GandCrab In Huge Profit As SMBv1 Exploit Is Dismissed
As the world recovers from the WannaCry ransomware epidemic of 2017, the Server Message Block version 1 protocol has received a lot of press for being a highly-exploitable attack surface. Support for SMBv1 was enabled by default on all versions of Windows, while it has been already replaced by the more secure version 2 since the release of Windows Vista in 2006. The world can no longer afford a repeat past mistakes by leaving an out-of-date vulnerable protocol enabled, even though it may have been succeeded by a newer version. In their credit, Microsoft made sure that SMBv1 is no longer installed by default in Windows 10 build 1709 and later prevented the repeat success of a WannaCry successor.
Ransomware development has become a crazy profitable business for virus authors, even today in 2018, which is why firms need to establish a credible and effective backup system to recover from these types of attack. Cybercriminals are continually developing new successors of WannaCry ransomware with the hopes that more future victims will pony up the cryptos in defeat.
A new family of ransomware under the name “GandCrab” has been making a name for itself in the industry. Now in its version 4.1, GandCrab is rumored to have taken a page from the WannaCry playbook by exploiting the same SMBv1 vulnerability. Windows 7, Windows 8, and versions of Windows 10 and older than 1709 still come with SMBv1 enabled by default. Because of the legal applications are not compatible, not all system administrators have been able to remove the vulnerable protocol. Kevin Beaumont, a security researcher for the threat assessment firm DoublePulsar, clarified the truth of the rumor. “Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploiting propagation.” The string he referred to was about GandCrab’s module named “network f**ker,” but it remains to be seen if such a module executes during GandCrab’s infection.
The persistence of Windows XP and Server 2003 is also a troublesome fact because it increases the attack possibilities of any malware that uses the SMBv1 vulnerability. Beaumont explains further, “Impacting legacy XP and 2003 systems suggest some older environments may end up at risk where there is poor security practice — e.g. no working antivirus software. Since we had not seen any technical report for the claim, we decided to investigate and confirm this rumor since this functionality was not observed during our previous analysis.”
Instead of the SMBv1 exploit, GandCrab ransomware has a comprehensive list of dodgy websites who serve as its command and control center. Once a connection is established, the infected computer’s basic information such as hostname, IP address, network name, username, and the name of the antivirus installed in Windows are sent to the remote server. Fortinet researchers studying GandCrab have not found any further action or instruction coming from the remote server after it receives the stolen PC information. “This new version of the GandCrab malware contains an unusually long hard-coded list of compromised websites that it connects to. In one binary, the number of these websites can go up to almost a thousand unique hosts. Even more curious, the fact is that sending victim information to all live hosts on the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental or simply there to divert analysis and that the URLs included in the list are just victims of a bad humor.”
Aside from that illogical function, GandCrab has been a successful strain of malware. In just its first two months of activity, the virus authors responsible for releasing GandCrab have already raked in at least $600,000. As malicious authors continue to refine GandCrab to counter publicly available decryptors, their profits grow while those of businesses decrease.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.