GandCrab Ransomware Puts The Pinch On Victims
(Jul 31, 2018)
GandCrab is a rapidly evolving ransomware family that is currently in its fourth version. The threat actors developing it have improved the code quickly since the first release, and now embed comments mocking law enforcement, security researchers, and "NoMoreRansom.com", which had previously released a decryptor for earlier GandCrab versions. The malware uses one of four initial attack vectors:
1. Remote desktop connections with weak security (for example Internet-exposed RDP with weak credentials)
2. Phishing emails with malicious links or attachments
3. Legitimate programs trojanized to carry the malware
4. Exploit kits such as RigEK and others
The goal of this ransomware is illicit profit, mainly in the form of the cryptocurrency DASH, though Bitcoin is also accepted. The newest version uses the Salsa20 stream cipher to encrypt the infected machine's files, replacing the RSA and AES scheme of earlier versions. Like much other malware, it checks the machine's language settings and will not drop the payload if the system uses Russian or certain other former Soviet languages.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best protection against ransomware such as GandCrab, with attention to both network and host-based security. Prevention and detection capabilities should be in place: restrict and monitor remote desktop access (no direct Internet exposure, strong unique passwords, account lockout), patch the browsers and plugins that exploit kits target, and keep tested offline backups so that an infection does not force a payment decision. All employees should be educated about the risks of spear phishing and how to identify such attempts. GandCrab's code is not professionally written and contains many bugs, but it is updated frequently, so it is crucial to remain cognizant of the attack vectors. As the code matures it will become harder to detect unless an organization is already prepared.
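The RDP attack vector above and the call for detection capabilities point to one concrete control: alerting on password guessing against RDP in the Windows Security log before a guessed credential turns into a ransomware deployment. The following Python script is an added example, not code from the original briefing or from any published GandCrab analysis. It assumes the events have already been collected as dictionaries carrying the EventID, IpAddress, TargetUserName, LogonType and TimeCreated fields of the Windows Security event schema (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, type 3 = network, which is how NLA-protected RDP pre-authentication failures appear); the sample events, the 10-failure threshold and the 5-minute window are constructed, illustrative choices.

```python
"""Flag RDP password-guessing in Windows Security events (added example).

Assumption: events are dicts with EventID, IpAddress, TargetUserName,
LogonType and TimeCreated (datetime). Threshold/window are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources that produced at least
    `threshold` failed RDP/network logons inside any `window`, and list any
    successful logon from that source after the guessing started (the case
    that matters: a guessed password followed by an interactive session)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["LogonType"] not in (3, 10):  # only remote/RDP-style logons
            continue
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        # Sliding window over time-sorted failures: largest burst inside `window`.
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["TimeCreated"] - fails[start]["TimeCreated"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_fail = fails[0]["TimeCreated"]
        later_ok = [s for s in successes.get(ip, []) if s["TimeCreated"] >= first_fail]
        alerts[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            # Case-folded: attackers rotate "Admin"/"admin"/"administrator".
            "usernames_tried": sorted({f["TargetUserName"].lower() for f in fails}),
            "success_after_failures": [
                (s["TargetUserName"], s["TimeCreated"].isoformat()) for s in later_ok
            ],
        }
    return alerts


def constructed_events():
    """Constructed sample telemetry, not real log data."""
    base = datetime(2018, 7, 30, 2, 14, 0)
    events = []
    # 12 failed guesses in under 4 minutes from one external address, rotating users.
    for i, user in enumerate(["administrator", "admin", "Admin", "user"] * 3):
        events.append({"EventID": 4625, "IpAddress": "203.0.113.9", "TargetUserName": user,
                       "LogonType": 3, "TimeCreated": base + timedelta(seconds=20 * i)})
    # ...followed by a successful interactive RDP logon as "admin" from the same address.
    events.append({"EventID": 4624, "IpAddress": "203.0.113.9", "TargetUserName": "admin",
                   "LogonType": 10, "TimeCreated": base + timedelta(minutes=6)})
    # An internal user mistyping a password twice: must not trigger at the default threshold.
    for i in range(2):
        events.append({"EventID": 4625, "IpAddress": "10.0.0.5", "TargetUserName": "jsmith",
                       "LogonType": 10, "TimeCreated": base + timedelta(minutes=30 + i)})
    return events


if __name__ == "__main__":
    for ip, summary in find_rdp_bruteforce(constructed_events()).items():
        print(ip, summary)
```

On the constructed data only 203.0.113.9 is reported, with the subsequent 4624 as "admin" attached to the alert; that success-after-burst pairing is the signal worth paging on, since it marks the moment an operator can start staging the ransomware binary rather than merely guessing.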
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.