Tuesday, April 15, 2025

New Version of GandCrab Ransomware Attack via Compromised Websites using SMB Exploit Spreader


A new version of GandCrab ransomware has been discovered that attacks target systems using an SMB exploit spreader, delivered through compromised websites that pose as download sites.

GandCrab is a widely spreading ransomware family, under constant development, with newly updated features to target various countries.

The GandCrab attackers scan web pages across the internet to find vulnerable websites and leverage them to distribute the ransomware widely.


This new version of GandCrab contains a long hard-coded list of compromised websites that it connects to.

The attackers use a specific pseudo-random algorithm to choose from predefined words and generate the complete URL for each host; the final URL is generated in the following format: www.{host}.com/data/tmp/sokakeme.jpg.

Once the malware obtains the data, it connects to the URL and sends encrypted (and base64-encoded) victim data such as IP address, user name, computer name, network domain, list of installed AVs, operating system, processor architecture, network and local drives, etc.
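The check-in described above (victim data sent to image-style URLs on many compromised sites) can be hunted for in web proxy logs. The following is an added example, not code from the original article or from Fortinet: it assumes a simplified, hypothetical log format of "client method url request-body-bytes", and the sample lines and host names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real telemetry).
# Assumed format: client_ip method url request_body_bytes
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example-news.example/img/logo.jpg 0
10.0.0.7 POST http://www.site-one.example/data/tmp/sokakeme.jpg 1840
10.0.0.7 POST http://www.site-two.example/data/tmp/sokakeme.jpg 1840
10.0.0.7 POST http://www.site-three.example/content/pics/placeholder.png 1852
10.0.0.9 POST http://www.photo-share.example/upload/pic.jpg 48213
10.0.0.5 POST http://intranet.example/api/login 212
this line is malformed and is skipped
"""

# Paths that look like static images; data POSTed to them is unusual.
IMAGE_EXT = re.compile(r"\.(jpg|jpeg|png|gif|bmp)$", re.IGNORECASE)


def parse_line(line):
    """Return (client, method, split_url, body_size) or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    client, method, url, size = parts
    return client, method.upper(), urlsplit(url), int(size)


def suspicious_clients(log_text, min_hosts=3):
    """Clients that POST a body to image-style paths on >= min_hosts hosts.

    A single upload to one photo site is common; the same client pushing
    data to image URLs on several unrelated sites matches the behaviour
    described in the article (a hard-coded list of compromised hosts).
    """
    hosts_by_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, url, size = rec
        if method == "POST" and size > 0 and url.hostname \
                and IMAGE_EXT.search(url.path):
            hosts_by_client[client].add(url.hostname)
    return {c: sorted(h) for c, h in hosts_by_client.items()
            if len(h) >= min_hosts}


if __name__ == "__main__":
    for client, hosts in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hosts))
```

The min_hosts threshold is a tuning assumption; lowering it to 1 also surfaces ordinary image uploads, such as the 10.0.0.9 line in the sample.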

Later on, GandCrab kills a specific list of processes, such as msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlwriter.exe, oracle.exe, synctime.exe, etc., to ensure the full encryption of targeted files.

Killing these processes helps ensure that the encryption routine completes its goal without any interruptions.

GandCrab Ransomware Attack – SMB Exploit

Various reports claim that this version of the GandCrab malware can self-propagate via an “SMB exploit”, which was also used to propagate the WannaCry and Petya/NotPetya ransomware attacks in the second quarter of last year.

The changes are extensive: the code structure of GandCrab was completely rewritten. According to Kevin Beaumont, a security architect based in the U.K., the malware now uses the EternalBlue National Security Agency (NSA) exploit to target SMB vulnerabilities and spread faster.

Based on the investigation report, a module called “network f**ker” is supposed to be responsible for performing the SMB exploit.

According to Fortinet, “In spite of this string, we could not find any actual function that resembles the reported exploit capability. Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.”

“We have provided this analysis to help prevent the possibility of unnecessary panic in the community. It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative,” Fortinet said.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
