This malware is quite new but it has spread quickly and has the ability to affect Windows XP machines and newer versions. It also utilizes SMB vulnerabilities to make it proliferate faster.
GandCrab was first seen in the wild in January of this year and quickly became one of the more popular forms of file-locking malware. This is because its developers sell it cheaply on the dark web as ‘malware-as-a-service’ and continuously push updates to it.
As mentioned, they send out regular updates, and security researchers found that the code structure was recently overhauled, giving the malware an edge with new tricks up its sleeve.
GandCrab version 4.0 is already out there. Its encryption mechanism switched from RSA-2048 to the much faster Salsa20 stream cipher, so files are encrypted more quickly than before. The developers took the idea of using Salsa20 from the Petya ransomware.
Researchers found that this GandCrab release is being distributed to unwitting victims via compromised WordPress websites that encourage users to download system tools; the download links deliver the malware instead. Take note, these sites are being updated regularly by the malware developers. It may even spread via phishing emails in the near future.
Previous versions of the ransomware were designed to check whether the computer is located in a Russian-speaking country. If so, it will not encrypt files. Taken together with the fact that it is sold on Russian hacking forums, it is safe to say that the developers are probably from that region.
Encrypted files use the file extension “.KRAB”. Names and strange insults can be found in the malware code that might have been left there to taunt security researchers.
Here is the annoying part: the updated encryption method they are now using allows files to be encrypted even without internet access, so no command-and-control server is required.
Security researcher Kevin Beaumont points out that GandCrab can now also spread via an SMB exploit — including the ability to compromise machines running Windows XP and Windows Server 2003 in this way.
By comparison, the leaked EternalBlue exploit used by the WannaCry ransomware never worked on Windows XP out of the box. GandCrab, however, is able to target Windows XP machines and other older operating systems.
“Being able to spread without internet access and impacting legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice,” says Beaumont.
The new file extension and encryption technique are joined by an updated ransom note, which shows the key GandCrab has encrypted the files with alongside data about the encrypted PC.
Like any other ransomware, it demands payment. In this case it is $500, to be paid via Bitcoin or Dash cryptocurrency before the files are returned. The amount doubles when its internal countdown clock runs out in a couple of days.
People have been warned time and again not to pay the ransom. But some choose to do so to avoid inconvenience, especially if they are in a hurry or left with no other option.
All of this could have been avoided by not downloading and running things from untrusted sources. Always be very cautious with files downloaded over the internet. Being paranoid about security sometimes saves you a lot of time and money in repairs and damages. Better safe than sorry.