Every week, the AT&T Chief Security Office produces a set of videos with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them, and you can subscribe to the Youtube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Joe Harten, Director Technology Security, AT&T, Jim Clausing, Principal Member of Technical Staff, AT&T and Stan Nurilov, Lead Member of Technical Staff, AT&T.
Here’s the transcript of the ThreatTraq episode.
Joe: It looks like even ransomware authors can go into early retirement.
Jim: So, Joe, I understand you have a story about it - some more and more authors that are retiring.
Joe: Yes, exactly. I picked this up from Threatpost. Kind of an interesting angle we don’t talk about much. But on the dark web, some researchers picked up on the authors of the GandCrab ransomware issuing a statement that they're retiring, that they're shutting down their infrastructure and they're not going to do any more decryptions and that the GandCrab ransomware is no longer operating. As of June 1st, they shut it down after a little over a year. It had started in January of 2018. So GandCrab is a pretty prominent ransomware. It does standard ransomware - with encrypted files getting a .GDCB file extension. So that's where GandCrab comes from. Available in a host of vectors, including spam, fake software downloads, exploit kits and social engineering targeted ransomware.
The dark web post basically said the authors claim to have made $2 billion, which they equate to approximately $2.5 million per week. So between the ransomware as a service and the fees paid directly to the ransomware operators, 2 billion in about 18 months. From this point forward, they issued a warning. No further decryptions. If you purchase the ransomware now, meaning you operate it, you're not going to get files back for any future victims.
This is kind of the other end of the spectrum. This is the malicious actors' view of their posts to the dark web saying, "You know, we're done. We've washed all our money, we've made a huge bounty and we're getting out of the business."
I just thought it was interesting. You know, we are always looking at from how to protect yourself from ransomware. But it’s interesting to have a glimpse into what it's like to be somebody who is cashing the checks for these things. So I don't know, what do you think Stan or Jim?
Jim: I'm hopeful that law enforcement will catch these guys and bring them to justice.
Joe: Yeah, I agree. I mean with this level of, kind of, braggadocios mentality, posting on the dark web - you hope there's some investigator who's in there somewhere, you know, purporting to be one of their buddies could actually be in law enforcement and maybe they'll come to justice. But that's not the way the story is told right now.
Stan: It almost reminded me of another malware author who rolled Mirai, who did something similar. The creator of the Mirai source code I believe just put it out there and made this big statement of some sort and said, "You'll never catch me," or something like that. And then a few months later, he was caught by, I believe the FBI, or for certain, law enforcement. So I wonder if it's just something where they feel the heat is on and they're just trying to put this false statement out.
Joe: Yeah, I mean I did read that there have been a bunch of decrypters released lately. So their leverage is declining, the subscriptions for the ransomware are decreasing as well. So it also feels like they're getting out before the...
Stan: The market collapses.
Joe: Exactly. Before everybody realizes that their stuff's not valuable anymore. So, it could be a little bit of both.
Jim: The other concern, yeah, there have been some of these decrypters coming out lately. But anybody who gets infected with this now that the backend infrastructure's shut down may be in extra trouble. The websites that were spreading it, all of the exploit kits that were spreading it may or may not have been taken down. So it's back to what we always talk about. The best defense against ransomware is good backups so that you can recover your stuff in case the bad guys choose not to give you a key, even if you do pay. But now in this case where it might not be possible to pay...
Joe: Yeah. I mean, at this point you have to pray that there's some sort of decrypter posted that you can find and figure out how to implement because there's no one to pay anymore.
Stan: The lesson here is you have to be careful about what you click on, be careful what you do online and maybe don't even believe everything you read.