Huawei Weiran Labs Alert - GandCrab V5.2 Ransomware Strikes: Respond in Time and Establish a Persistent Defense Mechanism
1. "Syrian Key" incident overview

GandCrab V5.2, also known as "Grand Theft Virus" (a name that originated in the "Syrian Key" incident of 2018), is the latest variant of the GandCrab ransomware. A Syrian father named Jameel posted a message on Twitter saying that his computer data had been encrypted by GandCrab. Because he could not pay the ransom, he could no longer see the photos of his younger son, who had lost his life in the war. The picture below is a screenshot of Jameel's message for help. After seeing the message, the GandCrab authors immediately issued an apology stating that they had no intention of infecting Syrian users and released the decryption keys for some infected Syrian users; this is why GandCrab is also called "Grand Theft Virus".

2. Ransomware analysis

GandCrab V5.2 is delivered to user hosts mainly through spam email. Once executed, it encrypts user data, making critical data or programs inaccessible and paralyzing business systems. According to various news reports, GandCrab V5.2 currently targets governments, businesses and universities. Despite the name "Grand Theft Virus", GandCrab V5.2 shows no sympathy for its other victims and extorts money from them, as shown in the figure below.

After user data is encrypted, a random suffix of 9 lowercase letters, as shown in the figure below, is appended to each file. Currently there is no effective way to restore the data, so we remind users to focus on prevention.

3. Huawei Weiran Labs recommendations

3.1. Emergency response recommendations for attacked users

3.1.1. Host side

1. Do not open email attachments or links from unknown sources, in particular attachments with suffixes such as .js, .vbs, .exe, .scr and .bat.
2. Isolate the compromised devices by unplugging the network cable or modifying the network connection settings, so that the ransomware cannot spread further.
3. Preserve the compromised system as-is and have professional technicians perform forensics on it to determine the ransomware's attack path.
4. Shut down, or set access policies for, the common high-risk ports (such as 135, 139, 445 and 3389) on the other, uninfected devices in the LAN.
5. If other devices on the intranet share the same password, change it and ensure that the new password is sufficiently complex.
6. The decryption tools available at https://www.nomoreransom.org/, jointly developed by many antivirus vendors, can decrypt files encrypted by some ransomware families; you can try them to restore data.

3.1.2. Network side

1. Block access to the common high-risk ports, such as 135, 139, 445 and 3389.
2. Set the network access control policy to allow only trusted network segments to access the user intranet.
3. Pay attention to network device security logs, such as vulnerability alarms and brute-force attack alerts, to help locate the attack path and the attack techniques used.

3.2. Persistent defense against GandCrab V5.2

3.2.1. Host side

1. Do not open email attachments or links from unknown sources, in particular attachments with suffixes such as .js, .vbs, .exe, .scr and .bat.
2. Establish a data backup strategy appropriate to the importance of the data and back up the data periodically. For cloud servers, be sure to take snapshots so that the data can be recovered and the business can keep running.
3. Use a complex password of at least 10 characters that contains uppercase and lowercase letters, digits and special symbols. Do not use purely numeric values such as telephone numbers or employee IDs as passwords; this increases the difficulty of brute-force attacks.
4. Set an account lockout policy that disables login or locks the user account for a period of time after 5 incorrect password entries, which further increases the difficulty of brute-force attacks.
5. Update system software such as Windows and browsers in a timely manner to prevent ransomware from attacking through vulnerabilities.
6. Install anti-virus software and keep its virus database up to date to improve the defense against known viruses.
7. According to business needs, shut down, or set access policies for, the common high-risk ports (such as 135, 139, 445 and 3389).
8. Turn on the host firewall and configure its policy to allow only trusted IPs to access specific services.

3.2.2. Network side

1. At the network boundary, set a strict network access control policy: expose only the necessary services to the outside, and allow only trusted IPs to access them.
2. Segment the internal network and set strict access control policies between the different functional networks, paying particular attention to the high-risk ports 135, 139, 445, 3389, etc., to reduce the possibility of lateral spread of ransomware.
3. If a firewall is deployed, enable and configure its intrusion detection function to block brute-force attacks and make them harder to carry out.
4. If an email security appliance or a file detection appliance is deployed, pay attention to suspicious emails and their attachments to prevent ransomware from spreading through email.
5. Pay attention to the logs of security appliances (such as firewalls) to detect suspicious attacks and prevent them in advance.
6. Establish a blacklist and whitelist mechanism for the intranet to prevent browsers from being redirected to malicious web pages.

3.2.3. Solution

Given the propagation methods described above, mitigating ransomware attacks relies on comprehensive visibility into, detection of, and analysis of ransomware propagation paths. In addition, a good data backup strategy reduces the damage caused by a ransomware attack.
We recommend deploying the Huawei SDSec security solution. Its main components are:
1. Deploy Huawei's next-generation firewall or intrusion detection system to block the reconnaissance and intrusion behaviors that precede ransomware delivery, such as brute-force attempts and exploits.
2. Deploy the CIS Big Data Intelligent Analysis Platform for security situational awareness. Using the traffic information and detection results received from the trapping switches, firewalls and sandbox, CIS can push policies across the network to block the spread of ransomware.
3. Deploy switches and firewalls that support the trapping feature to lure ransomware into an emulated service, capture its intrusion behavior and report the detection result to the CIS Big Data Intelligent Analysis Platform, thereby reducing the probability that real systems are attacked and minimizing losses.
4. Deploy a sandbox for file detection. The firewall reconstructs files from traffic and sends those that need inspection to the sandbox; the sandbox's detection result can be sent to the CIS Big Data Intelligent Analysis Platform. The following figure shows the detection result of the Huawei FireHunter6000 series sandbox appliance on GandCrab V5.2.
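Section 2 notes that GandCrab V5.2 appends a random suffix of nine lowercase letters to each encrypted file. The following script is an added example, not Huawei's code, that applies that marker to a file listing and rolls the hits up per directory so a responder can see which hosts or shares to isolate first (section 3.1.1); the listing, the user name and the nine-letter suffixes in it are constructed for the example.

```python
"""Added example, not Huawei code: triage a file listing for the GandCrab V5.2
marker the advisory describes, a random nine-lowercase-letter suffix."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Exactly nine lowercase ASCII letters after the final dot, as the advisory states.
GANDCRAB_SUFFIX = re.compile(r"^\.[a-z]{9}$")


def is_gandcrab_suffix(path: str) -> bool:
    """True when the final extension is exactly nine lowercase letters.

    Dot-files such as '.gitignore' have an empty suffix in pathlib's view, so
    they are not flagged; suffixes containing digits or uppercase letters fail
    the pattern as well.
    """
    return GANDCRAB_SUFFIX.match(PureWindowsPath(path).suffix) is not None


def triage(paths):
    """Return (flagged_paths, per_directory_counts) for a listing of file paths.

    The per-directory roll-up shows which user profiles or shares were touched,
    which is what a responder needs when deciding what to isolate first.
    """
    flagged = [p for p in paths if is_gandcrab_suffix(p)]
    per_dir = Counter(str(PureWindowsPath(p).parent) for p in flagged)
    return flagged, per_dir


# Constructed listing; the nine-letter suffixes are invented, not real indicators.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\son.jpg.kfjdhsiwe",
    r"C:\Users\alice\Pictures\family.png.kfjdhsiwe",
    r"C:\Users\alice\Documents\report.docx.kfjdhsiwe",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\.gitignore",
    r"C:\Users\alice\Downloads\setup.exe",
    r"\\fileserver\share\budget.xlsx.abcdefgh1",  # contains a digit: not flagged
]

if __name__ == "__main__":
    hits, by_dir = triage(SAMPLE_LISTING)
    for hit in hits:
        print("possible GandCrab V5.2 artifact:", hit)
    for directory, count in by_dir.most_common():
        print(f"{count:3d} in {directory}")
```

On a live host the listing would come from a recursive directory walk; the heuristic is a triage aid and a hit still needs confirmation from the ransom note or sandbox verdict.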
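Sections 3.1.2 and 3.2.2 tell defenders to watch firewall logs for brute-force activity against the high-risk ports 135, 139, 445 and 3389 and to allow those ports only from trusted segments. The script below is an added example, not Huawei's code, that runs both checks over firewall log lines; the log format, the trusted segment 10.0.5.0/24 and the sample addresses are all invented for the example.

```python
"""Added example, not Huawei code: flag repeated attempts on the high-risk ports
135/139/445/3389 and allowed access to them from untrusted sources (invented log format)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

HIGH_RISK_PORTS = {135, 139, 445, 3389}
TRUSTED_SEGMENTS = [ip_network("10.0.5.0/24")]  # assumed admin segment, adjust to your allow-list
LINE = re.compile(r"^(?P<ts>\S+) fw action=(?P<action>allow|deny) "
                  r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse(line):
    """Parse one log line into a dict; None when the line does not match the format."""
    m = LINE.match(line)
    return m and {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"]),
                  "dport": int(m["dport"])}


def analyse(lines, threshold=5, window_s=60):
    """Return (scanners, violations): sources with >= threshold denied high-risk-port
    attempts within window_s seconds, and allowed high-risk flows from untrusted sources."""
    denies, violations = defaultdict(list), []
    for ev in filter(None, map(parse, lines)):
        if ev["dport"] not in HIGH_RISK_PORTS:
            continue
        if ev["action"] == "deny":
            denies[ev["src"]].append(ev["ts"])
        elif not any(ip_address(ev["src"]) in net for net in TRUSTED_SEGMENTS):
            violations.append((ev["src"], ev["dst"], ev["dport"]))
    scanners = []
    for src, ts in denies.items():
        ts.sort()  # sliding window over the sorted timestamps
        if any((ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - threshold + 1)):
            scanners.append(src)
    return scanners, violations


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    "2019-05-06T20:10:00 fw action=deny src=203.0.113.7 dst=10.0.1.20 dport=3389",
    "2019-05-06T20:10:05 fw action=deny src=203.0.113.7 dst=10.0.1.21 dport=3389",
    "2019-05-06T20:10:10 fw action=deny src=203.0.113.7 dst=10.0.1.22 dport=445",
    "2019-05-06T20:10:15 fw action=deny src=203.0.113.7 dst=10.0.1.23 dport=445",
    "2019-05-06T20:10:20 fw action=deny src=203.0.113.7 dst=10.0.1.24 dport=139",
    "2019-05-06T20:11:00 fw action=allow src=10.0.5.9 dst=10.0.1.20 dport=3389",
    "2019-05-06T20:11:30 fw action=allow src=198.51.100.4 dst=10.0.1.30 dport=445",
    "2019-05-06T20:12:00 fw action=allow src=198.51.100.4 dst=10.0.1.40 dport=443",
    "garbled line that the parser should skip",
]
```

A scanner hit is a candidate for a boundary block; a violation means the access control policy of section 3.2.2 is not actually enforced for that port and should be fixed before the ransomware reaches it.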
t****@huawei.com 2019-05-06 20:17:08 Thumbs up, the content is very comprehensive!