New Version of GandCrab Ransomware Attack via Compromised Websites using SMB Exploit Spreader

The new version of GandCrab ransomware discovered that attack the target system using SMB exploit spreader through compromised websites that posed as a download site.

GandCrab Ransomware Attack is wide spreading Ransomware nowadays with newly updated futures under constant development to target various countries.

Gandcrab Ransomware attackers widely scanning the internet web pages to find out the vulnerable websites and leverage it to distribute the ransomware in wide.

This new version of Gandcrab contains the long hard-coded list of compromised websites that used to connect with it.

The attacker using a specific pseudo-random algorithm to choose the predefined word to generate Complete URL for each host and the final URL generated by following format  www.{host}.com/data/tmp/sokakeme.jpg.

Once the malware obtains the data, it connects to the URL  sends encrypted (and base64-encoded) victim data such as  IP Address, User name, Computer name,   Network DOMAIN, List of Installed AVs,  Operating System, Processor Architecture, Network and Local Drives etc.

Later on, GandCrab Ransomware Attack kill the specific listed of the process such as msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlwriter.exe,  oracle.exe,  synctime.exe, etc to ensure the full encryption of targeted files.

This killing process operation would helps to ensure that encryption routine to successfully complete its goal without any interruptions.

GandCrab Ransomware Attack – SMB Exploit

A various reports claiming that this version of the GandCrab malware can self-propagate via an “SMB exploit” which is also used to propagate for  WannaCry and Petya/NotPeta ransomware attacks in the second quarter of last year.

The new extent of the changes. The code structure of the GandCrab Ransomware Attack was completely rewritten. And, according to Kevin Beaumont, a security architect based in the U.K., the malware now uses the EternalBlue National Security Agency (NSA) exploit to target SMB vulnerabilities and spread faster.

Based on the investigation report, a module called “network f**ker” is supposed to be responsible for performing the SMB exploit.

According to Fortinet, in spite of this string, we could not find any actual function that resembles the reported exploit capability.  Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.

“We have provided this analysis to help prevent the possibility of unnecessary panic in the community. It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative. Fortinet said.