July has been a busy month for the distributors of GandCrab ransomware. After about two months with no major update, the cybercrime gang behind GandCrab released version 4, and a few days later, version 4.1. The primary delivery method is via compromised WordPress websites, which have been hijacked to include fake crack application pages, which in turn redirect to the GandCrab executable. Other distribution methods are Exploit Kits (EK) and malicious email campaigns.
One of the most popular tricks of attackers is to employ packer-based malware, which is modified in the runtime memory using various sophisticated compression techniques. As with previous versions of GandCrab ransomware, this version is packed by a custom packer and uses multiple additional techniques to make it more difficult to detect the malicious code and harder to analyze by security researchers.
Fake crack sites leading to GandCrab ransomware:
Image credit: Bleeping Computer
It iterates over the PEB to find useful functions (locate GetProcAddress and LoadLibrary), build the IAT (Import Address Table) and finally jump to the unpacked sample (read more).
The unpacked GandCrab uses several techniques to avoid detection:
This version of GandCrab ransomware uses the Salsa20 stream cipher to encrypt files instead of RSA-2048 encryption (RSA-2048 encryption is still used, but for a different function).
If the file <8-hex-chars>.lock exists in the AppData directory, GandCrab terminates the process without infecting the system.
The encrypted files use .KRAB as the new file extension.
Additionally, victims receive a KRAB-DECRYPT.txt file which serves as the ransom note.
Image credit Fortinet
Morphisec’s Moving Target Defense based technology prevents the attack before it can perform any type of malicious activity. Morphisec customers are and have always been protected from the attack out of the box, no updates needed.
If you don’t have Morphisec installed, you can create an <-8hex-char>.lock file in the SYSTEM APPDATA folder(e.g C:\ProgramData), which causes the malware to terminate without infecting the system. However, this is not a permanent solution as this can easily be disabled in future versions.
Hashes: