The GandCrab Mentality

Joie Salvio & Jasper Libranda Manuel, Fortinet Inc

GandCrab is the first ransomware family to hit the spotlight this year reportedly infecting 50 000 victims in less than a month. In fact, this aggressiveness has turned the heads of Europol, in collaboration with a security company to take action. To this day, this malware is still very much active in both development and distribution. In this paper, we will be discussing about the evolution of the malware. We also as peer into the threat actors’ mind sets based on their “loud” reactions on researchers’ and security companies’ movements against their operation, which some may even deem entertaining.

This malware was discovered in late January of this year and was first to use DASH cryptocurrency when Bitcoin and Monero were the norm. Moreover, for its Command-and-Control (C2) servers, it uses .bit Top-Level-Domains (TLD) – an implementation of a decentralized DNS using blockchain technology for added security and privacy. Another interesting trait of this malware campaign is its agile method of development resulting rapid releases of versions, which we will be discussing in details.

Although the techniques and tactics implemented by this malware cannot be considered as advanced yet, having been observed its evolution, it gives us a good glimpse of how threat actors upgrade and counteract mitigations from the security industry. In between these updates, they leave messages directed to specific researchers and companies as a form to interact with them. These interactions display not only confidence from them, but also how unorthodox this campaign is. In fact, just to give a little idea about this, they had a “vaccine war” with a security company up to a point where they released a Proof-of-Concept (POC) of a Denial-of-Service (DOS) attack on one of the company’s antivirus product.

In conclusion, we will also be presenting data and visualization of different distribution campaigns of the malware as well as how we were able to use automations for tracking its developments and for mitigations.

Joie Salvio

I’m a Malware Researcher at Fortinet. My current focus is in analyzing and tracking malware developments, particularly ransomware and botnet families. Prior to joining Fortinet, I was a Threat Response Engineer at Trend Micro for 5 years and was part of the Technical Leader Team. handling engineer escalations involving in-depth malware reverse engineering and signature-related issues.

Jasper Libranda Manuel

Jasper Manuel is a Malware Researcher currently at Fortinet focusing on targeted attacks, emerging threats, and botnets. Prior to Fortinet, he worked for Trend Micro, GData, and Microsoft in the same capacity.