GandCrab Ransomware Targets MSPs in Criminal Franchisee Scheme
By some measures, ransomware has slipped as the go-to attack technique for cybercriminals. But don’t tell that to the operators behind GandCrab, the ransomware first discovered a little over a year ago that one security provider estimates has since grabbed some 50 percent of the market.
While GandCrab is extortion as you might expect, it’s the malware’s out-of-the-ordinary model of ransomware-as-a-service (RaaS) that has fueled its propagation as the most popular malware type. The gang’s customers aren’t the businesses and individuals whose files GandCrab locks but instead a network of soldiers who go after those companies through stolen credentials or brute force tactics.
Why GandCrab Targets MSPs
Managed services providers (MSPs) are a newly-favorite entry way, giving the crime crews the ability to mass infect thousands in a lone attack. “Probably the most spectacular development in the way affiliates target victims is the targeting of [MSPs] to use their reach inside companies to automate the deployment of ransomware,” Bitdefender said in a blog post. “Once they have infected the network, they wipe logs and traces of their presence and ask for ransoms of approximately $10,000 per company computer.”
Just last month, GandCrab hackers compromised a Connectwise Manage plug-in for the Kaseya VSA remote-monitoring tool used by MSPs’ IT support staff. A plug-in update corrected the issue.
GandCrab was initially promoted on public websites but sold through the dark web and distributed through the RIG exploit kit, used in malware-laden ads to deliver the malicious code, wrote Sophos in a blog post. For as little as $100, ransomware neophytes could fell upwards of 200 victims in 60 days, according to Sophos’ researchers. Affiliates can choose their own ransom amount to squeeze victims and in time can add services and features to their burglary bag. A full version of GandCrab costs about $1,000. “In essence, the GandCrab creators provide a criminal franchise system,” Luca Nagy, a Sophos threat researcher, said.
“The ransomware has developed a large pool of customers, and an unfortunately large pool of victims as well. The authors have kept pace with a team of cryptography experts working for Europol and Bitdefender who have released several decryptor tools, and continue to release updated versions of the malware that bypass the decryptor features every time a new decryptor hits the street,” Nagy said.
GandCrab Decryptor Tools
Fortunately, the defenders have responded with new decryptor tools. In mid-February, Bitdefender again worked with the Romanian Police, Europol and other law enforcement agencies on another update to the decryptor utility it first released a year ago and then updated last October. According to the security provider, this upgrade works for all GandCrab ransomware versions released since October, including versions 1, 4, 5.0.1 through 5.1. “The good news is that now you can have your data back without paying a cent to cyber-criminals,” Bitdefender said.
Based on past behavior, it’s likely the GandCrab hackers will be quick to release another version as a counter move. Indeed, they released GandCrab 5.2 one day before Bitdefender’s latest decryptor. A year ago, GandCrab rolled out a new version just five days after Bitdefender released its initial decryptor for the ransomware. The company’s internal data indicates that 50,000 victims retrieved their data using its first decryptor. Overall, it estimates that in the past year the tool has enabled system administrators and home users to decrypt some 20,000 servers to avoid paying an estimated $24 million in ransom demands.