GandCrab

In January 2019, it was reported that some domains that were registered at GoDaddy had been sending ransom bomb threats... These messages appeared to be from domains owned by legitimate, well-known brands. The group... was exploiting a vulnerability in GoDaddy’s DNS setup platform... They would then use the automated service to send mail from dormant domains.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

A remote attacker is able to exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.

These messages appeared to be from domains owned by legitimate, well-known brands... They would then use the automated service to send mail from dormant domains.

A primary suspect for malicious code download and in-memory execution in the recent period is PowerShell... PowerShell is launched with Invoke-Expression cmdlet evaluating code downloaded from a Pastebin web page using the Net.WebClient.DownloadString function, which downloads a web page as a string and stores it in memory.

Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request ... allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software ... and gain unauthorized access to the OS.

First advertised in early 2018, GandCrab initially spread through spam emails containing malicious attachments.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

Obfuscation and polymorphic nature of malware make them more difficult to identify by Antivirus system.

Obfuscation and polymorphic nature of malware make them more difficult to identify by Antivirus system.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

One popular technique we're seeing at this time is the use of living-off-the-land binaries — or "LoLBins"... LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Popular malware like Sodinokibi and Gandcrab have used reflect DLL loaders in the past that allows attackers to load a dynamic library into process memory without using Windows API... the obfuscated Cobalt Strike beacon... gets deobfuscated with a static XOR key and loaded into memory using reflective loading techniques.

The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process.

In addition, in some cases, extensive data were also spied on and threatened with the publication of this, unless a ransom was paid.

...pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.

- 08.20.2019 16:56:51 Release date Panel is ready Cryptolocker is ready ... - 10.02.2019 15:28:23 1.6 ransomware update changed encryption algorithm added our own key generator (not pseudo keys)

The perpetrators demanded large ransom payments in exchange for decrypting and not leaking data.