{
	"id": "b1606b05-6c7e-4f12-8cb3-c3de5cb854dc",
	"created_at": "2026-04-06T01:29:51.015178Z",
	"updated_at": "2026-04-10T13:13:02.117124Z",
	"deleted_at": null,
	"sha1_hash": "a10a88e8a3ab5a32bfe64332cf2f1901cd01882c",
	"title": "GandCrab Ransomware-as-a-Service (RaaS) analysed in depth",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3752321,
	"plain_text": "GandCrab Ransomware-as-a-Service (RaaS) analysed in depth\r\nArchived: 2026-04-06 01:02:57 UTC\r\nVB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service\r\n(RaaS) analysed in depth\r\nAlexandre Mundo Alguacil \u0026 John Fokker\r\nMcAfee, Spain \u0026 The Netherlands\r\nTable of contents\r\nAbstract\r\nThis paper examines the GandCrab ransomware, the biggest Ransomware-as-a-Service (RaaS) threat seen in 2018\r\nand the first half of 2019. Through technical analysis, we discovered several mistakes and indicators in the\r\nmalware. Armed with these findings, we were able to exploit those mistakes and build a publicly available vaccine\r\nagainst GandCrab.\r\nThe hard-coded indicators gave us a method to link individual ransomware samples to affiliates and, by looking at\r\nhundreds of GandCrab samples at once, we gained even more interesting insights into the service model\r\ndynamics. Subsequently, to learn more about the actor behind GandCrab and its affiliates, we carried out extensive\r\nunderground forum research. This multi-angled approach gave us different ways to cook a GandCrab.\r\nOur research was fuelled by a sense that, as an industry, we must realize that we cannot stop cybercrime alone and\r\nthat we should aim to do more than just malware analysis and the writing of detection rules, especially when it\r\ncomes to fighting RaaS-type threats. 
Unfortunately, we find ourselves in a situation where most of the\r\ncybercriminals involved in ransomware can operate with a certain degree of impunity – ransomware developers\r\nare often in countries that make legal prosecution difficult, and affiliates are hard to catch and can easily move\r\nfrom one RaaS to another, continuing their extortion operations.\r\nWhile law enforcement faces a daunting challenge to bring the individuals responsible to justice, our industry’s\r\nknowledge, data and tooling should help with this task.\r\nIntroduction\r\nThe GandCrab malware made its first appearance at the end of January 2018 and it didn’t take long for it to be\r\ndiscovered by the security community [1]. At that time, no one imagined that GandCrab would eventually grow to\r\nbecome the most prolific Ransomware-as-a-Service threat of 2018 and the first half of 2019. Its growth continued\r\nalmost right up until it ceased to operate in mid-2019.\r\nhttps://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/\r\nPage 1 of 33\n\nLooking back, we believe that its success was due to a combination of factors, from technical to partnering,\r\nmarketing and servicing skills. GandCrab had a large underground forum presence and enjoyed attention from\r\nboth fellow cybercriminals and security researchers. 
The GandCrab crew operated predominantly on one of the\r\nlargest underground forums, where it acted with a sense of impunity, openly mocked the security industry, and\r\nboasted about its income.\r\nIts growth and open communication style sparked our research, with GandCrab giving us a great opportunity to\r\nlink our malware analysis (capability) with the adversary’s activity (GandCrab and its affiliates) on the\r\nunderground forums.\r\nWe used the Diamond Threat Model [2] as our guideline to structure our research.\r\nWe started out by closely examining the GandCrab ransomware code and all its versions. We looked for mistakes\r\nand to see if it contained any clues or special indicators. That was the basis for building the various vaccines.\r\nFrom an adversary point of view, we closely monitored GandCrab’s activity on the underground forums and\r\ninvestigated other forum users who showed an interest in the ransomware.\r\nFigure 1: Diamond Threat Model: link between the adversary and its capability.\r\nFurthermore, we worked on gathering victim information via telemetry detections from the McAfee backend. Even\r\nthough we had developed a vaccine that prevented encryption, customers could still be exposed to the virus\r\nexecutable and this telemetry allowed us to monitor hits based on hash values. By doing so, we linked potential\r\nvictims not only to the specific malware but also, as discussed in this research, to groups of\r\nGandCrab samples attributed to a single adversary or, in this case, an affiliate.\r\nFigure 2: Linking victims to an adversary via the malware (capability).\r\nThis paper presents the highlights of our extensive research and details our methodology in examining the service\r\nmodel and the top GandCrab affiliates. 
Before we start with the technical analysis, it is important to understand\r\nthe different versions of the ransomware that have been released.\r\nVersion overview\r\nIn order to be able to identify possible mistakes in the malware, and/or to find ways to disrupt the service model, it\r\nwas important for us to have a clear understanding of the different versions of the malware, its development speed,\r\nand the agility of the actors behind it.\r\nVersion 1\r\nThe GandCrab malware was first discovered in late January 2018 by David Montenegro [1]. At the beginning,\r\nGandCrab only accepted payment of the ransom using Dash, but later included BTC as another method of\r\npayment. GandCrab was not flawless; the first version and its infrastructure contained several mistakes that\r\nresulted in the development of a free decryptor.\r\nVersion 2\r\nOn 5 March 2018, one week after the release of the decryptor, a new version of GandCrab was discovered by the\r\nresearch collective MalwareHunterTeam [3]. GandCrab had fixed earlier mistakes, rendering the previously\r\ndeveloped decryptor useless. This version had a new extension for the crypted files, different hard-coded domains,\r\nand was offered in both .EXE and DLL formats, allowing affiliates to choose their preferred method of spreading\r\nthe ransomware [4].\r\nThe GandCrab crew’s swift response to the release of the decryptor showed that they were agile and determined to\r\nremain active.\r\nThere was already a hard-coded version number in the GandCrab malware, but this was not always accurate. We\r\ncame across numerous strange version numbers that we believe were an attempt to mislead the research\r\ncommunity.\r\nVersion 3\r\nThe third version of GandCrab was spotted around 23 April 2018 by a researcher using the Twitter handle nao_sec\r\n[5]. 
A later iteration of version 3 was subsequently discovered on 9 May 2018 by a researcher with the Twitter\r\nhandle zswei [6].\r\nVersion 3 was the first to have a different wallpaper and we discovered signs of sub-versions of this iteration,\r\nidentified by subtle changes in the wallpaper and, in some cases, the use of process injection.\r\nVersion 4\r\nAt the beginning of July 2018, version 4 was released. Version 4 featured some significant changes from the\r\nearlier versions. An important difference in version 4.0 was a change in the algorithm used to encrypt files. Earlier\r\nversions used RSA and AES; in version 4 GandCrab switched to Salsa20. We believe that this was mostly done for\r\nspeed. RSA is a powerful but slow algorithm, whereas Salsa20 can encrypt much faster and the implementation is\r\nsmaller. The ransomware generates a pair of RSA keys before encrypting any file. The public key encrypts the\r\nSalsa20 key and the random initialization vector (IV, or nonce) generated later for each file. GandCrab also used\r\nthe registry to keep the generated RSA keys; this later proved vital in making the different vaccines.\r\nTo further increase speed, GandCrab started using another thread to look for network shares besides the normal\r\nencryption thread. The wallpaper introduced in version 3 disappeared.\r\nOne of the most important changes that helped our research was the introduction of more stable administration\r\nusing hard-coded ID and SUB_ID numbers in the ransomware. 
We believe the GandCrab developers introduced\r\nthis in order to have a tight accounting method for all the affiliate infections, to cope with the growth of the RaaS.\r\nEventually, these hard-coded values proved to be vital in our research to understand the service model through\r\nlarge-scale ID number tracking and linking ID numbers to victims and affiliates.\r\nVersion 5\r\nIn version 5, GandCrab showed real signs of stepping up its game by showcasing new alliances with other\r\ncriminal services to strengthen its supply and distribution networks. One of these alliances became obvious during\r\nversion 4, in which the ransomware started being distributed through the new Fallout exploit kit. In the\r\nannouncement of version 5, the GandCrab crew openly endorsed working with the Fallout exploit kit.\r\nThis was not the only partnership, though: another alliance was formed with a malware crypter service called\r\nNTCrypt and, later, AlexCrypt. A crypter service provides malware obfuscation to evade detection by anti-malware products. However, the GandCrab crew were not completely ruthless – after receiving a Tweet from a\r\nSyrian victim they decided to unlock all victims in that locale.\r\nOn 25 October a decryptor for GandCrab up to version 5.03 was made available via the NoMoreRansom [7]\r\nplatform. This was a huge blow for the almost untouchable GandCrab ransomware and gave rise to some\r\ninteresting conversations in the cybercriminal underground. Interestingly, it was the user behind the Kraken\r\nransomware, ThisWasKraken, who broke the news first on the forum. Shortly after the release of the decryptor,\r\nGandCrab came out with version 5.04. 
Based on the compilation dates of the first 5.04 samples we believe that\r\nthis new version was not a direct reaction to the release of the decryptor, but a new version that they had already\r\nbeen planning on spreading. At the end of 2018 the activity slowed down. Judging by GandCrab’s underground\r\nposts (an example of which is shown in Figure 3), the cybercriminal group was working mostly in the\r\nbackground, trying to fix and improve the ransomware.\r\nFigure 3: GandCrab explaining the delays.\r\nGandCrab came back with the release of version 5.1 on 16 January 2019, two days after the Orthodox new year\r\n[8]. However, this victory was short-lived because another decryptor was released at the end of January. In\r\nresponse, the criminals behind GandCrab released version 5.2 a couple of days after the publication of the new\r\ndecryptor. Despite the new version, Europol announced in mid-March [9] that, with the new decryptor, more than\r\n14,000 people had been able to save their encrypted files – a significant blow for the criminals. GandCrab\r\nannounced that it was stopping its business on 31 May 2019, claiming it had made hundreds of millions of dollars\r\nalong the way. Despite the amount of money made, no mercy was shown to the remaining victims and they were\r\nurged to pay the ransom – GandCrab did not release the last keys for free. Luckily for those victims, there came a\r\nfinal version of the GandCrab decryptor, meaning they could also get their files back without paying the ransom.\r\nTechnical malware analysis\r\nAs discussed, several versions of GandCrab have been released since its initial appearance in January 2018. In this\r\npart we will highlight some technical insights into the two major versions: 4 and 5. 
Although some behaviours\r\nwere the same, some significant changes were also observed.\r\nAlgorithms and languages\r\nVersions 4 and 5 encrypted victim files using the Salsa20 algorithm. Previous versions of GandCrab had used AES\r\nas an encryption algorithm. The Salsa20 algorithm has some advantages over AES:\r\nSmall code and very fast. Speed in relation to encrypting files is critical for ransomware. A faster algorithm\r\nis better than a slower one. AES uses the CPU extension behind the scenes.\r\nOpen-source implementation. AES also has open-source implementation, but the Salsa20 implementation\r\nis smaller in code and there are a lot of variants of the algorithm in source code format in C and other\r\nlanguages.\r\nRobust and with no known failures in the algorithm.\r\nSupport for 16- and 32-bit keys with an initialization vector. GandCrab used the 32-bit version.\r\nGandCrab obtained all processes of the system and searched for the common process names, just like other\r\nransomware families such as Cerber. If it detected any of them, it would try to open the process and terminate it\r\nusing the ‘TerminateProcess’ function.\r\nGandCrab checked the language of the victim system before starting the process of gathering information. For this\r\nit used the ‘GetUserDefaultUILanguage’ and ‘GetSystemDefaultUILanguage’ functions. These functions would\r\nget the local language of the victim system and compare it with a hard-coded list that included all CIS countries. If\r\nthe victim system was based in one of the CIS countries GandCrab would terminate.\r\nIn the earlier versions of GandCrab there was no function for detection of the Syrian language. 
Later, after\r\ndisclosing the decryption keys to victims in that locale, the GandCrab crew added the Syrian language to the hard-coded list.\r\nGandCrab determined the language of the victim machine by reading from a registry entry:\r\n[HKEY_CURRENT_USER\\Keyboard Layout\\Preload]\r\nIt read the value and compared it against the hard-coded language list, checking for the Russian language value\r\n(0x419), for example.\r\nFigure 4: Language check on the victim’s system.\r\nAfter the language check, GandCrab prepared a string based on the serial number of the main installation of\r\nWindows and some calculation (as a division by 2) in hexadecimal format. To this string the malware added the\r\nextension ‘.lock’ and checked for this file. If it already existed, the malware quit. If not, it continued.\r\nFollowing the release by AhnLab of a program [10] that made this file act as a vaccine, the GandCrab crew\r\nresponded by changing this check – a sign that they were closely monitoring the industry.\r\nAfter that, the malware prepared the RSA public key, which was embedded and crypted with two layers (except in\r\nthe last version of the malware (5.2), which used three layers to protect it). The first layer was a simple XOR\r\noperation with the value 0x5 and the second layer was decryption using the Salsa20 algorithm with a hard-coded\r\nkey (see Figure 5). 
In v5.2 the third layer was a custom algorithm (the first layer, followed by the two other steps):\r\nVersion 4 to 5.1: XOR + Salsa20\r\nVersion 5.2: custom algorithm + XOR + Salsa20\r\nFigure 5: Decrypting the master RSA key in the second layer.\r\nThe key of the Salsa20 algorithm is ‘expa@hashbreaker Dannd 3@hashbr’ (without quotes). It is based on the\r\nname of the author of the Salsa20 algorithm and his Twitter nickname (‘hashbreaker’).\r\nIf the malware could not get the RSA key it would terminate since it was needed later. The RSA key was saved in\r\na global var in a buffer to keep it in blob format.\r\nVictim information and hard-coded values\r\nAfter preparing the RSA key, the ransomware would get information from the victim machine and save it as a big\r\nstring that would later be ciphered with the RC4 (sometimes a custom XOR) algorithm and encoded in Base64 to\r\nsave it into the ransom note.\r\nThe information and fields were as follows:\r\npc_user: Name of the user logged into the machine.\r\npc_name: Name of the endpoint infected.\r\npc_group: Name of the domain or workgroup of the endpoint.\r\nAV: Name or names of anti-virus product(s) in the endpoint.\r\npc_lang: Name of the language or languages of the endpoint.\r\npc_keyb: The type of keyboard on the endpoint.\r\nos_major: The name of the operating system of the endpoint.\r\nos_bit: The type of CPU of the infected endpoint.\r\nransom_id: Unique value for the victim for the ransom note and Onion web page to pay.\r\nhdd: Information about the logical units.\r\nip: The IP address of the endpoint.\r\nAfter preparing this big string, it would concatenate more special fields hard-coded in the malware 
sample. These\r\nvalues were:\r\nid: The affiliate id number.\r\nsub_id: The sub id of the affiliate id.\r\nversion: The internal version number of the malware. In the example below, it is ‘4.0’ but the last version\r\nwould have shown ‘5.2’.\r\nThe malware concatenated these fields with the previously mentioned big string to finally get all the information about\r\nthe system and malware information in plain text.\r\nThe hard-coded values above proved to be of great importance in analysing the RaaS model of GandCrab.\r\nFor example, in this case the final string is as follows (some fields were altered to make the malware fill in the\r\nfields):\r\npc_user=IDC_UNIT56\u0026pc_name=IDC_SEAT_56\u0026pc_group=WORKGROUP\u0026av=[System Process],smss.exe\u0026pc_keyb=0\u0026os_major=MicrosoftWindowsXP\u0026os_bit=x86\u0026ransom_id=6deb15dd9c2e5c79\u0026hdd=C:FIXED_10725732352/8747036672,E:REMOTE_511503020032/257787961344\u0026id=15\u0026sub_id=15\u0026version=4.0\r\nThis big string would be crypted and a Base64 string prepared from it to put in the ransom note between the\r\nmarks:\r\n---BEGIN PC DATA---\r\n---END PC DATA---\r\nPayload execution\r\nAfter these steps the malware started its critical malicious payload that was executed in a number of steps.\r\nThe first step was to verify the file extensions that the malware was not allowed to encrypt. 
These were stored in a\r\nhard-coded buffer crypted with the value 0x5.\r\nThe extensions that were blacklisted were as follows:\r\n.ani\r\n.cab\r\n.cpl\r\n.cur\r\n.diagcab\r\n.diagpkg\r\n.dll\r\n.drv\r\n.lock\r\n.hlp\r\n.ldf\r\n.icl\r\n.icns\r\n.ico\r\n.ics\r\n.lnk\r\n.key\r\n.idx\r\n.mod\r\n.mpa\r\n.msc\r\n.msp\r\n.msstyles\r\n.msu\r\n.nomedia\r\n.ocx\r\n.prf\r\n.rom\r\n.rtp\r\n.scr\r\n.shs\r\n.spl\r\n.sys\r\n.theme\r\n.themepack\r\n.exe\r\n.bat\r\n.cmd\r\n.gandcrab\r\n.KRAB\r\n.CRAB\r\n.zerophage_i_like_your_pictures\r\nThe above list consists mostly of common extensions that other ransomware families also avoid. However,\r\nGandCrab’s list includes some additions that are interesting:\r\n.lock: this extension belongs to the files that the malware creates in each folder to indicate that it is crypting\r\nthem, as a measure to avoid another instance of GandCrab affecting the same folder. Usually this file is\r\nempty; for GandCrab only its presence/absence is important.\r\nThis file extension changed in some samples to ‘.luck’ or ‘.fuck’, so not all versions have the same name.\r\n.zerophage_i_like_your_pictures: this extension does not exist by default in Windows; it is a joke against a\r\nmalware analyst, zerophage.\r\n.KRAB: this extension is included to avoid crypting the files that had already been encrypted.\r\n.CRAB: again, this extension is included to avoid crypting the files that had already been encrypted.\r\nThe newest versions of GandCrab did not use a special extension, instead calculating a random extension\r\nthat could be from 5 to 10 characters in length, depending on the version. 
In this case GandCrab saved the\r\nrandomly created extension in the registry too, in a special subfolder (with the exception of the last version\r\nwhere this registry write code was removed to destroy the vaccine that had been created). In any event, the\r\nextension was included in the ransom note so the official decryptor (given to the victims when they paid\r\nthe ransom) had the correct extension to search for.\r\nThe next action of the malware was to create a pair of RSA keys (one public and one private) to protect the keys\r\nthat would later be used to crypt the files.\r\nThe malware reserved two memory buffers with ‘VirtualAlloc’ and acquired the context of the cryptosystem of\r\nWindows using the ‘CryptAcquireContextW’ function with the parameter ‘Microsoft Enhanced Cryptographic\r\nProvider 1.0’.\r\nIn v1 of GandCrab there was a bug at this point where keys could be extracted from memory. After the release of a\r\ndecryptor, the actors resolved this in version 2 using the value 0xF0000000 as a flag.\r\nAfter creating the key pair, GandCrab exported them in two RSA blobs using the ‘CryptExportKey’ function with\r\nthe argument ‘6’ for the public RSA1 key blob and with the argument ‘7’ for the private RSA2 key blob. After the\r\nexports, it destroyed the key pair from memory using the ‘CryptDestroyKey’ function and released the context\r\nusing the ‘CryptReleaseContext’ function. In this case the function returned with TRUE as a result to cause the\r\nmalware to follow the normal flow to crypt shares and files later.\r\nIt is important to understand that the memory reserved for both blobs was not released at this point as it would be\r\nneeded later. 
By taking a memory dump at this point, both blobs could be retrieved.\r\nBefore version 4.0, GandCrab was creating registry settings that we could use to create a vaccine. If these registry\r\nsettings were already present, and the ransomware failed to create them, the malware would not encrypt and\r\nwould terminate. However, this was adjusted in version 5.2.\r\nAnother protection mechanism that worked with v4.0 and some of v5 (not including 5.2) was to create subkeys in\r\nthe registry and remove all rights for all users (including SYSTEM). This way the subkey could not be opened because\r\nof the ERROR_ACCESS_DENIED (5) error, which was not checked. The malware would create the Salsa20 key, etc.\r\nanyway, but could not save them in the registry and would return FALSE, causing the code flow to delete itself\r\nwithout crypting anything in the endpoint.\r\nThe next action by the malware was to prepare the strings of information about the infected endpoint (that was\r\ncrypted in the previous layer) and the Salsa20 key, IV and RSA2 private key blob (all crypted in the first layer).\r\nFor this, the malware prepared some strings that were hard coded in the code:\r\n--- BEGIN GANDCRAB KEY ---\r\n--- END GANDCRAB KEY ---\r\nBetween these two strings the malware kept in memory the Salsa20 key, IV and crypted RSA2 buffer but, before that,\r\nit crypted the RSA2 buffer again with another layer.\r\nThe next action was to prepare the ransom note in memory. The malware decrypted the ransom note text with a\r\nXOR value of 0x10. After decrypting the full ransom note, it once again got the system information for the\r\n‘random_id’ and ‘pc_group’ fields. 
Next, it wrote the previous string with the information of the endpoint and\r\nmalware sample crypted between the two marks ‘ --- BEGIN PC DATA --- ’ and ‘ --- END PC DATA --- ’ and the\r\nSalsa20 key, IV and RSA2 private key blob crypted between the two marks ‘--- BEGIN GANDCRAB KEY --- ’\r\nand ‘ --- END GANDCRAB KEY --- ’.\r\nWhen the note had been created, the malware prepared to start encrypting files. It would get all logical units that\r\nwere of the type FIXED or REMOTE. For each one discovered, it would create a thread that would encrypt that\r\nparticular unit.\r\nIn this procedure the malware would check if the path was blacklisted. The list of blacklisted paths was as follows:\r\n\\ProgramData\\\r\n\\IETldCache\\\r\n\\Boot\\\r\n\\Program Files\\\r\n\\Tor Browser\\\r\n\\All Users\\\r\n\\Local Settings\\\r\n\\Windows\\\r\nThese strings were hard coded in the binary in the read data section. Later, the malware checked more paths using\r\nthe ‘SHGetSpecialFolderPathW’ function for these paths:\r\nCSIDL_PROGRAM_FILESX86\r\nCSIDL_PROGRAM_FILES_COMMON\r\nCSIDL_WINDOWS\r\nCSIDL_LOCAL_APPDATA\r\nIf the path was one of the blacklisted ones, the thread would finish without encrypting anything. If a valid path\r\nwas discovered, it would write the ransom note in this path with the name ‘KRAB‑DECRYPT.TXT’.\r\nFor each file discovered, it would check the name to avoid the actual directory (name: ‘.’) and the previous\r\ndirectory if it existed (name: ‘..’) and check the flags of the file to see if a directory existed with a TEST operation\r\nwith the value 0x10. 
Finally, after encryption took place, the ransomware changed the name of the file, adding the\r\nextension ‘.KRAB’.\r\nIt is important to reiterate that the last version of the malware (v5.2) did not use the ‘.KRAB’ extension but instead\r\nused a random extension with 5 to 10 random characters.\r\nFigure 6: Renaming of file to new extension.\r\nOnce all encrypting had taken place it would start to delete the Volume Shadow Copies to prevent restoration of\r\nfiles. If the operating system version was older than Windows Vista, it would prepare a hard-coded string in the\r\ncode to delete the shadow volumes in a quiet way:\r\ncmd.exe /c vssadmin delete shadows /all /quiet\r\nIf the OS version was Windows Vista or above, it would prepare the hard-coded text in the code:\r\n\\wbem\\wmic.exe shadowcopy delete\r\nFinally, the malware deleted itself without warning the user or awaiting user interaction.\r\nChanges in GandCrab Version 5\r\nVersion 5 of GandCrab included a lot of changes to make analysis more complex. The authors also fixed a lot of\r\ncode in the last version, ‘5.2’, to avoid problems and vaccines, but that did not stop us from creating working\r\nvaccines for all versions.\r\nOne important change in the 5.x version was the inclusion of exploits to elevate privileges. The exploits were\r\nCVE-2018-8440 [11] by SandboxEscaper [12], and CVE-2018-8120 [13, 14].\r\nThe first version of GandCrab v5 was faulty because it used one exploit directly with IAT calls that do not exist in\r\nWindows XP. This prevented it from working on that OS, but the issue was quickly fixed in the next version.\r\nBoth exploits were used in Windows 7 and newer OS versions to try to get SYSTEM privileges. With\r\nCVE-2018-8120 [15], it tried to steal the system token of the SYSTEM idle process. 
In the other exploit, the malware tried to\r\nload a special DLL that had crypted code inside, one for 32-bit and another for 64-bit systems.\r\nThese exploits could be blocked if a mutex with a hard-coded name already existed on the machine about to be\r\ninfected (see Figure 7).\r\nFigure 7: Check of the mutex – if it already exists, the exploits are blocked.\r\nSome changes in the v5.2 family included:\r\nInstead of using a hard-coded extension after encryption, it created a name with 5 to 10 random characters.\r\nThe use of two exploits.\r\nChanging the desktop wallpaper on the infected system to a bitmap generated in runtime with the name of\r\nthe active user and the extension used for the encrypted files. This wallpaper was created in a faulty way if\r\nthe vaccine (explained later) was used – in that case the extension did not appear.\r\nThe wallpaper was saved on the hard disk in the %TEMP% folder with the hard-coded name ‘pidor.bmp’\r\n(a very rude word in the Russian language).\r\nThe username was checked against ‘SYSTEM’. If the user was ‘SYSTEM’, the malware put the name\r\n‘USER’ in the wallpaper. This check was made to avoid changing the wallpaper on an account where\r\nGandCrab had achieved system privileges, presumably because that would have alerted the user to what\r\nhad happened.\r\nThe last version of GandCrab also removed a lot of useless code that had been inserted to try to obfuscate some\r\nmacros and static disassembling.\r\nBesides all the layers that GandCrab put in the last version (5.2), an unofficial version ‘5.3’ was uploaded to\r\nVirusTotal with a different ransom note and another RSA public key. 
We do not know for sure why this happened.\r\nBuilding a vaccine\r\nDuring its development history, GandCrab showed clear differences in programming styles and mistakes made,\r\nwhich supports our hypothesis that multiple programmers worked on the code.\r\nOne of our goals with this ransomware threat was to create a vaccine that could work against it and protect our\r\ncustomers’ systems.\r\nOur approach was to reverse the inner workings of the GandCrab family in order to discover failures in the design\r\nof the malware so that we could create effective vaccines.\r\nIn total, six vaccines were crafted. The first was the most interesting because it was clear that a flaw existed in the\r\nlogic of the malware. The GandCrab crew did not fix this until version 5.\r\nThe vaccine was based on the data stored in the registry [16, 17]. The information, without Base64, was the same as\r\nthat which appeared in the ransom note in the key part (but in the ransom note it was encoded in Base64 to print\r\nall characters). One registry subkey was stored in HKLM or HKCU, based on the privileges of the user that ran\r\nthe malware. It used the public RSA key generated in runtime to protect the private RSA key of the victim.\r\nThe flaw in the design was that it didn’t use these registry values in later versions, even in the official decryptor.\r\nThe malware checked for the existence of this subkey and values. If it found the public RSA key called ‘public’ it\r\ndid not check the content to see if it was correct. If the value in the subkey was empty, or contained some random\r\ncontent, the malware believed that the victim machine was already infected and skipped all processes to encrypt\r\nfiles. In this case the malware launched the network thread anyway, if the victim had Internet connectivity, but the\r\ncritical and most dangerous part was never launched. 
For the wallpaper change, a bitmap file was created in\r\nruntime and stored with the hard-coded name ‘pidor.bmp’ in the %TEMP% folder of the infected system. Another\r\nvaccine that we made cleaned this file and removed the wallpaper, exchanging it for a clean wallpaper [18].\r\nThis vaccine worked for at least six months after its release to the public. It took until early this year, and the\r\nrelease of version 5 of GandCrab, for this part of the code to be cleaned and the vaccine thus rendered useless.\r\nAnother vaccine [19] came about from a clear design flaw, and an indication that the GandCrab crew did not care\r\nabout the coding: in version 5 a hidden window was created with a hard-coded class name. When it was reversed\r\nand analysed, it only took us five minutes to make a new vaccine in a program that searched the full system, on a\r\nperiodic basis, for the window with this class name (see Figure 8).\r\nFigure 8: Searching for GandCrab window.\r\nThis was because the chosen class name was not present in Windows, thus action could be taken against it without\r\nany risk of harm to the operating system.\r\nWhen the program detected the window, it would get the PID of the process linked to that window and, with the\r\nPID, it was able to close and terminate it. 
This meant that, with this vaccine, it was impossible for GandCrab to\r\nrun – when it created and ‘showed’ the window, the vaccine would discover it and terminate it.\r\nThis vaccine was fixed more quickly than others, in the cleaning up of code that GandCrab undertook, making the\r\nvaccine useless.\r\nOther vaccines [20] included a search for a mutex name and creation of it in the system before infection even\r\noccurred; the flaw here was that the mutex name was always the same, regardless of what machine was affected.\r\nEven if it had been variable, it was very easy to mimic the same behaviour and create a successful vaccine (the last\r\nvaccine that worked with version 5.2 protected the system in this way). The GandCrab gang knew this, and\r\nsometimes changed the mutex name, but the vaccine was able to create the last two mutex names, meaning the last\r\nand previous versions were covered.\r\nPrior to this vaccine, the GandCrab crew made another mistake that allowed us to create a new vaccine in a matter\r\nof minutes. They made a global atom in the machine, so our vaccine only needed to make the atom beforehand to\r\nprotect the system. That was fixed when the mistake was discovered.\r\nFigure 9 gives an overview of the timeline of the different GandCrab versions, our vaccines and the public\r\ndecryptors.\r\nFigure 9: Version and vaccine timeline.\r\nFor malware to be successful, it needs to be effective, but it does not have to be flawless. As we have discussed,\r\nthe various versions of GandCrab were full of little mistakes and errors that allowed us to build several different\r\nvaccines.\r\nThus, an important part of GandCrab’s success was its service model and marketing.\r\nGandCrab is a prime example of a Ransomware-as-a-Service threat.
RaaS follows a structure where the\r\ndevelopers offer their product to individuals, affiliates or partners, who are responsible for spreading the\r\nransomware and generating infections. The developers take a percentage of the earned income and the rest goes to\r\nthe affiliates.\r\nFigure 10: High-level overview of the GandCrab RaaS model.\r\nOperating a RaaS model can be lucrative for both parties involved:\r\nDeveloper’s perspective\r\nThe malware author(s) request a percentage per payment for use of their ransomware product. This way the\r\ndevelopers have less risk than the affiliates spreading the malware. The developers can set certain targets\r\nfor their affiliates regarding the number of infections they need to produce. In a way, this is very similar to\r\na modern sales organization in the corporate world.\r\nSubsequently, a RaaS model offers malware authors a safe haven when they operate from a country that\r\ndoes not regard developing malware as a crime. If their own nation’s citizens are not victimized, the\r\ndevelopers will not be prosecuted.\r\nAffiliate’s perspective\r\nAs an affiliate you do not have to write the ransomware code yourself; less technical skill is involved. RaaS\r\nmakes ransomware more accessible to a greater number of users. An affiliate just needs to be accepted in\r\nthe criminal network and reach the targets set by the developers.
As a service model it also offers a level of\r\ndecentralization, where each party sticks to their own area of expertise.\r\nIf proper administration of infections per affiliate is kept, a RaaS business model (developer/affiliates\r\npercentages) ensures that everyone gets a piece of the proverbial ‘pie’.\r\nPartnerships to ensure growth\r\nDuring its lifetime we observed several essential partnerships being established between the GandCrab\r\nransomware and other facilitating services. The fact that cybercriminals were working together was not a new\r\nthing.\r\nIn the cybercriminal underground there are several specialized services that can facilitate the preparation, pre-activity, activity and post-activity of financially driven cybercrime, as described by Erik van de Sandt [21].\r\nFigure 11: Overview by Van de Sandt [21], displaying the services offered on Russian-language cybercriminal\r\nforums that predominantly facilitate financially driven computer-focused crimes. Each serves a specific purpose in\r\nthe preparation, pre-activity, activity and post-activity of the commission of crime, and the protection of crime and\r\nthe criminal.\r\nOften, cybercriminals will choose to interact with several facilitating services to ensure that they have all the\r\nnecessary elements in place to commit their intended crime. However, it is less common to see facilitating services\r\nforming alliances amongst themselves to become more successful. Recently, Goznym was another good example\r\nof cybercriminal services working together to gain more revenue [22].\r\nBy choosing to work together, facilitating services expose themselves to a certain risk since they must trust their\r\nnewly formed alliance with their partner.
However, having a good reputation in the underground and an overall\r\nfeeling of impunity helps providers of those services to form partnerships.\r\nGandCrab was a perfect example of a service, in this case ransomware, that teamed up with other services such as\r\nRIG and the Fallout exploit kit. These alliances helped GandCrab’s customers spread ransomware on a larger\r\nscale, thus generating more income and traffic for both services.\r\nGandCrab even used its popularity to issue an underground tender to find a new crypter service [23]. A crypter\r\nservice provides malware obfuscation to evade detection by security products.\r\nFigure 12: Underground tender announcement for a new crypter service.\r\nEventually, NTCrypt won the tender and from then on offered a special price for customers of GandCrab.\r\nFigure 13: NTCrypt announcing that it had won GandCrab’s crypter tender.\r\nThis behaviour is very similar to legitimate companies forming strategic partnerships and undertaking mergers and\r\nacquisitions to stimulate growth, gain a competitive advantage and increase market share. Therefore, observing\r\nthe formation of alliances between facilitating services and a Ransomware-as-a-Service provider can be a sign of\r\nsignificant growth of operations.\r\nLinking the ransomware to affiliates\r\nThrough our technical analysis, we established that, starting from version 4, GandCrab included certain hard-coded values in the ransomware source code:\r\nid: the affiliate id number.\r\nsub_id: the sub id of the affiliate id – we suspect that affiliates can sub-rent infections to their own partners,\r\nidentifiable via the sub_id number.
However, more research is needed to confirm this.\r\nversion: the internal version number of the malware.\r\nVersion 4 included a significant number of changes overall and we believe that these changes were made by the\r\nauthors partly to improve administration and make GandCrab more scalable to cope with its increased popularity.\r\nA successful service model is dependent on a tight administration of earnings because every party needs to feel\r\nthat they receive what they have earned.\r\nBased on the hard-coded values it was possible for us, to a certain extent, to extract the administration information\r\nand create our own overview.\r\nWe hunted for as many different GandCrab samples as we could find using YARA rules, industry contacts and\r\ncustomer submissions. The sample list we gathered is quite extensive but not exhaustive.\r\nFrom the collected samples we extracted the hard-coded values and compilation times automatically, using a\r\ncustom-built tool. We aggregated all these values together in one giant timeline from version 4, all the way up to\r\nversion 5.2 (Figure 14).\r\nFigure 14: Small portion of the timeline of collected samples (note the first four may be timestomped).\r\nAt the time of writing we have collected 314 different samples. The collected samples were run simultaneously on\r\nthe McAfee backend to find any internal detection telemetry.\r\nOf all our collected samples we only found four that had an irregular compile time. This anomaly might indicate\r\ndeliberate timestomping [24], or it could be a defect from unpacking.
The rest of the samples had compile times\r\nthat correlated closely with the release dates mentioned on the forums and the security product detection dates.\r\nID and SUB_ID characteristics observed\r\nParent-child relationship\r\nThe extracted IDs and Sub_IDs showed a parent-child relationship, meaning that every ID could have more than\r\none SUB_ID (child), but every SUB_ID only had one ID (parent).\r\nFigure 15: The activity of ID number 41 (parent) and its corresponding SUB_IDs (children).\r\nID increments\r\nOverall, we observed a gradual increment in the ID number over time. The earlier versions generally had lower ID\r\nnumbers and higher ID numbers appeared in the later versions.\r\nHowever, there were relatively low ID numbers that appeared in many versions.\r\nThis observation aligned with our theory that the ID number corresponds with a particular affiliate. Certain\r\naffiliates remained partners for a long period of time, spreading different versions of GandCrab; this explains the\r\nID number appearing over a longer period and in different versions. This theory has also been acknowledged by\r\nseveral (anonymous) sources.\r\nFigure 16: Activity of ID number 15, from version 4.0 to version 5.04.\r\nDetermining top IDs/affiliates\r\nWhen we applied the theory that the ID corresponded with an affiliate, we observed different activity amongst the\r\naffiliates. There are some affiliates/IDs that were only linked to a single sample that we found.
In some cases that\r\nspecific sample was only found on a single source, like VirusTotal, and there were not any detections on our\r\nMcAfee backend. This could occur when a sample was not spread, for instance, to a McAfee-protected system or if\r\na single sample was, perhaps, indicative of a security researcher, undercover as an affiliate, only uploading their\r\nsample to VirusTotal. Another reason why affiliates might appear only for a short period is failure to perform. The\r\nGandCrab developers had a strict policy of expelling affiliates that underperformed. Expelling an affiliate would\r\nopen a new slot that would receive a new incremented ID number.\r\nOn the other hand, we observed several very active affiliates, of which ID number 99 was by far the most active.\r\nWe first observed ID 99 in six different samples of version 4.1.1, growing to 35 different samples in version 5.04.\r\nBased on our dataset we observed 71 unique unpacked samples linked to ID 99.\r\nBeing involved with several versions (consistency over time), in combination with the number of unique samples\r\n(volume) and the number of infections (based on industry malware detections) could effectively show which\r\naffiliate was the most aggressive and possibly the most important to the RaaS network.\r\nThis can be compared to a top sales person in any normal commercial organization. Given that the income of the\r\nRaaS network is partly dependent on the performance of its top affiliates, disrupting a top affiliate would have a\r\ncrippling effect on the income of the RaaS network, internal morale and overall RaaS performance.\r\nSUB_ID role\r\nBased on the child relationship of the SUB_ID we believe that this number might represent a build number or a\r\nmethod for the affiliate to run its own partner program for other individuals. 
Unfortunately, based on the\r\ninformation available, we are unable to determine its role with absolute certainty at this time.\r\nOverview versions and ID numbers\r\nUsing an online tool called RAWGraphs [25] we created an alluvial graphic display of the entire dataset, showing\r\nthe relationship between the versions and the ID numbers. This is shown in Figure 17 – a more detailed overview\r\ncan be supplied on request.\r\nFigure 17: Overview of versions and IDs.\r\nTop performing affiliates immediately stood out from the rest as the lines were thicker and more spread out.\r\nInformation like this can help law enforcement decide where to focus their valuable resources. From a security\r\nindustry perspective, affiliate analysis will further ensure chain of custody, since a direct link from victim, sample\r\nand responsible affiliate can be drawn.\r\nTop affiliates missing in 5.2\r\nWhen looking at the overview it does stand out that none of the top affiliates/ID numbers were present in version\r\n5.2. We are unable to explain the exact cause of the absence of these IDs, but this might have been an early\r\nindicator that the end of GandCrab was imminent.\r\nCombining the sample timeline with a timeline of forum postings\r\nOne of the other key factors that made GandCrab popular was its forum presence and marketing strategy.
Every\r\nnew version was announced in a grand fashion (see Figure 18), almost comparable to those of major software\r\ncompanies.\r\nFigure 18: Announcement of GandCrab v5.\r\nThe timely announcements of new versions on the Exploit.in forum offered a way of checking if the compile\r\ntimes and hard‑coded version numbers matched up with the announcements by the actor. Based on all the samples\r\nwe collected, only four had a different compile date; the rest of the samples found had a compile date a couple of\r\ndays before the new version announcement, or shortly after. We proceeded to add the timestamps of the\r\nannouncements to the sample timeline and colour-coded them in yellow, as shown in Figure 19.\r\nFigure 19: GandCrab forum announcement of version 5.03.\r\nIn addition to version announcements, the GandCrab Exploit.in forum thread also formed a lively discussion\r\nplatform for individuals supporting and interested in the RaaS. Several forum users posted openly about their\r\naffiliation with GandCrab and spoke highly of the profits they earned.\r\nFigure 20: Forum posting of a user stating their affiliation with GandCrab ransomware.\r\nThis type of endorsement bears similarities to the social marketing of direct sales-based products. We are\r\nuncertain as to whether the affiliates endorsing GandCrab were doing this out of free will or if it was part of an\r\ninternal marketing scheme. Overall, looking at the forum postings, one cannot help but notice that GandCrab\r\ngained a cult status amongst its followers.\r\nColour coding and affiliate research\r\nWe added all the relevant forum thread postings to the existing timeline and colour-coded the postings based on\r\ntheir content. Forum users that stated that they were an affiliate were coded blue.
Posts expressing positive\r\nsentiment towards GandCrab were colour-coded green and those expressing negative sentiment were coloured red.\r\nBy adding the forum postings, the timeline gave an accurate representation of the actors interested in GandCrab\r\nand the evolution of the actual ransomware over time.\r\nFigure 21: Timeline of version 5.03 announcement, enhanced with colour-coded forum postings.\r\nContinued analysis\r\nThe colour-coded timeline overview provided several options for deeper affiliate research:\r\nA user stating that they were affiliated with the RaaS at a moment X in time could serve as a reference\r\nmarker that the person must have joined the RaaS prior to their statement. When we compared the\r\nstatement timestamp to the ransomware ID numbers around the same time, we could estimate that the user\r\nmust have had an ID number that was no higher than the highest ID number at the time of their statement.\r\nThis offered a coarse method to link affiliates to a reduced number of ransomware samples.\r\nCreating an overview of all the interests per affiliate/username on this and other forums gave us insight into\r\na person’s interests (good or bad), which could be used for identification of the individual. Subsequently,\r\nanalysing previous user activity could provide insight into their cybercriminal skill progression.
Generally\r\nspeaking, cybercriminals make more operational security (OpSec) mistakes earlier on in their career.\r\nThe end of GandCrab\r\nOn Friday, 31 May 2019, the GandCrab crew released a statement saying that they were closing their business.\r\nThat a RaaS was closing was not unusual, but GandCrab did it in a fashion true to its nature – overt, and with a lot\r\nof bravado.\r\nFigure 22: The GandCrab crew announces the end of its operations.\r\nLooking closely at this statement, there are some interesting observations to be made:\r\n‘We successfully cashed this money and legalized it in various spheres of white business both in real life and on\r\nthe Internet.’\r\nThis means that they could have had a money laundering system in place to mix their earnings from the criminal\r\nunderworld with legitimate businesses.\r\n‘For a year of working with us, people have earned more than $ 2 billion.’\r\n‘We personally earned more than 150 million dollars per year.’\r\nWe think that this amount is largely exaggerated. Over the year, the NoMoreRansom decryptors helped a lot of\r\nvictims to get their files back and prevented millions of dollars from falling into the hands of the GandCrab crew.\r\nHowever, based on the number of infections, we do believe that the individuals would have enough money to\r\nretire. Subsequently, our observations of the top affiliates being absent in version 5.2 might indicate an internal\r\nissue as a reason to stop.\r\n‘We have proven that by doing evil deeds, retribution does not come.’\r\nThis again emphasizes the strong sense of impunity felt by the GandCrab crew and its affiliates.
This is a\r\nworrisome thought since the space that GandCrab left will probably be filled quickly by a new RaaS system.\r\nPunishment always comes after the crime, but we hope that, in this case, it will come sooner rather than later.\r\n‘Victims – if you buy, now. Then your data no one will recover. Keys will be deleted.’\r\nThis got a bit mangled through Google Translate but the original statement urged victims to pay up because the\r\nGandCrab crew were planning to delete all the decryption keys. It is kind of strange that the self-proclaimed\r\nmillionaires did not show the slightest compassion. This statement evoked a lot of reaction in the forum thread\r\nwhere other well-respected users urged publication of the remaining keys to the public.\r\nFigure 23: Forum moderator urging release of the remaining keys.\r\nEventually, the GandCrab account requested suspension and deletion of all posts on the forum. The moderators\r\ndid suspend the account but left the posts intact.\r\nFigure 24: Deactivation of the GandCrab account.\r\nConclusion\r\nWe started our research on GandCrab by carefully dissecting the malware and discovering its inner workings and\r\nsecrets. The hard-coded indicators in the malware and GandCrab crew’s forum presence led us to dig deeper into\r\nthe inner workings of the RaaS model.
By doing so we gained some valuable insights:\r\nSuccessful ransomware does not have to be the best coded ransomware, but the developers do have to be\r\nagile.\r\nIn order to grow, a RaaS model needs good accounting – to make sure that everyone gets their share.\r\nIn order to grow, a RaaS system needs strong alliances with complementary services to drive infections and\r\nprofits.\r\nThe success of a RaaS system is dependent on its affiliates; strong affiliates have a large influence.\r\nDisruption of top affiliates can have a crippling effect on the income, morale and overall success of the\r\nRaaS.\r\nA timeline analysis of a RaaS system can offer a method to single out top affiliates and spot potential\r\nevents early on.\r\nAs an industry we must realize that we cannot stop cybercrime alone; we should aim to do more than just malware\r\nanalysis, especially when it comes to fighting RaaS-type threats. Unfortunately, we live in a situation where most\r\nof the cybercriminals involved in ransomware can operate with a level of impunity; the ransomware developers\r\nare often in countries that make legal prosecution difficult and affiliates that are not caught can easily move from\r\none RaaS to another and continue their extortion operations.\r\nLaw enforcement faces a daunting task to bring the individuals responsible to justice, but our industry’s\r\nknowledge, data and tooling can help with this task. The best way to cook a Crab is together.\r\nGandCrab might have shut down its operations but its developers and affiliates have still not been arrested and\r\nwill probably continue to be active in cybercrime in one way or another.\r\nReferences\r\n[1] Montenegro, D (@CryptoInsane). Twitter status.
26 January 2018.\r\nhttps://twitter.com/CryptoInsane/status/956803455833853952.\r\n[2] Caltagirone, S.; Pendergast, A.; Betz, C. The Diamond Model of Intrusion Analysis.\r\nhttps://apps.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf.\r\n[3] MalwareHunterTeam (@malwrhunterteam). Twitter presence. https://twitter.com/malwrhunterteam.\r\n[4] MalwareHunterTeam (@malwrhunterteam). Twitter status. 5 March 2018.\r\nhttps://twitter.com/malwrhunterteam/status/970746661231263745.\r\n[5] nao_sec (@nao_sec). Twitter status. 23 April 2018. https://twitter.com/nao_sec/status/988451194573017088.\r\n[6] Jawe (@zsawei). Twitter status. 10 May 2018. https://twitter.com/zsawei/status/994454718406578176.\r\n[7] NoMoreRansom. https://www.nomoreransom.org/.\r\n[8] Orthodox New Year 2019. Calendar Date.com. https://www.calendardate.com/orthodox_new_year_2019.htm.\r\n[9] EC3 (@EC3Europol). Twitter status. 19 March 2019.\r\nhttps://twitter.com/EC3Europol/status/1107984687253868545.\r\n[10] Cimpanu, C. Vaccine Available for GandCrab Ransomware v4.1.2. Bleeping Computer. 19 July 2018.\r\nhttps://www.bleepingcomputer.com/news/security/vaccine-available-for-gandcrab-ransomware-v412/.\r\n[11] CVE-2018-8440. GitHub. https://github.com/sourceincite/CVE-2018-8440.\r\n[12] SandboxEscaper (@sandboxescaper). Twitter presence. https://twitter.com/sandboxescaper (suspended by\r\nTwitter).\r\n[13] CVE-2018-8120. GitHub. https://github.com/unamer/CVE-2018-8120.\r\n[14] Leeqwind. Win32k NULL-Pointer-Dereference Analysis by Matching the May Update.\r\nhttps://xiaodaozhi.com/exploit/156.html.\r\n[15] Threat Landscape Dashboard CVE-2018-8120. McAfee. https://www.mcafee.com/enterprise/es-es/threat-center/threat-landscape-dashboard/vulnerabilities-details.cve-2018-8120.html.\r\n[16] Valthek. AntiCrab. http://29wspy.ru/reversing/AntiCrab.zip.\r\n[17] Valthek. AntiCrab32. http://29wspy.ru/reversing/AntiCrab32.zip.\r\n[18] Valthek. 
AntiCrabWithoutPersistenceAndRemoveWallpaper32.\r\nhttp://29wspy.ru/reversing/AntiCrabWithoutPersistenceAndRemoveWallpaper32.zip.\r\n[19] Valthek. GandCrabSucksVaccine. http://29wspy.ru/reversing/GandCrabSucksVaccine.zip.\r\n[20] Valthek. GandAtom. http://29wspy.ru/reversing/GandAtom.zip.\r\n[21] van de Sandt, E. Deviant Security: The Technical Computer Security Practices of Cyber Criminals. 2019.\r\nhttps://research-information.bristol.ac.uk/files/194364696/DEVIANT_SECURITY_EHAVANDESANDT.pdf.\r\n[22] Europol. Goznym malware: cybercriminal network dismantled in international operation. 16 May 2019.\r\nhttps://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation.\r\n[23] Mundo, A.; Fokker, J.; Roccia, T. Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter\r\nService for Obfuscation. McAfee. 10 October 2018. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rapidly-evolving-ransomware-gandcrab-version-5-partners-with-crypter-service-for-obfuscation/.\r\n[24] MITRE ATT\u0026CK. Timestomp. https://attack.mitre.org/techniques/T1099/.\r\n[25] RAWGraphs. https://rawgraphs.io/.\r\nSource: https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/"
	],
	"report_names": [
		"vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438991,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a10a88e8a3ab5a32bfe64332cf2f1901cd01882c.pdf",
		"text": "https://archive.orkl.eu/a10a88e8a3ab5a32bfe64332cf2f1901cd01882c.txt",
		"img": "https://archive.orkl.eu/a10a88e8a3ab5a32bfe64332cf2f1901cd01882c.jpg"
	}
}