GandCrab Ransomware Spreads Via NSA Exploit
12.7.18 securityweek Ransomware
GandCrab, a ransomware family that has received numerous updates in recent months, is now attempting to infect Windows XP machines using the NSA-linked EternalBlue exploit.
The malware is usually spreading via spam emails, but GandCrab 4, which first emerged earlier this month, is being distributed via compromised websites, Fortinet says. The malware now appends the .KRAB extension to the encrypted files.
The new variant also includes an overhaul in terms of code structure, has switched to the Salsa20 stream cipher for data encryption, and also removed some of the older features. More importantly, it no longer requires command and control (C&C) communication to encrypt files.
“For this latest release, we have found numerous infected websites injected with malicious pages. These pages instantly redirect users to a separate page containing the actual download link leading to the GandCrab executable,” Fortinet explains.
Both the malware executable and the download links are being updated regularly, the security researchers say. In fact, within days after version 4 emerged, the ransomware authors released GandCrab 4.1, which has already showed signs of network communication.
More importantly, as security researcher Kevin Beaumont has discovered, the ransomware is also attempting to spread through the National Security Agency’s EternalBlue SMB exploit.
The most interesting aspect of this new capability is the fact that Windows XP and Windows Server 2003 systems too are targeted, along with modern operating systems.
The EternalBlue exploit targets a security bug in Windows’ Server Message Block (SMB) on port 445.The flaws, however, only impact older operating system versions, mainly Windows XP and Windows 7.
The exploit wasn’t previously working on Windows XP out of the box, but that did not prevent ransomware such as WannaCry to attempt to spread using it. In fact, numerous malware families have been abusing the exploit to date, including the NotPetya wiper.
Microsoft patched the vulnerability that EternalBlue targets before the exploit became public, and even pushed an emergency patch for Windows XP to keep users safe from WannaCry.
Thus, as Beaumont points out, the best defense against GandCrab and any malware spreading via EternalBlue is to apply the available patch for all operating systems, including the older Windows XP and Windows Server 2003.
“Many antivirus products have dropped support for Windows XP and 2003, which makes this problematic. You probably want to make sure staff know not to download things from BitTorrent, install unknown software, run keygens, access random USB sticks etc.,” Beaumont notes.