GandCrab (or just Crab) ransomware definitely changed the rules of the ransomware game.
The operators behind the infamous cryptovirus created a very profitable business model which others quickly adopted. For example, let’s have a look at the so-called Sodinokibi ransomware.
It displayed well-coordinated behavior and distribution campaigns, and it was quite evident that its operators borrowed quite a few tricks from GandCrab. This indicated that Sodinokibi could grow as big as GandCrab in terms of attacks and variants, attracting many affiliates along the way.
So, which hackers emerged from GandCrab?
A new report by Advanced Intelligence sheds some light on the “GandCrab paradigm”.
The very first notable difference that made GandCrab stand out is the exposure, a true sign of a rising business model. “Before GandCrab, traditional ransomware teams, run by Russian-speaking hackers were acting privately, silently, and avoided underground forums,” the report says. This was done for anonymity purposes, as the Russian underground community didn’t go along with the digital extortion model, which is central to ransomware development.
The operators of GandCrab did exactly the opposite by choosing to become “a paradigm-shifting phenomenon”:
They turned ransomware business into a full-fledged media operation. Branding, marketing, outreach, and even Public Relations (PR) manifested in continuous communications with customers, affiliates, victims, and security researchers – everything was meticulously set to establish a new type of ransomware enterprise.
But what exactly did GandCrab change?
For starters, the ransomware developer(s) created their own charity campaigns and micro-loan partnerships across forums.
The cybercrime syndicate’s impact was so strong that even one review posted by their official darkweb accounts was enough to elevate or erase a certain malware product offered for sale. When new loaders or stealers were released, the first question which high-profile members of the underground asked was: “Are these compatible with ‘Crab’?”, while numerous exclusive malware samples, botnets, domain accesses, network credentials, and other auction rounds were closed with the message “sold to GandCrab.”
In short, Crab “abandoned the old ways” of only working with experienced affiliates, and welcomed newcomers motivated enough to join the operation. For many, this was their first ransomware experience, but this wasn’t an issue, since Crab’s ransomware-as-a-service (RaaS) programs and affiliate partnerships were built to serve the inexperienced. Eventually, the “students” of these programs started their own smaller ventures, which brought new ideas to the foundation.
Who participated in Crab ransomware’s business model?
Some of the most successful affiliates include threat actors known by the following nicknames: ford, FloodService, veneno, snowflake. It is noteworthy that entire ransomware collectives such as jsworm and their affiliate PenLat, who are behind the JSworm and Nemty ransomware, started from GandCrab. Some of the most devoted GandCrab supporters, including Lalartu, may have directly contributed to the rise of the REvil (Sodinokibi) RaaS group.
In March this year, CrowdStrike researchers said that the criminal group behind the infamous GandCrab ransomware is nicknamed Pinchy Spider.
It’s curious to note that the program offered a 60-40 split in profits, with 60 percent offered to the customer. However, the gang was willing to negotiate up to a 70-30 split for customers that are considered more “sophisticated”, researchers say.
GandCrab 5.2, released in February 2019, came right after a decryption tool for the previous version appeared for victims. According to CrowdStrike researchers, the “development of the ransomware itself has been driven, in part, by PINCHY SPIDER’s interactions with the cybersecurity research community. GandCrab contains multiple references to members of the research community who are both publicly active on social media and have reported on the ransomware”.
At that time, Pinchy Spider criminals were advertising GandCrab to individuals with remote desktop protocol (RDP) and VNC (Virtual Network Computing) skills, and spam operators who had experience in corporate networking.
The researchers also provided an example of such an advertisement which said the following: “Spammers, working with landing pages and corporate networking specialists — do not miss your ticket to a better life. We are waiting for you.”
The emergence of the truniger collective
It is curious to note that one of the most successful hacker collectives that emerged from GandCrab’s depths is TeamSnatch also known as truniger:
At the beginning of their cybercrime career, truniger (who then referred to themselves in the singular) was fascinated with carding and e-skimming. According to them, they had started with a sum of money obtained from a legitimate job, which was invested in the financial fraud digital infrastructure. This criminal avenue, however, quickly exhausted truniger’s funds and led them into financial hardship. In attempts to dodge these dire circumstances, the hacker began investigating Remote Desktop Protocol (RDP) vulnerabilities, specifically, brute-forcing RDPs to access different databases.
This vector proved to be more efficient and shortly after, truniger started to investigate various ways to monetize the obtained accesses. Not surprisingly, the ransomware-as-a-service model was a logical next step. The collective had already gained some experience and knowledge regarding ransomware, anti-virus vulnerabilities, and backdoors in legitimate software. They even tested their skills in a partnership with Rapid ransomware.
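The RDP password-guessing that gave truniger (and the affiliates Pinchy Spider recruited for their “RDP skills”) their initial foothold leaves a loud trace in Windows Security logs: bursts of failed logons (event 4625) with LogonType 10 from one source address, sometimes followed by a success (event 4624). The script below is an added example written for this page, not code from the Advanced Intelligence or CrowdStrike reports. The event records are constructed sample data in a simplified layout; the field names (EventID, LogonType, IpAddress, TargetUserName) follow the real Windows event schema, and the threshold and window are assumed tuning values.

```python
"""Flag RDP password-guessing from Windows Security events (added example).

Constructed sample data: a simplified rendering of events 4625 (failed logon)
and 4624 (successful logon). LogonType 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                 # RemoteInteractive (RDP) in Windows logon-type table
FAIL_THRESHOLD = 5                  # assumed tuning value: failures per source in WINDOW
WINDOW = timedelta(minutes=5)       # assumed tuning value

# Constructed sample: one external host guessing several accounts over RDP and
# then logging in, plus an internal user who simply mistyped a password twice.
SAMPLE_EVENTS = [
    {"ts": "2019-08-01T02:00:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"ts": "2019-08-01T02:00:05", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": "2019-08-01T02:00:10", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "sql"},
    {"ts": "2019-08-01T02:00:15", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"ts": "2019-08-01T02:00:20", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"ts": "2019-08-01T02:00:25", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": "2019-08-01T02:00:30", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "root"},
    {"ts": "2019-08-01T02:00:40", "EventID": 4625, "LogonType": 3,  "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": "2019-08-01T02:01:00", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"ts": "2019-08-01T02:10:00", "EventID": 4625, "LogonType": 10, "IpAddress": "10.0.0.5",    "TargetUserName": "jdoe"},
    {"ts": "2019-08-01T02:11:00", "EventID": 4625, "LogonType": 10, "IpAddress": "10.0.0.5",    "TargetUserName": "jdoe"},
    {"ts": "2019-08-01T02:11:30", "EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5",    "TargetUserName": "jdoe"},
]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside a sliding window. A finding records how many failures were
    seen, which account names were tried, and the account name of any RDP
    success that followed while the source was still over the threshold."""
    findings = {}
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failed RDP logons

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                                  # only RDP logons are of interest here
        ts = datetime.fromisoformat(ev["ts"])
        ip = ev["IpAddress"]
        q = recent[ip]
        while q and ts - q[0][0] > window:            # drop failures older than the window
            q.popleft()

        if ev["EventID"] == 4625:
            q.append((ts, ev["TargetUserName"]))
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "usernames": set(), "compromised_account": None})
                f["failures"] = max(f["failures"], len(q))
                f["usernames"].update(user for _, user in q)
        elif ev["EventID"] == 4624 and ip in findings and len(q) >= threshold:
            # success while still over the failure threshold: treat as likely compromise
            findings[ip]["compromised_account"] = ev["TargetUserName"]

    return {
        ip: {"failures": f["failures"],
             "usernames": sorted(f["usernames"]),
             "compromised_account": f["compromised_account"]}
        for ip, f in findings.items()
    }


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The internal host stays below the threshold, so it is not reported; the external host is reported with the full list of account names it cycled through and the account it eventually logged in with, which is the pivot point an incident responder wants first. When running this against real logs, feed it events 4625 and 4624 exported from the Security channel, tune the threshold per environment, and remember that sources behind NAT or a jump host will aggregate many users under one address.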
By August 2018, truniger hackers encrypted more than 1,800 devices, and were finally noticed by GandCrab. Long story short, the truniger collective illustrated how quickly one actor can grow into a well-working cybercrime group.
Starting from minor carding operations, truniger evolved with the help of GandCrab RaaS and even created their own version of a ransomware program, the researchers concluded.