Different ways to cook a Crab...

Presented at VB2019, Oct. 4, 2019, 2:30 p.m. (30 minutes)

During this session we will explain how we are combating the number one ransomware-as-a-service, GandCrab. We'll discuss what we have learned from looking at the malware: from finding specific mistakes and indicators to exploiting those mistakes to build a publicly available vaccine. We also focused our efforts on linking the ransomware and its affiliates to victims, something that is often overlooked by the industry and law enforcement. To learn more about the actor behind GandCrab and its affiliates we carried out extensive underground forum research. We did all of this to complete the chain of custody, from victim to perpetrator. By looking at hundreds of GandCrab samples at once we began to discover interesting patterns. During our session we will cover the following topics:

* Reverse engineering the code
* The mistake we found, which helped build our vaccines
* How we extracted and aggregated affiliates from the samples
* Finding affiliates on underground forums
* Throwing all this together in a comprehensive timeline, and tools to help law enforcement
* We'll round off with some interactions between us and the actors.

Presenters:

  • Alexandre Mundo - McAfee
    Alexandre Mundo, Senior Malware Analyst, is part of McAfee's Advanced Threat Research team. He reverses new threats in advanced attacks and researches them on a daily basis. He is focused on APTs and on new, and old but very active, ransomware attacks and malware. He performs malware and forensic analysis, teaches junior malware analysts and has developed training courses, workshops and presentations on malware analysis.
  • John Fokker - McAfee
    John Fokker is Head of Cyber Investigations for McAfee's Advanced Threat Research team. Prior to joining McAfee, he worked at the National High Tech Crime Unit (NHTCU), the Dutch national police unit dedicated to investigating advanced forms of cybercrime. Within NHTCU he led the data science group, which focused on threat intelligence research. During his career he has supervised numerous large-scale cybercrime investigations and takedowns. Fokker is also one of the co-founders of the NoMoreRansom Project. He started his career with the Netherlands Police Agency as a digital forensics investigator within a task force against organized crime. Before joining the national police, he served in the special operations and counterterrorism group of the Royal Netherlands Marine Corps. @john_fokker