GandCrab Ransomware Infects Windows Computers at Lightning Pace

GandCrab ransomware is back, and its latest version is stronger than its predecessors, with upgrades designed to do more damage as it encrypts victims' data.

GandCrab differs from the many ransomware families that arrive mainly through spam email. Instead, it is distributed through "exploit kits," in which cybercriminals take advantage of unpatched vulnerabilities in a visitor's browser or browser plug-ins to drop malware onto the computer without the user downloading anything. For example, one distribution channel for GandCrab is the RIG exploit kit, which targets Internet Explorer and Flash Player with malicious JavaScript and Flash content served from compromised or attacker-controlled web pages.

Since the ransomware first emerged in January 2018, it has become a popular choice among file-encrypting malware. Cybercriminals purchase the program on the dark web as 'malware-as-a-service' and receive continuous updates from its developers; this latest release amounts to "an overhaul in terms of the code structure," according to researchers at Fortinet.

The biggest change in version 4 is the file-encryption routine: file contents are now encrypted with the Salsa20 stream cipher (previously used by the Petya ransomware family) rather than with the RSA-2048-based scheme of earlier versions. A stream cipher runs orders of magnitude faster than public-key operations, so a whole disk's worth of files can be encrypted in far less time, leaving defenders less opportunity to intervene. Public-key cryptography is still used to protect the Salsa20 key material, so the speed gain costs the attacker nothing in control over recovery.

Users can also be infected via compromised WordPress websites that invite visitors to download "system tools" from a supplied link; the download installs the malware. Researchers say the links are updated regularly to suit the criminals' needs, and the same links can also be delivered through phishing emails.

Like its previous versions, the new GandCrab checks whether the system is set up for a Russian-speaking locale (the check is based on the installed keyboard layouts); if it is, the ransomware halts without encrypting any files. This behaviour, together with the fact that the malware is sold on Russian-language hacking forums, leads researchers to believe its developers are based in that region.

Interestingly, GandCrab's creators even taunt security researchers with insults embedded in the malware's strings. Once a computer has been hit, encrypted files carry the extension ".KRAB".

With this update, encryption proceeds even when the machine has no internet connection: the public key needed to lock the files is embedded in the malware, so no contact with a command-and-control server is required before encryption starts. Fortinet's initial report also stated that GandCrab could compromise machines running Windows XP and Windows Server 2003, spreading via a Server Message Block (SMB) exploit (SMB is the protocol Windows uses for file sharing). That spreading claim was not independently confirmed, and Fortinet itself later said it had been unable to confirm an SMB spreader in the samples it analyzed, so the discussion that follows should be read with that caveat in mind.
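To make the mechanism concrete, here is an added example (not GandCrab's own code, and not from Fortinet) of the hybrid design described in this paragraph and in the Salsa20 paragraph above: each file is encrypted with a fresh Salsa20 key, and that key is wrapped under a public key embedded in the encryptor, so the victim-side routine needs neither the private key nor a network connection. Salsa20/20 is implemented in full from the specification. The RSA part is a toy (textbook RSA over freshly generated 256-bit primes, no padding) standing in for RSA-2048 with proper padding; the sample plaintext is constructed inline; and the names encrypt_file_bytes and decrypt_file_bytes are this example's own, not identifiers from the malware.

```python
# Added example (not GandCrab's code): fast Salsa20 per file, with the file key
# wrapped under a public key embedded in the encryptor.  The victim side works
# offline; only the private-key holder can unwrap the file keys.
# Assumptions: toy textbook RSA (256-bit primes, no padding) in place of the
# real RSA-2048; Salsa20/20 from the spec.  Needs Python 3.8+ for pow(e, -1, m).
import os
import random
import struct

MASK = 0xFFFFFFFF
_COLS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
_ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarterround(y0, y1, y2, y3):
    y1 ^= _rotl((y0 + y3) & MASK, 7)
    y2 ^= _rotl((y1 + y0) & MASK, 9)
    y3 ^= _rotl((y2 + y1) & MASK, 13)
    y0 ^= _rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))   # 64-bit block counter
    sigma = struct.unpack("<4I", b"expand 32-byte k")
    x = [sigma[0], k[0], k[1], k[2], k[3], sigma[1], n[0], n[1],
         c[0], c[1], sigma[2], k[4], k[5], k[6], k[7], sigma[3]]
    s = list(x)
    for _ in range(10):                        # 10 double rounds = 20 rounds
        for a, b, c_, d in _COLS + _ROWS:      # column round, then row round
            s[a], s[b], s[c_], s[d] = _quarterround(s[a], s[b], s[c_], s[d])
    return struct.pack("<16I", *[(s[i] + x[i]) & MASK for i in range(16)])


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        stream = salsa20_block(key, nonce, i // 64)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], stream))
    return bytes(out)


def _probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a demo keypair."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full-size, odd
        if _probable_prime(cand):
            return cand


def rsa_keypair(bits=512):
    """Toy keypair: public (n, e), private (n, d).  Real samples use RSA-2048."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt_file_bytes(public_key, plaintext):
    """Victim side: needs only the embedded public key, so it runs offline."""
    n, e = public_key
    file_key, nonce = os.urandom(32), os.urandom(8)        # fresh per file
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)   # textbook RSA (toy)
    return {"wrapped_key": wrapped, "nonce": nonce,
            "ciphertext": salsa20_xor(file_key, nonce, plaintext)}


def decrypt_file_bytes(private_key, blob):
    """Operator side: the private key never touches the victim machine."""
    n, d = private_key
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(32, "big")
    return salsa20_xor(file_key, blob["nonce"], blob["ciphertext"])


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    sample = b"constructed sample document\n" * 40     # stand-in for a victim file
    blob = encrypt_file_bytes(pub, sample)
    assert decrypt_file_bytes(priv, blob) == sample
    print("encrypted %d bytes offline; recovered with the private key only" % len(sample))
```

The point to take from the split is operational: everything the victim-side routine needs is already in the binary, so blocking command-and-control traffic does not stop encryption, and the only recovery path is the private key held by the operator (or a backup). The real GandCrab v4 adds further layers of key wrapping; the structure, not the exact key hierarchy, is what this example shows.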

Few ransomware families have been able to spread to operating systems that old. Even WannaCry "never worked against XP targets out of the box," as security researcher Kevin Beaumont points out.

He explains that GandCrab's ability "to spread without internet access and [impact] legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice."

After infection, the victim's screen shows a payment page demanding $500 in Bitcoin or Dash cryptocurrency in exchange for the files. If the ransom isn't paid within the stated deadline, the price doubles to $1,000.

Researchers consistently advise against paying the ransom: payment funds further criminal activity and does not guarantee that the files come back.

That said, there are practical ways to avoid such attacks in the first place: do not download files or applications from untrusted websites; keep the operating system, browsers and plug-ins such as Flash patched, since exploit kits rely on known vulnerabilities that a fix already exists for; and maintain backups that are kept separate from the machines they protect, so that an infection cannot encrypt the backups along with the originals.

Fortunately, there's Reevert to protect your business against ransomware attacks. Reevert is an intelligent hybrid backup and storage solution, designed from the ground up to protect businesses against ransomware and data loss. With hourly data snapshots, physical and virtual server backups in the cloud, and data restoration within seconds, your business can rest assured that its files are properly protected.

To view the original article, please click here.
