Ransomware continues to be a scourge on enterprise networks. The rise -- and eventual fall -- of GranCrab is illustrative of how quickly this kind of malware is evolving. Last month, its creators announced their retirement, claiming they had made millions in payouts collected. That was perhaps good timing on their part, since this week the FBI announced it has the decryption keys for several different versions of the malware. Researchers figured out the keys after the group behind some of the attacks took pity on one of their Syrian victims, who complained about having to pay the $600 ransom. The group then published a decryption key that allowed all Syrians to unlock their files gratis. That in turn helped others to develop the master keys that were posted this week.
Brian Krebs followed the money trail of the GranCrab authors in a recent post of his own. He doesn’t think their retirement is genuine: they have simply “regrouped and re-branded due to the attention from security researchers and law enforcement.” The money they have so far collected is too good to pass up. Their next exploit may be found in a new strain of the Revil or Sodinokibi malware. This strain is using an old Windows CVE-2018-8453 vulnerability for privilege escalation. In the general malware context that in and of itself isn’t really newsworthy, but it is rare for ransom-based attacks. Kaspersky has this dissection of its operations. This is the second flaw that this malware has leveraged: earlier this spring, Cisco Talos found the malware taking advantage of the CVE-2019-2725 flaw in Oracle’s WebLogic code that could allow file system access over a web connection. This second issue was more readily detected by numerous malware scanners and quickly patched.
The discovery of this strain is also noteworthy for three other reasons. First, it shows how these old zero-day flaws move from being used by nation state hacking groups to more criminal elements. This seems to be happening more often. Second, the code contains a backdoor encryption key that allows the malware authors to decrypt any file on a victim’s PC, which seems to indicate that the ransomware is being distributed widely as a cloud-based service, which is also becoming more popular. Finally, researchers have found similar methods of compromise between Revil and GranCrab, which could be the second act of the GranCrab authors or a copycat operation.
Let's go back to talking about the ransoms themselves. The amount of funds being collected could be a reason why the U.S. Conference of Mayors recently passed a resolution at its latest meeting in Hawaii last month. (Scroll down the page until you see this particular resolution.) They formally oppose ransom payouts, claiming that at least 170 local and state government entities have been attacked since 2013, with 22 just since the beginning of 2019, and three in May and June. Of course, passing such a resolution and actually backing that up with action are two different things. It could motivate many city managers to not report any payouts of future attacks.
The GranCrab story is an intriguing one, to be sure. And it shows that defenders have to stay on their toes to keep up with the changing nature of malware in the modern era.