GandCrab ransomware attacks from legitimate websites

A new way to spread GandCrab virus

GandCrab^[1] is definitely the highlight in the ransomware world this year. The file-encrypting virus keeps improving and looking for new ways to reach potential victims. This time researchers found malware lurking on the legitimate, but compromised, websites.

Researchers from Cisco^[2] spotted four ransomware distribution campaigns since the beginning of May. According to the analysis, the attack was launched by exploiting vulnerabilities in outdated software, such as MySQL or WordPress.

The compromised websites downloaded malware payload on the computer as soon as a victim opened macro-enabled Word document sent via malicious spam emails. Within a couple of minutes, all targeted data on the computer becomes useless due to .gdcb or .crab file extensions.

Two legitimate websites downloaded GandCrab payload

Authors of malware launched a new spam campaign to spread GandCrab at the end of April. Malicious emails included a ZIP archive with malicious Word document. Originally, malware payload was downloaded from the hacker-owned domain. However, security researchers noticed that the domain was changed within a couple of days.

On the second of May, researchers reported that pushpakcourier[.]net site is compromised and used for downloading GrandCab payload. Developers of ransomware chosen a legitimate Indian courier company to accompany them in malware distribution.

However, soon after the discovery, the website was taken down. According to the research, the Indian courier company website had several MySQL vulnerabilities that seemed to be exploited by cyber criminals.

A couple of days later similar campaign was noticed on Herbal Treatment Advisory website, which is also legitimate. The compromised herbal-treatment-advisory[.]com website is built on WordPress, and haven’t installed any updates for more than a year.

The interesting and unpleasant fact is that Herbal Treatment website has been compromised in the past and helped cyber criminals to distribute GandCrab. It seems that some people cannot learn from their first mistake.

Cyber criminals are searching for other vulnerable websites

Security specialists have no doubts that authors of GandCrab are scanning the web and looking for new victims. The case of these two compromised websites reminds about the importance of using up-to-date software.^[3]

Website owners or administrators who cannot remember when they installed latest patches or updates, should do it right now. It might be hard to follow all security updates, but it’s important to dedicate some time and check them regularly. It’s important for maintaining business and keeping trust with the customers.

Meanwhile, all computer users are reminded to stay away from suspicious emails,^[4] especially the ones that arrive in the spam folder. The latest GandCrab spam campaign used “Your Order #{Random Digits}” subject line, so if you see such email in your inbox, delete it immediately.

However, subject lines and topics of the malicious emails might differ. For this reason, it’s important to stay vigilant and carefully investigate the letter^[5] before opening any attached files. Even safe-looking Word file might lead to ransomware attack.