Ransomware is a type of computer virus that was made infamous by WannaCry in 2017. Two years ago, millions of victims paid ransom money to its creators in a desperate attempt to restore their encrypted files. The “business model” was very successful: WannaCry developers had an estimated total revenue of $4 billion that year. Today, in 2019, we have seen the growth and decline of a ransomware variant with a business model patterned on the software industry’s Software-as-a-Service (SaaS): the infamously named Ransomware-as-a-Service (RaaS).

Unlike other ransomware before it, GandCrab made its “business model” friendly for external “investors” to join for a share of the income. Clients of the GandCrab team receive a “ransomware starter pack,” which includes the ransomware software itself, access to the payment infrastructure created by the GandCrab team (to collect ransom from the victims) and the “expertise” of its client support team. The client support team works with each individual customer on demand, for a price, and can be reached when a customer has a problem operating the ransomware. This is similar to how a support agent can help you when you have a problem with your tech gadgets.

GandCrab finally met its end, not at the hands of the authorities, and not even due to the diligent work of the antivirus industry, but because the people behind it believed that they had already “profited enough.” Their RaaS model was very successful, thanks to the millions of unpatched Windows PCs that are still connected to the Internet without even the protection of a router firewall. GandCrab’s customers just needed to make minor modifications to the template ransomware, which include branding, logos and contact information, and the ransomware would come into existence bearing the identification of that specific GandCrab customer. The team was confident that it would remain undetected until such time as it could pull the plug itself, and that has already come to pass.

The antimalware industry itself had trouble controlling the speed and infection rate of GandCrab-like ransomware in the wild. Each variant is owned by a separate entity and asks for the ransom to be deposited into the specific Bitcoin wallet of its respective “owner” (a GandCrab customer). GandCrab-variant ransomware takes advantage of an already patched vulnerability in RDP (Windows Remote Desktop Protocol). The vulnerability was so severe that Microsoft bent over backwards and issued a patch even for unsupported versions of Windows: XP and Vista.

Of course, with GandCrab voluntarily closing its doors, it will not be surprising to see another black-market company follow in its footsteps and offer RaaS. But the reality is that all of us can help by strengthening and hardening system security. The habits below will be very helpful in lessening the chances of becoming the next victim of ransomware:

Operating system and Internet-facing apps update

Operating systems such as Windows, Linux and macOS each have their own functionality for downloading patches from their respective vendors. These patches plug security vulnerabilities and fix critical-level bugs. Internet-facing apps like web browsers, media players and instant messengers should also be updated as soon as updates become available. Most of the time, a locked-down operating system is still compromised through vulnerable Internet-facing apps that were not updated to a patched version.

Never delay an offer to install updates

Windows 10 has a habit of automatically installing updates and forcing a system restart after an update has finished. Yes, it is annoying; corporate users can propose delays for such critical updates, but home users have no such option. Upon receiving the notification, please allow the updates to proceed. Delaying an update that fixes a zero-day bug, for example, is the worst disservice to the users of the computer.

Use a Windows PC behind a NAT (of a hardware firewall, in case of corporate users)

Never connect the Windows PC directly to the modem. Yes, it is convenient, but this exposes the PC to external interference and to attempts by unknown parties to infiltrate it. Only use a PC behind a NAT (Network Address Translation), as it comes with filters that will suffice to block unauthorized access.

Shut down unused and unneeded services in Windows

Not everyone with a Professional edition of Windows requires RDP, for example. This exact service had been the main target of GandCrab before it was decommissioned by its authors. The more services running on the computer, the wider the attack surface that hacker groups can test their tools against, exposing your computer and critical data to cyber attacks. Audit all the services and determine whether each one is still needed; if not, disable it, which reduces the attack surface massively.
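
One way to carry out the audit described above, as an added PowerShell example that is not part of the original article: it reports whether RDP is enabled, whether the PC holds a public IP address (that is, sits outside a NAT), and which auto-start services are running. It only reads settings, and it assumes an elevated session on Windows 8 / Server 2012 or later with English-language firewall group names.

```powershell
# Added example: read-only audit of RDP exposure and auto-start services.
function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 private ranges, loopback and link-local count as "not public".
    return $Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# 1. Remote Desktop is enabled when fDenyTSConnections is 0.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ((Get-ItemProperty $tsKey).fDenyTSConnections -eq 0)

# 2. Network Level Authentication is required when UserAuthentication is 1.
$nlaRequired = ((Get-ItemProperty "$tsKey\WinStations\RDP-Tcp").UserAuthentication -eq 1)

# 3. State of the Remote Desktop Services service.
$termSvc = Get-Service -Name TermService

# 4. Enabled inbound firewall rules in the 'Remote Desktop' group
#    (assumption: English display group name; it differs on localized Windows).
$rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

# 5. A public IPv4 address on a local interface means the PC is not behind a NAT.
$publicIPs = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) } |
    Select-Object -ExpandProperty IPAddress)

[pscustomobject]@{
    RdpEnabled         = $rdpEnabled
    NlaRequired        = $nlaRequired
    TermServiceStatus  = $termSvc.Status
    TermServiceStartup = $termSvc.StartType
    RdpInboundRules    = $rdpRules.Count
    PublicIPv4         = ($publicIPs -join ', ')
} | Format-List

if ($rdpEnabled -and $publicIPs.Count -gt 0) {
    Write-Warning 'RDP is enabled on a machine that holds a public IP address.'
}

# 6. Services that start automatically and are running now: review each one.
Get-CimInstance Win32_Service -Filter "StartMode='Auto' AND State='Running'" |
    Sort-Object DisplayName |
    Format-Table Name, DisplayName, StartName -AutoSize

# If RDP is not needed, turn it off (commented out so the audit stays read-only):
# Set-ItemProperty $tsKey -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```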
