GandCrab ransomware has received many updates during the past few months, and it has now been observed attempting to infect victims using the EternalBlue exploit. GandCrab typically spreads via spam emails; however, the latest version, GandCrab 4, is being distributed through compromised websites and appends the .KRAB extension to the files it encrypts. GandCrab 4 switched to the Salsa20 stream cipher for data encryption and removed older features such as the C&C communication it used for encrypting files. The malware executable and download links are updated frequently. Just a few days after the release of GandCrab 4, GandCrab 4.1 was seen in the wild showing signs of network communication. Since the malware is utilizing the EternalBlue exploit, Windows XP and Windows Server 2003 systems are being targeted along with modern operating systems. According to researchers, “the EternalBlue exploit targets a security bug in Windows’ Server Message Block (SMB) on port 445. The flaws, however, only impact older operating system versions, mainly Windows XP and Windows 7.” Microsoft had released a patch for the vulnerability before the exploit became public. Users are advised to patch their systems to prevent infection.
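A defender-side illustration of the .KRAB indicator described above: a small detector that alerts when one host writes many .KRAB files within a short window, which is how a file-rename burst from this ransomware would look in file-activity telemetry. This is added example code, not from the article or from Binary Defense; the log format and the sample events are constructed, and the detector assumes events arrive in time order.

```python
"""Flag hosts that write many files with GandCrab 4's .KRAB extension in a short window.

Added example, not from the article. The 'timestamp host path' line format and the
events below are constructed sample data, not output of any real product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-write events: ISO timestamp, hostname, path written.
# ws01 shows a burst of .KRAB writes; ws02 shows two isolated writes far apart.
SAMPLE_EVENTS = """\
2018-07-10T09:00:00 ws01 C:\\Users\\alice\\Documents\\report.docx
2018-07-10T09:00:02 ws01 C:\\Users\\alice\\Documents\\report.docx.KRAB
2018-07-10T09:00:02 ws01 C:\\Users\\alice\\Documents\\budget.xlsx.KRAB
2018-07-10T09:00:03 ws01 C:\\Users\\alice\\Pictures\\holiday.jpg.KRAB
2018-07-10T09:00:04 ws01 C:\\Users\\alice\\Desktop\\notes.txt.KRAB
2018-07-10T09:00:06 ws01 C:\\Users\\alice\\Desktop\\todo.md.KRAB
2018-07-10T09:10:00 ws02 C:\\Users\\bob\\Downloads\\archive.zip.KRAB
2018-07-10T10:30:00 ws02 C:\\Users\\bob\\Downloads\\other.zip.KRAB
"""


def parse_events(text):
    """Yield (timestamp, host, path) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, path = line.split(" ", 2)  # path may itself contain spaces
        yield datetime.fromisoformat(ts), host, path


def krab_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: time_of_first_alert} for hosts that write at least
    `threshold` .KRAB files inside any sliding `window`. Events must be time-ordered."""
    recent = defaultdict(deque)  # host -> timestamps of recent .KRAB writes
    alerts = {}
    for ts, host, path in parse_events(text):
        if not path.lower().endswith(".krab"):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop writes that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, when in krab_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {when.isoformat()} .KRAB write burst")
```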
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense