Inside GandCrab Ransomware

  • Conference paper
  • Cryptology and Network Security (CANS 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11124)

Abstract

Ransomware, a special category of malware, has become a very popular means for cyber-criminals to extort money. It prevents users from accessing their machines (computers, mobile phones and IoT devices) unless a ransom is paid. Every month, security experts report many new forms of ransomware attacks, termed ransomware families. One example is the GandCrab ransomware, released at the end of January 2018. In this paper, we present an in-depth malware analysis of this ransomware, following recent work and findings on ransomware detection and prevention.


Notes

  1. https://id-ransomware.malwarehunterteam.com/.
  2. https://www.bleepingcomputer.com/.
  3. The Commonwealth of Independent States, also called the Russian Commonwealth.
  4. https://i.imgur.com/NLaFqkv.png and https://i.imgur.com/FVtXFuu.png.


Author information

Corresponding author: Yassine Lemmou

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Lemmou, Y., Souidi, E.M. (2018). Inside GandCrab Ransomware. In: Camenisch, J., Papadimitratos, P. (eds) Cryptology and Network Security. CANS 2018. Lecture Notes in Computer Science, vol 11124. Springer, Cham. https://doi.org/10.1007/978-3-030-00434-7_8

  • DOI: https://doi.org/10.1007/978-3-030-00434-7_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00433-0

  • Online ISBN: 978-3-030-00434-7

  • eBook Packages: Computer Science, Computer Science (R0)
