The Power of Fusion Tracking GandCrab

June 13, 2018 • Maggie McDaniel, Diana Granger, Alexandr Solad, and Briana Manalo

Insikt Group

Recorded Future technology collects and analyzes information from an unrivaled breadth of sources and provides invaluable real-time context, packaged for human analysis or integration with security technologies. Recorded Future’s Insikt Group is responsible for identifying insights to reduce business risk for our customers, produce actionable outcomes, and drive informed decision making. In this post, we put ourselves under the microscope and demonstrate how we use our own technology to deliver analyst-generated finished intelligence to our customers, in this case tracking and communicating the threat from GandCrab ransomware.

Recorded Future GandCrab Intel Card

Portion of GandCrab Intel Card displaying a variety of analyst notes capturing relevant analysis.

Bottomline

The incidents of disclosed cyberattacks and data breaches demonstrate that any organization can be blindsided by cyberattacks. Even when the resources are available to staff a cybersecurity function, there is always the risk of missing threats. Insikt Group’s role at Recorded Future is to provide timely, relevant, and actionable threat analysis to a broad customer base covering over 20 verticals at the speed and scale of the internet.

Insikt Group uses Recorded Future to predict emerging threats; conduct comprehensive, insightful research; and produce analysis on demand for Recorded Future customers. We began testing Recorded Future Fusion before it was available for customers, and since then, Insikt Group has used Fusion to produce real-time insights, collaborate, and disseminate analyst-originated finished intelligence to the Recorded Future community.

Since Insikt Group’s transition to Fusion, we have been able to deliver Insikt notes to our customers more efficiently, allowing us to provide analytic commentary across a larger breadth of threats. This analysis is delivered to the customer as a cohesive narrative that they can enrich and deliver to their leadership. Capturing analysis in Fusion provides not only a dynamic collaborative space, but a document of records accessible in the context of the entirety of Recorded Future data.

Recorded Future Timeline of GandCrab Mentions

Timeline demonstrating the ability to create an analytic narrative for an emerging threat in the context of other Recorded Future data using GandCrab as an example.

First Indicators Form the Threat Lead

The first reference to GandCrab malware was posted on January 26, 2018 by Twitter user “@anyrun_app.” After further investigation, Insikt Group analysts discovered that a Russian cybercriminal forum member, GandCrab, introduced a new ransomware as a service (RaaS) that was receiving interest among forum members but could not be used in the Commonwealth of Independent States. On January 28, 2018, we posted this analysis to the Recorded Future community.

GandCrab Post on Russian Cybercriminal Forum

Reference to the original GandCrab post on Russian cybercriminal forum.

Because of the prominence ransomware held in the previous year’s threat landscape, and the feedback GandCrab has received for his RaaS, we assessed that GandCrab could become a significant threat and continued to monitor the threat actor’s activity via Recorded Future and the dark web forums he frequented.

Two weeks later, after tracking GandCrab, we saw him post to the same Russian cybercriminal forum, saying that payment for the GandCrab RaaS was switching from Bitcoin to Dash cryptocurrency. On February 11, 2018, we included the following update:

GandCrab Threat Leads

The second of three threat leads on GandCrab.

In late February, various reports were released regarding the ransomware’s functionality, TTPs, and indicators that allowed us to offer mitigation and remediation strategies.

The Threat Evolves

Not long after European authorities obtained access to GandCrab’s command and control servers and retrieved encryption keys allowing them to create a decryption tool, GandCrab rolled out version 2.0 of his RaaS in a statement posted to the Russian cybercriminal forum on March 7, 2018. The upgrades included a new admin panel, increased encryption of files, and instant payment.

GandCrab2 Noted in Threat Lead Note

GandCrab2 is first noted in a Threat Lead note.

Taking an In-Depth Look

On April 16, 2018, Insikt Group analyst Alexandr Solad published in-depth research to our customer base on GandCrab, which included its prevalence and evolution in the ransomware-as-a-service (RaaS) landscape, characteristics and indicators of its developer, and the ransomware’s TTPs, functionality, and targets. It now serves as the foundational analysis on this threat.

GandCrab Analysis in Insikt Customer Blog

Comprehensive GandCrab analysis as it showed on the Insikt customer blog.

GandCrab Analysis in Recorded Future Fusion

The same analysis viewed in Recorded Future Fusion.

The Fusion Finished Intelligence Advantage

Moving to Fusion allowed our analysts to share and create analysis directly in the Recorded Future product. Analysts use the sharing functions to coordinate on analysis, allow teammates to lend their expertise on research topics, link source material, and add related entities. Being able to review notes and directly produce them in Recorded Future saves the team half the time of the previous workflow, and as a result, our production of Insikt notes for our customers has more than doubled.

These production efficiencies allow Insikt Group to delivery a broader scope of analytic content. The live assessments we can craft around a threat actor, malware, tool, vulnerability, or breach are delivered to the customer as an ongoing analytic narrative, and internally serves as our document of record as these threats evolve over time.

To learn more about Recorded Future Fusion, request a personalized demo.