GandCrab's New Evasive Infection Chain (May 7, 2019)

Threat actors distributing the “GandCrab” ransomware have added new techniques to their campaign, according to Cybereason researchers. GandCrab, estimated to be responsible for 40% of all worldwide ransomware attacks as of February 2019, is an evolving threat that targets both individuals and companies. This campaign distributes GandCrab through a phishing email carrying a Korean document attachment. When opened, the document prompts the user to enable macros for the code embedded in it. If macros are enabled, a fileless infection chain is triggered that uses Living Off the Land Binaries (LOLBins) to fetch the payload while evading detection, and then drops the ransomware. Once the ransomware runs, a ransom note appears with instructions for the user to send money.
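The chain described above leaves a characteristic parent/child trace on the endpoint: an Office process launching a script host or download-capable system binary. The following detection logic, added here as an example and not part of the Cybereason or Anomali write-up, flags that pattern in constructed process-creation events; the specific LOLBin names are assumptions from general knowledge, since the page does not list which binaries this campaign used.

```python
# Added example: flag process-creation events where an Office application
# spawns a script host or download-capable LOLBin, the parent/child shape a
# macro-triggered fileless chain produces. The binary names below are
# assumptions (common examples); the source page does not name them.
import csv
import io

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "mshta.exe", "certutil.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe",
}

# Constructed sample of process-creation events (Sysmon Event ID 1 style).
# Fields: host, parent image, child image, command line (arguments omitted).
SAMPLE_EVENTS = """host,parent_image,image,command_line
WS01,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\certutil.exe,certutil.exe [constructed args]
WS01,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe
WS02,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe [constructed args]
WS03,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -File C:\\scripts\\inventory.ps1
"""


def basename(path):
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_to_lolbin(events_csv):
    """Return (host, parent, child, command_line) for every event in which
    an Office process launches a script host or download-capable LOLBin."""
    hits = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        parent = basename(row["parent_image"])
        child = basename(row["image"])
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append((row["host"], parent, child, row["command_line"]))
    return hits


if __name__ == "__main__":
    # Only the two Office-spawned LOLBin events are reported; the explorer
    # and svchost parents are legitimate and stay silent.
    for hit in find_office_to_lolbin(SAMPLE_EVENTS):
        print("ALERT office->lolbin", hit)
```

Feed the same function real Sysmon or EDR process-creation exports to hunt for the pattern; legitimate automation that launches PowerShell from an Office add-in will need an allow-list on the command line.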

Recommendation: Ransomware is a continually evolving threat, so it is paramount to have a comprehensive and tested backup solution in place. If a usable backup is not available, a decryptor may exist that can assist in recovering encrypted files. Additionally, educate your employees about the dangers of downloading applications that are not offered from the official provider's or developer's website. Users should always exercise caution when receiving an email with an attachment; any file attachment, especially one from an unknown sender, should be viewed with the utmost scrutiny and reported to the appropriate personnel.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.