GandCrab V4.1 ransomware is using SMB exploit to spread around

Newest GandCrab version uses vulnerable websites to attack potential victims

GrandCrab V4.1 comes out right after V4 and is filled with new features.

Right after the 4th version of GandCrab ransomware was discovered, security experts reported the detection of 4.1 version. While the 4th malware's version has been spreading with the help of malicious pages injected into the legitimate sites, this new version is using numerous compromised websites presenting themselves as sources for software cracks.

Also, the new fact related to this ransomware is the Network Communication feature used to send encrypted victim's data with its developers. According to the article from Fortinet,^[1] the names of sites used for this type of communication are set using a pseudo-random algorithm that selects predetermined words and joins them into a sequence. Sets of words chosen from the pre-defined list and final URL is formed in a format: “www.{host}.com/word1/word2/fname.extension.” After connecting to the newly-set URL, GandCrab sends encrypted data, including the victim's IP address, username, operating system and so on.

Moreover, the malware might also use SMB exploit, making the attack similar to WannaCry^[2] and Petya^[3] ransomware attacks which used EternalBlue^[4] last year. This ability to self-propagate has been causing a wind in the cybersecurity world after these scandals.

Speculation behind the ransomware attack

It is more than obvious that GandCrab has received numerous changes during the last few months. While it is the same file-encrypting malware that causes the loss of important data to its victims, these new features used for virus distribution and communication with its developers are believed to cause a massive stir in the IT world.

However, there also are many mixed opinions on the exploit itself:

Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humor.

Many sources, as the same Fortinet article, are claiming that this GrandCrab SMB exploit was only speculative. The functionality is not discovered, but it might be added as a feature later. Microsoft has already presented an update called MS17-010 to fix the vulnerability.

Patching can help if it is done in time

In this case, patching^[5] cannot be ignored as exploited vulnerabilities or flaws can lead you to the infiltration of malware. Besides, downloading vulnerability patches can eliminate specific bugs, improve the stability of the operating system, fix security issues. Patching is an essential preventative measure when keeping machines up-to-date and safe from threats.

Most of the cyber attacks take advantage of these hardware or software issues, and patching is needed. This also means that updating software can help in prevention. Unfortunately, the unpatched software can become a magnet for malware and cause a lot of damage.

There were a lot of instances where even the OS companies analyzed these issues and information about the tendency in updating the equipment. Expired antivirus software can be one of the most exploited vulnerabilities. People are not always careful and protecting their machines. The more different security software you use, the less likely you are risking to get a cyber infection.