A few days ago, I wrote about the return of the GandCrab ransomware (v4), a new version appeared in the threat landscape and experts at BleepingComputer first reported it.
Security experts from Fortinet recently detected a new version of the threat, the GandCrab ransomware 4.1 that is being distributed through compromised websites designed to appear like download sites for cracked applications.
As the GandCrab ransomware 4 version, the new variant uses the Salsa2.0 stream cipher to encrypt data instead of the RSA-2048 encryption that was used in early versions of the threat.
The code of the latest variant 4.1 includes a list of websites to which the malware connects to sends data related to the infected machine (i.e. IP address, username, computer name, network domain, and, if present, a list of anti-malware tools on the system).
“Only two days after the release of GandCrab 4.0, FortiGuard Labs found a newer version (v4.1) being distributed using the same method, which is through compromised websites disguised as download sites for cracked applications.” reads the analysis published by Fortinet.
“With this new version, GandCrab has added a network communication tactic that was not observed in the previous version.”
Why does the new variant send data to a large number of websites?
According to Fortinet, there is no evidence that those websites in the hard-coded list have actually been compromised, this circumstance suggests the authors of the malware are testing the functionality or have put it there as a diversionary tactic.
“However, we found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab.” continues the analysis.
“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humour.”
The analysis of the ransomware revealed that the GandCrab ransomware 4.1 kills numerous processes that can interfere with the file encryption process. For example, it kills msftesql.exe, sqlagent.exe, oracle.exe, msaccess.exe, powerpnt.exe, and wordpad.exe to encrypt high-value files used by most popular applications, such as Microsoft Office Files, Steam, Oracle, etc.
“Over the past few days, numerous reports have been circulating claiming that this version of the GandCrab malware can self-propagate via an “SMB exploit”” continues the analysis.
“However, in spite of this string, we could not find any actual function that resembles the reported exploit capability. (It may also be relevant to report that this string was actually first found in v4.0 and not in v4.1, at least in the samples that we have analysed.) Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.”
Summarizing the threat continues to evolve, but it can not spread via SMB shares yet.
(Security Affairs – gandcrab ransomware 4.1, cybercrime)