Blue Hexagon Blog

Why Time To Verdict Matters: A Look At Gandcrab Ransomware-as-a-service

CDC asks law enforcement to step in after fake impersonation campaign spotted in the wild spreading ransomware.

Gandcrab has evolved into a Ransomware-as-a-service platform and several campaigns not related to the original threat actors have started using it. Many campaigns begin with emails related to current events such as Valentine’s day and lure users into opening malicious attachments or links which then download the ransomware payload.

From late February onwards until last week, Blue Hexagon Labs observed a new wave of attacks using the latest version of the Gandcrab ransomware; this time impersonating the CDC and providing information about a flu pandemic.  

The latest campaign begins with an email impersonating the CDC and asking the user to open a directions document as shown below.

The document looks innocuous but entices the user to click for more details related to the urgent flu pandemic.

This click unleashes obfuscated scripts that then use powershell to download an executable hosted on an attacker-controlled domain. That executable delivers the main Gandcrab ransomware to the victim.

Gandcrab is a sophisticated threat that keeps evolving especially as security providers have made decryptors available. Reports indicate that the threat actors could be earning 100s of millions of dollars and now have a revenue sharing model (e.g 30% of the ransom note) with other groups that use it as a service. The ransom notes are dynamically priced based on the characteristics of infected systems. Not only is the ransomware provided as a service; but for an additional fee, botnets are also provided to distribute email campaigns to begin the attack.

In such RaaS models, attacks are constantly mutating, since a large number of groups are taking the base service and customizing attacks with mutated documents, binaries and C&C servers and protocols. Current network threat solutions are unable to keep up with these increasing numbers of signatures that are constantly evolving. In the latest CDC attack, the document, C&C infrastructure and ransomware payload were all new and easily evaded perimeter defenses when first introduced with detection rates ranging from 10-15%. After 3 days, detection rates had reached 50% but by then, the attackers had moved on to another set of payloads and C&C infrastructure. The table below summarizes the 3 components of this attack, the timeline of detection and the time to verdict for Blue Hexagon.

The timeline of the attack shows that the email and attached malicious document was initially delivered at around 12:00 hrs on the day of the attack. Since victims don’t read and click emails right away it took time until 14:13 hrs for the malicious C&C and ransomware payload to be seen in the wild. All these components of the attack had between 10-15% detections rates initially when it mattered. Even after several hours, the two payloads were not highly detectable. Majority detection consensus (>50%) was seen only 72 hours after the attack! By this time, the server hosting the ransomware had already been taken down a full 7 hours and 46 minutes after the initial C&C was observed and 10 hrs after the first set of emails were sent out. The window of time the threat had to wreak havoc was large.

This is why time to verdict matters. Detecting after hours have passed doesn’t help as a detection at all, because by that time, attackers have moved on to the next mutation. Blue Hexagon’s proprietary HexNet deep learning models detected all three components of this threat without having seen them before. More importantly, these verdicts were given instantaneously in less than a second when it really mattered.

Given enough time, everyone can reach consensus and flag a new threat. In this case it took 72 hours. However, in the first 10 hours after the attack started, the infections were already happening because no perimeters had added signatures to defend against this attack. By the time the majority consensus on detection happened, the C&C server was already down and the attackers had moved on to the next mutation which would again evade defenses.

This cycle of mutation→ evasion→ eventual detection→ next mutation is the reason why breaches occur despite the number of tools deployed for cyber defense. If all the tools focus on detection with big data, correlation and advanced algorithms but ignore the time to verdict, cyber risk is not reduced since defenses are always late to the game.

At Blue Hexagon, we believe that time to verdict is the security metric that defines the security posture of an organization. The longer this metric is, the more investment needed in hunting for threats after they have got in with E-W and SIEMs. Shortening the time to verdict can assist overburdened SOC teams to focus on high value threats and reduce the risk of lateral movement and data breach.

Shortening the time to verdict while simultaneously making an accurate verdict (low FPs/FNs) is a challenging technical problem. Our experience is that real time deep learning is the only technology that can attempt to optimize these two metrics together.