What is Gandcrab?
May 15, 2018 | Paul Hafen

Don’t worry folks, ransomware is still alive and kicking!  We haven’t heard too much about these kinds of attack in the news lately, but new methods of holding users hostage are always in development.  The latest strain is called Gandcrab malware. It employs email and vulnerable, legitimate websites to execute its attack on victims.

It starts with an email that contains a text in the subject line that reads, “Your Order# XXXXX"  (has random digits after the "#"). The body of the email has a lot of white space with only a sentence or two.  There is a  ZIP file containing a Word document that has macros which execute the malware.  Other files types have also been detected by Cisco Talos.  These include Certutil.exe which, ironically, is a utility that forms part of Certificate Services.  

The malicious payload is downloaded from websites designed for that purpose, as well as from legitimate sites.  Further investigation by Talos uncovered that the legitimate infected sites were riddled with vulnerabilities that made them unwitting accomplices in the attack.  One of the sites was: hxxp://herbal-treatment-advisory[.]com/c.exe, which is a Wordpress blog. 

The delivery mechanism is different, but the exploitation is more of the same.  It encrypts system files, alters the target system’s OS background, asks for money and uses the TOR network for Command and Control.  

As a final sobering thought, consider how many websites are out there managed by small organizations that don’t have security as their main focus.  It’s a weaponization-rich environment for ransomware R&D teams to use for delivery.  End users can avoid being targets by not opening emails whose senders are unknown.  Check email headers by mousing over the From field in an email to see if the sender looks legitimate.  At a more macro scale, search engines should continue to enforce encryption so site owners get the message.  Site owners should keep their web apps up to date with the newest versions and, if resources permit, use an application security service.  Of course, anti-malware at the gateway and endpoint are good layers of defense.  ContentKeeper's Secure Internet Gateway is able to block strains of this malware. It blocks the main component downloaded from an IP address (not using a domain name).  Our Multi Layered Gateway Security Platform has a Streaming Malware Defense Layer. Bitdefender and Kaspersky are part of this extra layer of protection, which also detects some instances of this malware.

For more than 20 years, ContentKeeper has delivered comprehensive, accessible web security solutions for global enterprises, educational institutions and government agencies. We enable our customers to protect their networks, users and data from cyber threats while embracing mobile technology, Internet of Things (IoT) and cloud-based services. 

About the Author: Paul Hafen is an 18-year veteran in the Cybersecurity field.  He’s co-founder of a security firm and has worked with hundreds of organizations on security projects. A blogger with an emphasis on malware and data loss topics, he researches and reports on the latest vulnerabilities and attacks for ContentKeeper.
 

Sources:

https://www.darkreading.com/endpoint/gandcrab-ransomware-exploits-website-vulnerabilities/d/d-id/1331787?ngAction=register&ngAsset=389473

https://threatpost.com/gandcrab-ransomware-found-hiding-on-legitimate-websites/131897/