Different ways to cook a Crab...

Friday 4 October 14:30 - 15:00, Red room

John Fokker (McAfee)
Alexandre Mundo (McAfee)



During this session we will explain how we are combating the Number One ransomware-as-a-service, GandCrab.

We'll discuss what we have learned from looking at the malware, from finding specific mistakes and indicators to exploiting those mistakes to build a publicly available vaccine.

We also focused our efforts on linking the ransomware and its affiliates to victims. (This is something that is often overlooked by the industry and law enforcement.)

To learn more about the actor behind GandCrab and its affiliates we carried out extensive underground forum research. We did all of this to complete the chain of custody, from victim to perpetrator. By looking at hundreds of GandCrab samples at once we began to find some interesting discoveries and patterns.

During our session we will cover the following topics:

  • Reverse engineering the code
  • The mistake we found, which helped build our vaccines
  • How we extracted and aggregated affiliates from the samples
  • Finding affiliates on underground forums
  • Throwing all this together in a comprehensive timeline and we'll talk about tools to help law enforcement
  • We'll round off with some interactions between us and the actors.

 

 

John-Fokker-web.jpg

John Fokker

John Fokker is Head of Cyber Investigations for McAfee's Advanced Threat Research team. Prior to joining McAfee, he worked at the National High Tech Crime Unit (NHTCU), the Dutch national police unit dedicated to investigating advanced forms of cybercrime. Within NHTCU he led the data science group, which focused on threat intelligence research. During his career he has supervised numerous large-scale cybercrime investigations and takedowns. Fokker is also one of the cofounders of the NoMoreRansom Project. He started his career with the Netherlands Police Agency as a digital forensics investigator within a task force against organized crime. Before joining the national police, he served in the special operations and counterterrorism group of the Royal Netherlands Marine Corps.

@john_fokker

 

silhouette-vb2019.jpg

Alexandre Mundo

Alexandre Mundo, Senior Malware Analyst, is part of Mcafee's Advanced Threat Research team. He reverses the new threads in advanced attacks and researches them on a daily basis. He is focused on APTs and new, and old but very active, ransomware attacks and malware. He performs malware and forensic analysis, teaches junior malware analysts and has developed training courses, workshops and presentations of malware analysis.


   Download slides    Read paper    Watch video

Back to VB2019 Programme page

Other VB2019 papers

A deep dive into iPhone exploit chains

John Bambenek (University of Illinois at Urbana-Champaign)

Panel: Bursting the myths about threat intelligence sharing

Kathi Whitbey (Palo Alto Networks)
Jeannette Jarvis (Fortinet)
Dan Saunders (NTT)
John Fokker (McAfee)

Finding drive-by rookies using an automated active observation platform

Rintaro Koike (NTT Security)
Yosuke Chubachi (Active Defense Institute, Ltd / nao_sec)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.