A new version of GandCrab ransomware (GandCrab v5) has been released. GandCrab is an extremely popular ransomware threat that is made available to affiliates under the ransomware-as-a-service distribution model. Affiliates receive a cut of the profits from any ransoms paid by the people they manage to infect.
GandCrab was first released in January 2018 and quickly grew into one of the most widely used ransomware variants. In July it was named the main ransomware threat, and it is regularly updated by its authors.
Many changes have been made in GandCrab v5, including a switch to a random 5-character extension for encrypted files. The ransomware also drops an HTML ransom note rather than a txt file on the desktop.
Bitdefender made free decryptors available for early versions of the ransomware, although the authors took steps to improve its security in version 2.0. Since version 2.0 was released, no free decryptors for GandCrab ransomware have been produced.
Recovery from a GandCrab v5 infection will only be possible by paying the ransom – around $800 in the Dash cryptocurrency – or by restoring files from backups. Victims are given only a short period of time to pay before the price of decryption doubles. It is therefore vital that backups are made of all data and that those backups are verified to make sure files can be recovered in the event of disaster.
Since this ransomware variant is made available under the ransomware-as-a-service model, different threat actors use different vectors to distribute it. Earlier versions of the ransomware were distributed via spam email and through exploit kits such as RIG and GrandSoft. GandCrab v5 has also been confirmed as being distributed via the new Fallout exploit kit.
Traffic is sent to the exploit kit using malvertising – malicious adverts that redirect users to exploit kits and other malicious websites. These malicious adverts are placed on third-party advertising networks that many popular websites use to generate an extra income stream.
Any user that clicks one of the malicious links in the adverts is sent to the Fallout exploit kit, which contains exploits for several old flaws and some relatively recent ones. Any user with a vulnerable system will have GandCrab ransomware silently installed on their device. Local files will be encrypted, as will files on all accessible network shares, not just mapped drives.
Whenever a new zero-day vulnerability is found, it doesn't take long for an exploit to be incorporated into malware. The publication of proof-of-concept code for a Task Scheduler ALPC vulnerability was no different: within a few days the exploit had been adopted by hackers and incorporated into malware.
The exploit for the Task Scheduler ALPC vulnerability allows executable files to run on a vulnerable system with SYSTEM privileges, and it has been incorporated into GandCrab v5. The exploit is believed to be used to carry out system-level tasks such as deleting Windows Shadow Volume copies, making it harder for victims to recover encrypted files without paying the ransom. Microsoft released a patch for the flaw as part of its September Patch Tuesday round of updates, but many firms have yet to apply it.
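As an added illustration (not code from the original article or from any vendor it names), the following Python scorer runs over process-creation log records and flags the recovery-destroying behaviour described above: shadow-copy deletion, weighted higher when it runs as SYSTEM from a user-writable path, which is what a deletion launched via the ALPC privilege escalation would look like. The article does not give GandCrab's exact command lines; the vssadmin/wmic patterns, the record field names and the sample records are assumptions constructed for this example.

```python
import re

# Constructed sample process-creation records (4688/Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"user": "CORP\\backupsvc", "parent": "C:\\Windows\\System32\\services.exe",
     "cmd": "vssadmin.exe create shadow /for=C:"},
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Users\\Public\\update.exe",
     "cmd": "wmic shadowcopy delete"},
    {"user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\services.exe",
     "cmd": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "notepad.exe readme.txt"},
]

# Shadow-copy deletion commands (assumed; the article names the behaviour, not the commands).
RECOVERY_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]
TRUSTED_PARENT_DIRS = ("c:\\windows\\system32\\",)  # e.g. a backup agent started by the SCM


def score_event(event):
    """Return (score, reasons); score 0 means no shadow-copy deletion was seen."""
    if not any(p.search(event["cmd"]) for p in RECOVERY_DELETE_PATTERNS):
        return 0, []
    score, reasons = 1, ["shadow-copy deletion command"]
    untrusted_parent = not event["parent"].lower().startswith(TRUSTED_PARENT_DIRS)
    if untrusted_parent:
        score += 1
        reasons.append("launched from a non-system parent path")
    # SYSTEM rights from a user-writable parent is what the ALPC escalation would look like.
    if untrusted_parent and event["user"].upper().endswith("\\SYSTEM"):
        score += 1
        reasons.append("runs as SYSTEM despite non-system parent (possible privilege escalation)")
    return score, reasons


def find_suspicious(events, threshold=2):
    """Return [(cmd, score, reasons)] for records scoring at or above the threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["cmd"], score, reasons))
    return hits
```

With the default threshold, a backup agent rotating its own shadow copies from services.exe scores 1 and is not reported, while the two deletions launched as SYSTEM from user-writable paths score 3.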
The key step to ensure that recovery from a ransomware attack is possible is to make backups. Without a viable backup, the only way of recovering files is by paying the ransom. In this instance, victims can decrypt one file for free to show that viable decryption keys exist. However, not all ransomware variants permit file recovery.
Stopping ransomware infections requires software solutions that block the main attack vectors. Spam filtering solutions like SpamTitan stop dangerous messages from being delivered to inboxes. Web filters such as WebTitan stop end users from visiting malicious sites known to host exploit kits. Remote desktop services are often exploited to gain system access, so it is vital that these are disabled if they are not required and, if they are required, made accessible only through VPNs.
Patches should be applied promptly to stop weaknesses from being exploited, and advanced anti-malware solutions should be used to detect and quarantine ransomware before files are encrypted.