Abstract
A special category of malware named ransomware has become a popular means for cyber-criminals to extort money. This category prevents users from accessing their machines (computers, mobile phones and IoT devices) unless a ransom is paid. Every month, security experts report many forms of ransomware attacks, termed ransomware families. An example of these families is the GandCrab ransomware, which was released at the end of January 2018. In this paper, we present an in-depth malware analysis of this ransomware, building on recent work and findings on ransomware detection and prevention.
Notes
- 3. The Commonwealth of Independent States, also called the Russian Commonwealth.
© 2018 Springer Nature Switzerland AG
Cite this paper
Lemmou, Y., Souidi, E.M. (2018). Inside GandCrab Ransomware. In: Camenisch, J., Papadimitratos, P. (eds) Cryptology and Network Security. CANS 2018. Lecture Notes in Computer Science(), vol 11124. Springer, Cham. https://doi.org/10.1007/978-3-030-00434-7_8
DOI: https://doi.org/10.1007/978-3-030-00434-7_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00433-0
Online ISBN: 978-3-030-00434-7
eBook Packages: Computer Science (R0)