New Alert: GandCrab Ransomware V5.0.4

29/10/2018 18:57:18

The GandCrab ransomware family has had an active 2018 (previous alerts were issued for GandCrab 4.0, GandCrab 5.0 and GandCrab 5.0.3), and the epidemic continues: this latest alert from Sangfor warns you to look out for the newest variant, GandCrab 5.0.4.


The Sangfor security team recently discovered that the newest variant, GandCrab 5.0.4, is on the rise, having victimized numerous Asian hospitals that suffered significant business interruption. Analysis of samples shows that GandCrab 5.0.4 uses the RSA and AES algorithms to encrypt most of the files on a system, appends a randomly generated extension to each encrypted file and demands a ransom from the victim. Currently, no decryption method is available.


The ransomware spreads via RDP brute-force attacks, email, unpatched vulnerabilities and Trojan-infected websites. It does not self-propagate to other devices on the local area network, but it does encrypt files in shared folders reachable from the infected host.


GandCrab 5.0.4 is very similar to GandCrab 5.0.3 in all respects, except that 5.0.4 hard-codes a photo of a specific person and lashes out at that person.

Sangfor provides detection and protection solutions against both GandCrab 5.0.3 and GandCrab 5.0.4 ransomware.


Attack Procedure
The attack procedure, similar to that of GandCrab 5.0.3, is as shown below:


GandCrab 5.0.4 ransomware hard-codes an image, as shown below:


Additionally, it drops a photo of Valery Sinyaev* on the victim's PC and lashes out at this person.

*Valery Sinyaev is a finance and operations professional at a logistics company in Russia.

Kill Process:
The ransomware enumerates running processes and terminates those that would interfere with encryption, in two passes:

First, it kills security software.



Second, it kills application software, including database applications, so that files those applications hold open can be encrypted.


Before encrypting, the ransomware checks the system language identifier (hex LCID) and does not encrypt hosts whose identifier is in its exemption list. The exempted regions/countries are the same as for GandCrab 5.0.3:
•    419 (LANG_RUSSIAN, Russia)
•    422 (LANG_UKRAINIAN, Ukraine)
•    423 (LANG_BELARUSIAN, Belarus)
•    428 (LANG_TAJIK, Tajikistan)
•    42B (LANG_ARMENIAN, Armenia)
•    42C (LANG_AZERI, Azerbaijan, Latin script (az))
•    437 (LANG_GEORGIAN, Georgia)
•    43F (LANG_KAZAK, Kazakhstan)
•    440 (LANG_KYRGYZ, Kyrgyzstan)
•    442 (LANG_TURKMEN, Turkmenistan)
•    443 (LANG_UZBEK, Uzbekistan, Latin script (uz))
•    444 (LANG_TATAR, Russia (ru))
•    818 (LANG_ROMANIAN, Moldova)
•    819 (LANG_RUSSIAN, Moldova)
•    82C (LANG_AZERI, Azerbaijan, Cyrillic script (az))
•    84 (LANG_UZBEK, Uzbek)

New exempted region for GandCrab 5.0.4:
•    415 (LANG_POLISH, Poland)

File Encryption Process:
Traverses the file system, encrypts files and appends a randomly generated extension to each encrypted file.


Deletes volume shadow copies.
After the files are encrypted, the ransomware calls ShellExecuteW to launch wmic.exe and delete the volume shadow copies, so that files cannot be recovered from Windows' Previous Versions snapshots.
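The wmic.exe launch described above leaves a process-creation record on any host with Sysmon (Event ID 1) or Windows 4688 auditing with command-line logging enabled. The following Python is an added example for this alert, not Sangfor's code or GandCrab's: a small detection rule run over constructed sample records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User). It flags the wmic form this variant uses and, going beyond the page, the equivalent vssadmin and wbadmin forms seen in other ransomware, and raises the severity when the parent process lives in a user-writable directory, since that is where a dropped ransomware binary usually runs from. The field names, sample paths, user names and the random executable name are all assumptions for the example.

```python
"""Detect volume-shadow-copy deletion in process-creation logs (added example)."""
import re

# Command-line patterns for shadow-copy / backup-catalog destruction.
# Matching is case-insensitive and tolerant of full paths and extra flags.
SHADOW_DELETE_PATTERNS = [
    # wmic shadowcopy delete  (the form this GandCrab variant uses)
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # vssadmin delete shadows /all /quiet  (common in other ransomware families)
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    # wbadmin delete catalog -quiet  (removes the Windows backup catalog)
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
]

# Parent locations from which an administrator would not normally run these tools.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def classify_event(event):
    """Return an alert dict for one process-creation event, or None if benign.

    `event` is a dict carrying the Sysmon EID 1 fields used here:
    Image, CommandLine, ParentImage, User (field names are an assumption).
    """
    cmd = event.get("CommandLine", "")
    for pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(cmd):
            parent = event.get("ParentImage", "")
            from_user_dir = any(d in parent.lower() for d in SUSPICIOUS_PARENT_DIRS)
            return {
                "severity": "critical" if from_user_dir else "high",
                "reason": "shadow copy deletion",
                "command": cmd,
                "parent": parent,
                "user": event.get("User", ""),
            }
    return None


def scan_events(events):
    """Run classify_event over a list of events and return the alerts in order."""
    return [alert for alert in (classify_event(e) for e in events) if alert]


# Constructed sample records (not real telemetry), shaped like Sysmon EID 1.
SAMPLE_EVENTS = [
    {   # the post-encryption step described in the alert, spawned by a dropped binary
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete',
        "ParentImage": r"C:\Users\alice\AppData\Roaming\xvwrqep.exe",
        "User": r"CORP\alice",
    },
    {   # an administrator's WMI query: same binary, benign verb
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": r"wmic os get caption",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\admin",
    },
    {   # vssadmin form launched from a shell; still destructive, parent not user-writable
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": r"vssadmin delete shadows /all /quiet",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\bob",
    },
    {   # ordinary process creation, unrelated to shadow copies
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n report.docx',
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\alice",
    },
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['reason']}: {alert['command']}"
              f"  (parent={alert['parent']}, user={alert['user']})")
```

Run as-is, the script reports two alerts: the wmic deletion from the AppData parent as critical and the vssadmin deletion as high; the WMI query and the Word launch produce nothing. The parent image is included deliberately: for this variant it is the ransomware executable itself, which is the file a responder needs to pull from the host before the cleanup starts.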


Finally, a ransom note is generated and the desktop wallpaper is changed, as shown below:


This ransomware has a very similar structure and process to GandCrab 5.0.3.



Solutions

At the time of writing, there is no decryption tool available. The only immediate response is to quarantine infected hosts and disconnect them from the network. Sangfor recommends performing a virus scan and enabling protections as soon as possible.

Ransomware Detection
1.    Sangfor offers customers and users free anti-malware software to scan for and remove this ransomware. Download it from:
http://go.sangfor.com/anti-bot-tool-20181029
2.    Sangfor NGAF is capable of detecting and removing this ransomware.

Protection
1.    Keep hosts patched: install the corresponding patch for any vulnerability the ransomware could exploit to gain entry.
2.    Back up critical data files regularly to other hosts or storage devices.
3.    Do not open email attachments from unknown sources and do not download software from untrusted websites.
4.    Disable unnecessary file sharing permissions.
5.    Change and strengthen your computer passwords, and do not reuse the same password across computers, so that one compromised credential cannot be used to compromise a series of hosts.
6.    GandCrab ransomware may make use of RDP. Disable RDP if it is unnecessary for your business. When computers are under attack, use Sangfor NGAF to block port 3389 and other unneeded ports to stop the ransomware from spreading.
7.    Turn on Sangfor NGAF brute-force attack protection and enable rules 11080051, 11080027 and 11080016.
8.    For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable the antivirus engine Engine Zero.

Perform a security scan and virus removal across the whole network. We recommend Sangfor NGAF to detect, prevent and protect your internal network.


Consultancy and Services
Contact us by any of the following means for free consultancy and support services.
1.    Call us at +60 12711 7129 (7511)
2.    Visit Sangfor Community (http://community.sangfor.com) to connect with a Virtual Agent.




COPYRIGHT © 2000-2018 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.