Decryptor” in an amount of 1.54 DASH (approximately $1200 USD) to be paid to the provided DASH payment address. As a show of “Good Faith”, the attacker will provide the victim with the option to decrypt one file for free.
Upon execution, GandCrab collects the following system specific information for future use:
- pc_keyb(keyboard type)
- pc_user(user name)
- pc_name (computer name)
- av (Antivirus information)
- pc_lang (system language)
- ip (IP address)
- hdd(system disk drives)
- os_bit (OS version)
- os_major (windows version)
- Processor type
- Disk space
Here is the code snippet that creates an array with labeled indexes and then calls a function GetProcessHeap to populate this array/string.
After that, it checks for disk drives types and saves the FIXED drives names to a memory buffer. Later, it will encrypt files on these FIXED drives. In our case, the FIXED drives were: C:\ and D:\
Then it creates mutex with pc_group and a unique system specific alpha-numeric ransom ID generated at runtime, e.g.
It copies itself into %appdata/roaming% with a random file name like: “nohfzh.exe”. It creates a RunOnce registry key entry to ensure that the malware will execute if the computer reboots accidentally. It also adds “gdcb-decrypt.txt” (ransom note) file in Startup folder after all files have been encrypted.
Before moving towards encryption, it kills any running processes hardcoded in the below list, so that it can encrypt files being used (locked) by these processes.
It loops through the above list of processes and terminates them one by one.
RSA Key Generation
For encryption, it generates an RSA 2048 bit key using the RSA public key exchange algorithm (CALG_RSA_KEYX), and then exports both key blobs to the buffer.
Now it prepares the POST request to send the victim’s system information gathered at start. In the meantime, it queries “ipv4bot.whatismyipaddress.com” to fetch the systems public IP address.
All the system information, RSA key and IP address are base64 encoded, and sent via the following post to the C&C server:
As we’ve seen, almost everything is hardcoded in the code but we haven’t seen the above C&C IP (18.104.22.168) where the POST data is sent. Actually, it sends an nslookup request to .bit domain to fetch the IP address of GandCrab’s C2.
GandCrab queries a.dnspod.com – TLD Name Server to resolve all “.bit” domain names. Since it uses NameCoin, an open source block chain based distributed DNS infrastructure, it is tough for law enforcement agencies to take down these websites.
Now this is point where it will start scanning FIXED drives against following file extensions:
After encrypting each file, it appends a “. GDCB” to the file name.
Adds GDCB-DECRYPT.txt file in each folder where the files are encrypted. Here are the contents of GDCB-DECRYPT.txt file.
GandCrab’s final steps are to delete all shadow copies of files and to display the ransom note containing the victim’s system specific information, ransom amount and the instructions to buy the decryptor.
Below is the complete process tree.