Pinchy Spider, the cybercrime group behind malware GandCrab, has adopted a new approach to infecting victims. It is no longer using mob tactics to find and infect its victims. Instead, the latest approach is more reminiscent of a military surgical strike or, as cyber security vendor CrowdStrike calls it, Big Game Hunting.
The approach makes sense. The more copies of a malware that are in existence, the quicker security vendors can identify it. This allows them to provide customers with detection capabilities to block the malware. In the case of GandCrab and other ransomware, it also means that those teams developing decryption tools have more source material to work with.
Last month, Bitdefender labs released a decryption tool for GandCrab v5.1. It came a day after GandCrab v5.2 was been seen in the wild. This overlap between decryption tools and new versions is nothing new. But what has got everyone’s attention is the change of direction that Pinchy Spider and those who spread GandCrab have taken.
More skilled affiliates get more money
Like a number of other malware developers, Pinchy Spider uses an affiliate programme to spread its product. This is a sensible approach as it helps the Pinchy Spider focus on the malware while the distributors are responsible for infections. It also acts as a wall between Pinchy Spider and those tracking and remediating attacks.
The affiliate program is kept to a manageable size. CrowdStrike reports that the affiliates are well rewarded saying: “The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.”
It is that level of sophisticated customer that is on the increase. CrowdStrike reports that Pinchy Spider is: “advertising for individuals with remote desktop protocol (RDP) and VNC (Virtual Network Computing) skills, and spammers who have experience in corporate networking.”
According to Marie Clutterbuck, CMO of data recovery specialist Tectrade: “The GandCrab ‘gang’ is particularly dangerous as the monetisation technique is different from other attacks like Wannacry and Ryuk. Rather than other groups which demand one lump sum payment as ransomware, GandCrab attacks demand payments on a per-PC basis. In a network of hundreds, if not thousands, of systems, an attack could potentially cost millions.
“According to a recent report, overall infection numbers have declined by 26 percent, but they have increased by 9 percent in business. Hackers know that businesses house data that is much more valuable and will likely have the funds to pay the ransom. With this in mind it is vital that organisations employ zero day recovery approach that, in the event of a ransomware attack, can ensure that they can get their systems back online without having to pay any fee – and fast.“
CrowdStrike seeing well crafted GandCrab attacks
This combination of better affiliate skills and network knowledge is what concerns CrowdStrike. It the threat actor can move laterally through a victims network, they can choose to only infect high value targets. This could be the Chief Accountants computer or the server holding financial or key business data.
Infecting those key machines increases the chance of a pay-out. In fact, evidence from other security companies and surveys, shows that companies are increasingly willing to pay a ransom to get key data back.
Evidence of this new approach was seen by CrowdStrike Intel in mid-February. It watched an attack, the attacker:
- Fails to infect the victim on the first visit
- Returns later to carry out further reconnaissance of the victims network
- Returns the following day and manually removes the security software that was blocking the GandCrab infection
- Uses RDP and stolen credentials to access and then infect other machines in the network with GandCrab
This is not just about the persistence of the threat actor. The CrowdStrike Intel team points out that they were using system administration tools to move laterally through the target network. This is not an isolated case. CrowdStrike reports that a separate attack saw an enterprise domain controller compromised which led to multiple infections. In this case the threat actor used the victims IT systems management software to progress the attack.
Precision strikes require better skills
Sophisticated threat actors know that changing their approaches can increase success rates. This makes it harder for defenders to put in place simple rules to detect attacks. But changing approaches is not always simple. Anyone can change and improve their spam and phishing campaigns. However, creating highly targeted spear phishing takes time, data and planning.
In the case of GandCrab, the affiliates are having to develop new attacks against target networks. It is not enough to ‘chuck it at the wall and see what sticks’. They need to spend time doing more reconnaissance of the target. That comes with its own risks and challenges of being detected. A good threat actor will have to deploy multiple techniques and tools to avoid giving themselves away.
That recon is just the first step. Once a foothold has been established in a network they will need to work out how to maintain it. That means obfuscation of the attack and the breach. As scanning and security tools improve, this gets harder. At the same time, the threat actor needs to continue to do recon, this time inside the target network. Adopting the same tools that the victims own IT team use makes sense. But that takes time and knowledge.
If the threat actor succeeds, they have access to the very high value machines and data sets inside the victims network. This gives them a far higher chance of a pay-out and, judging by what we are seeing, those pay-outs are getting easier to obtain.
Pinchy Spider is actively recruiting those threat actors with these skills. It is increasing the share of the spoils that they get to incentivise them to learn new skills. It also compensates them for the time taken to carry out these attacks.
Enterprise Times: What does this mean
Less than a year ago, many cyber security vendors were saying that ransomware had run its course. They were, as is often the case, mistaken. The attackers just shifted their focus and improved their attacks.
As the attackers increase their skills and obfuscate their attacks the success rate goes up. What is surprising is that despite ransomware being a major talking point for over three years, companies are still caught out by it.
This latest evolution of attacks by those distributing GandCrab is a much more serious concern. The usual defensive approach is to improve endpoint protection and the frequency of effective backups. Effective, of course, means that they are also testing to make sure that data can be restored.
The two questions that organisations now need to ask themselves:
- Can you defend against these sophisticated attackers?
- Do you have the right backups that means you don’t have to pay out a ransom?
If not, you need to change your approach now.