The GandCrab Ransomware Creators Announced Their Retirement, but Poorly Protected MySQL Servers Are Still at Risk

GandCrab Ransomware Developers Announce Their Retirement

Shortly after its first appearance in early 2018, GandCrab's popularity grew, and it quickly became the most prominent name on the Ransomware-as-a-Service (RaaS) market. GandCrab's commercial success was so massive that for the last twelve months or so, it has been by far the most widespread strain of ransomware. The crooks distributed it through spam and exploit kits, and they also used it in targeted attacks against big organizations.

The business model was simple: wannabe crooks would go to GandCrab's creators and ask for a build, and the ransomware developers would deliver the goods in exchange for a percentage of the profits. But how much did the GandCrab operators make exactly? Well, apparently, the answer is "enough".

GandCrab's operators announce their retirement

Last week, ZDNet's Catalin Cimpanu heard rumors about a potential shutting down of the GandCrab operation. He was pointed to a post on one of the hacking forums where the ransomware service was aggressively marketed. It does indeed suggest that what is currently the biggest threat of this kind is about to disappear.

Cybercriminals are not renowned for their modesty, but the amount of bragging was pretty huge even by their standards. In addition to claiming that they've made $150 million (which they've apparently legalized through various businesses) in a year, GandCrab's operators quoted earnings per week for their customers of about $2.5 million, and they proudly announced that overall, cybercriminals using their ransomware had earned more than $2 billion.

GandCrab's operators now reckon that it's time for a "well-deserved retirement". They said that the forum advertisements have already been suspended and asked their customers to wind down their operations within the next 20 days. There is some news for the victims as well.

Criminals threaten to delete all encryption keys and leave victims locked out

GandCrab's operators are not the first group of ransomware distributors to announce their retirement. In most cases, however, when crooks decide to walk away, they release the all-important decryption keys that help victims retrieve their data, which, when you think about it, is the most logical thing in the world. Once the ransomware operation is over, the crooks have absolutely no use for the keys.

The GandCrab gang, however, decided to be nasty all the way to the end and explained in their forum post that they will delete all the decryption keys, meaning that victims who are unwilling to pay the ransom might never see their data again. We'll need to wait and see whether the crooks follow through on their announcement. In the meantime, a question pops up.

Is GandCrab's demise good news?

Coming up with a definitive answer is not as easy as you might think. On the one hand, having one less ransomware strain to worry about is always good news. That being said, GandCrab's disappearance won't just leave an empty hole.

Another ransomware family is bound to take the crown as the most serious threat of this kind, and unlike some GandCrab versions that allowed security researchers to create free decryption tools, its successor might come with a more secure encryption mechanism, which would leave users with no choice but to either pay the ransom or kiss their data goodbye.

All in all, GandCrab's disappearance won't make the internet a safer place. In fact, a recent GandCrab campaign might even give cybercriminals some new ideas.

GandCrab's legacy

On May 19th, less than two weeks before the ransomware gang announced their retirement, researchers from Sophos noticed that crooks were using a somewhat unusual infection vector to spread GandCrab.

They were after Windows servers hosting MySQL databases. The attack consisted of brute-forcing the database's root password, using the resulting connection on port 3306 to upload a malicious DLL file, and running that library, which in turn downloaded and executed a GandCrab sample.

There was nothing especially new, clever, or sophisticated about the attack from a technical standpoint. That being said, choosing it was a good move for the hackers. They knew that by hitting a single server they could bring an entire organization to a halt, and they also knew that because sysadmins make mistakes when setting up their IT infrastructure, the attack was more likely to succeed.

The GandCrab operators have hopefully disappeared from the threat landscape for good, but other cybercriminals will probably see the potential in attacking MySQL servers through the method described above. This means that if you run a MySQL installation, you must make sure that it's as secure as possible. The first steps include setting a strong root password and ensuring that the networking configuration is properly set up.
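As an added example (not part of the article or of the Sophos research), the following Python audits a my.cnf fragment for the two points raised above: whether the server is reachable over TCP at all, and whether the SQL layer may write files server-side, which is what lets a library be dropped into the plugin directory once root has been guessed. The two configuration fragments are constructed for illustration, and the option names (bind-address, skip-networking, secure_file_priv) are standard MySQL server options.

```python
import configparser
import ipaddress
# Constructed my.cnf fragments (not from the article or the Sophos report):
# a typical exposed setup beside a hardened one.
WEAK_CNF = """[mysqld]
port = 3306
bind-address = 0.0.0.0
secure_file_priv =
"""
HARDENED_CNF = """[mysqld]
port = 3306
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
"""

def _opt(section, name):
    """MySQL treats '-' and '_' in option names as interchangeable."""
    for key in (name, name.replace("-", "_")):
        if key in section:
            return True, section.get(key)
    return False, None

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:  # hostname or '*': cannot be shown to be local
        return None

def audit_mysqld(cnf_text):
    """Return findings for [mysqld]: is TCP exposed, and may SQL write files
    server-side (how a library gets into the plugin dir once root is guessed)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section: the server runs on compiled-in defaults"]
    s, findings = cp["mysqld"], []
    if not _opt(s, "skip-networking")[0]:  # skip-networking disables TCP entirely
        bind = (_opt(s, "bind-address")[1] or "").strip()
        ip = _as_ip(bind)
        if not bind or ip is None or ip.is_unspecified:
            findings.append("bind-address: listens on every interface; use 127.0.0.1 or skip-networking for local-only use")
        elif not ip.is_loopback:
            findings.append("bind-address %s: port 3306 is network-reachable; restrict it with a host firewall" % bind)
    present, sfp = _opt(s, "secure_file_priv")
    if not present:
        findings.append("secure_file_priv not set: check the compiled-in default with SHOW VARIABLES")
    elif not (sfp or "").strip():
        findings.append("secure_file_priv empty: SELECT ... INTO DUMPFILE can write into the plugin directory")
    return findings
```

Running `audit_mysqld(WEAK_CNF)` reports both the wide-open listener and the unrestricted file writes, while the hardened fragment produces no findings; a strong root password still has to be enforced separately, since it cannot be read from the configuration file.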

June 3, 2019
