Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

GandCrab Ransomware Spreads Via NSA Exploit

GandCrab, a ransomware family that has received numerous updates in recent months, is now attempting to infect Windows XP machines using the

GandCrab, a ransomware family that has received numerous updates in recent months, is now attempting to infect Windows XP machines using the NSA-linked EternalBlue exploit.

The malware is usually spreading via spam emails, but GandCrab 4, which first emerged earlier this month, is being distributed via compromised websites, Fortinet says. The malware now appends the .KRAB extension to the encrypted files.

The new variant also includes an overhaul in terms of code structure, has switched to the Salsa20 stream cipher for data encryption, and also removed some of the older features. More importantly, it no longer requires command and control (C&C) communication to encrypt files.

“For this latest release, we have found numerous infected websites injected with malicious pages. These pages instantly redirect users to a separate page containing the actual download link leading to the GandCrab executable,” Fortinet explains.

Both the malware executable and the download links are being updated regularly, the security researchers say. In fact, within days after version 4 emerged, the ransomware authors released GandCrab 4.1, which has already showed signs of network communication.

More importantly, as security researcher Kevin Beaumont has discovered, the ransomware is also attempting to spread through the National Security Agency’s EternalBlue SMB exploit.

The most interesting aspect of this new capability is the fact that Windows XP and Windows Server 2003 systems too are targeted, along with modern operating systems.

The EternalBlue exploit targets a security bug in Windows’ Server Message Block (SMB) on port 445.The flaws, however, only impact older operating system versions, mainly Windows XP and Windows 7.

The exploit wasn’t previously working on Windows XP out of the box, but that did not prevent ransomware such as WannaCry to attempt to spread using it. In fact, numerous malware families have been abusing the exploit to date, including the NotPetya wiper.

Microsoft patched the vulnerability that EternalBlue targets before the exploit became public, and even pushed an emergency patch for Windows XP to keep users safe from WannaCry.

Thus, as Beaumont points out, the best defense against GandCrab and any malware spreading via EternalBlue is to apply the available patch for all operating systems, including the older Windows XP and Windows Server 2003.

“Many antivirus products have dropped support for Windows XP and 2003, which makes this problematic. You probably want to make sure staff know not to download things from BitTorrent, install unknown software, run keygens, access random USB sticks etc.,” Beaumont notes.

Related: GandCrab Ransomware Breaks Windows 7 Systems

Related: One Year After WannaCry Outbreak, EternalBlue Exploit Still a Threat

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.