Alert: GandCrab v4.0 Ransomware Broke Out

31/08/2018 18:46:20
The Sangfor security team recently investigated several ransomware attack events and, after immediate analysis, identified a new variant of the GandCrab ransomware family. It uses RSA and AES to encrypt most files on the system, appends the .KRAB extension to the encrypted files and demands a ransom from the victim.

GandCrab ransomware was first discovered 7 months ago in January 2018. Its variants (v1.0, v2.0, v2.1, v3.0 and v4.0) appeared subsequently, and at the time of this publication there are no known file decryption methods.

GandCrab v4.0 spreads via RDP brute-force attacks, email, vulnerability exploitation and trojan-infected websites. It does not self-propagate across the intranet, but it is capable of encrypting files in network shared folders.



Sample Analysis

Attack procedure is as follows:




Encryption by Obfuscation and Decryption in Memory

The sample is protected by several layers of encryption and obfuscation, so it must be decrypted and de-obfuscated before the real code can be obtained. The payload code is first decrypted in memory, then copied to a new memory region. After the memory protection attributes of that region are changed, execution is redirected to the corresponding payload entry point, which then carries out the ransom routine.



Elevate Privilege:




Kill Process:

The sample enumerates running processes and terminates the following ones:



Exempt Regions:

GandCrab v4.0 checks the installed input methods (keyboard layouts) and the OS language to determine whether the host should be exempt from encryption.

The exempted regions/countries are as follows:

419 (LANG_RUSSIAN, RUSSIAN)
422 (LANG_UKRAINIAN, UKRAINE)
423 (LANG_BELARUSIAN, BELARUS)
428 (LANG_TAJIK, TAJIKISTAN)
42B (LANG_ARMENIAN, ARMENIA)
42C (AZERBAIJAN, LATIN (AZ))
437 (LANG_GEORGIAN, GEORGIAN)
43F (LANG_KAZAK, KAZAKH)
440 (LANG_KYRGYZ, KYRGYZ)
442 (LANG_TURKMEN, TURKMENISTAN)
443 (UZBEKISTAN, LATIN (UZ))
444 (LANG_TATAR, RUSSIA (RU))
818 (UNKNOWN)
819 (UNKNOWN)
82C (LANG_AZERI, AZERBAIJAN, CYRILLIC (AZ))
843 (LANG_UZBEK, UZBEK)



Generate Public Key:

Hard-coded data in the program is used to generate the RSA public key used for encryption, as shown below:




Encrypt Shared Folder:

Next, files in shared folders on the local network are encrypted, as shown below:





Encrypt Files:

The ransomware then traverses the file paths on the host and writes each encrypted file with the .KRAB extension, as shown below:




Delete Disk Volume Shadow:

After the files are encrypted, ShellExecuteW is called to launch wmic.exe and delete the disk volume shadow copies, so that they cannot be used to restore the files. The following message is then displayed to demand the ransom:
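As an added defender-side example (not from the Sangfor advisory), the following Python applies two detections drawn from the behaviour described above to constructed Sysmon-style events: a process spawning wmic.exe to delete shadow copies (with the vssadmin equivalent added as a generalization beyond the page), and a single process writing a burst of .KRAB files. The event layout, the paths and the dropper name inv.exe are assumptions made for the sample data.

```python
import re
from collections import Counter

# Constructed sample telemetry, Sysmon-style: id 1 = process create, id 11 = file create.
# Paths and the dropper name "inv.exe" are invented for this example.
DROPPER = r"C:\Users\bob\AppData\Local\Temp\inv.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": DROPPER, "parent": r"C:\Windows\explorer.exe", "cmd": DROPPER},
    {"id": 11, "image": DROPPER, "target": r"C:\Users\bob\Documents\q1.xlsx.KRAB"},
    {"id": 11, "image": DROPPER, "target": r"\\fs01\finance\budget.docx.KRAB"},
    {"id": 11, "image": DROPPER, "target": r"C:\Users\bob\Pictures\cat.jpg.KRAB"},
    {"id": 11, "image": r"C:\Program Files\Backup\agent.exe", "target": r"D:\backup\2018-08-31.vbk"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": DROPPER,
     "cmd": "wmic shadowcopy delete"},
]

SHADOW_DELETE_PATTERNS = [
    # wmic.exe deleting shadow copies: the method this sample uses.
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    # vssadmin equivalent, added as a generalization (not described on the page).
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
]


def is_shadow_copy_delete(cmdline):
    """True if a command line deletes volume shadow copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def analyze(events, krab_threshold=3):
    """Return (rule, image, detail) findings over process-create and file-create events."""
    findings = []
    krab_writes = Counter()  # count of .KRAB files written, keyed by the writing process
    for ev in events:
        if ev["id"] == 1 and is_shadow_copy_delete(ev.get("cmd", "")):
            # Record the parent: the shadow-copy deletion is spawned by the encryptor itself.
            findings.append(("shadow_copy_delete", ev["image"], ev.get("parent", "")))
        elif ev["id"] == 11 and ev.get("target", "").lower().endswith(".krab"):
            krab_writes[ev["image"]] += 1
    for image, count in krab_writes.items():
        if count >= krab_threshold:
            findings.append(("krab_extension_burst", image, count))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the .KRAB burst rule should be evaluated per time window, and the parent of wmic.exe should be compared against an allow-list of backup and administration tools.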




Solutions

There are no decryption tools available for victims at this time. You are advised to quarantine infected hosts and disconnect them from the network, and to perform virus scans and put appropriate protections in place as soon as possible.

Detection and Removal

1. Sangfor offers customers and individuals a free anti-malware software to scan for and remove the ransomware virus (http://go.sangfor.com/edr-tool-20180824).

2. Sangfor NGAF product is capable of detecting and removing this ransomware virus.

Protection

1. Install the corresponding security patches promptly to close the vulnerabilities used for initial access.

2. Back up critical data files regularly to other hosts or storage devices.

3. Do not open email attachments from unknown sources and do not download software from untrusted websites.

4. Disable unnecessary file sharing permissions.

5. Change and strengthen your computer password and do not use the same passwords for multiple computers to avoid compromising a series of computers.

6. Earlier GandCrab ransomware sometimes made use of RDP. Please disable RDP if it is not business critical. If computers are attacked, use Sangfor NGAF to block port 3389 and other ports to stop the ransomware from spreading.

7. Turn on brute-force attack protection on Sangfor NGAF and enable Rule 11080051, 11080027 and 11080016.

8. Perform security scans and virus removal on the entire network and enhance network security. We recommend using Sangfor NGAF to detect, prevent and protect your internal network.

Consultancy and Services

Contact us by any of the following means to gain consultancy and support service for free.
1. Call us at +60 12711 7129 (7511)
2. Visit Sangfor Community (http://community.sangfor.com) and ask our Virtual Agent.


COPYRIGHT © 2000-2018 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.