This ransomware just added new tricks to spread faster and infect Windows XP PCs

A change in encryption mechanism and the ability to strike Windows XP machines via an SMB vulnerability improves GandCrab's ability to proliferate.
Written by Danny Palmer, Senior Writer

One of the most active forms of ransomware has been updated with a new means of encrypting data as the gang behind the malware look to ensure it remains as damaging as possible.

GandCrab ransomware first emerged in January this year and quickly rose to become one of the most popular forms of the file-locking malware. It's sold cheaply on the dark web as 'malware-as-a-service' and has regularly received updates from its developers.

Now the latest version of the ransomware has been released and contains what researchers at Fortinet describe as "an overhaul in terms of the code structure" - and some new tricks up its sleeve.

One of the biggest changes in GandCrab version 4 sees the encryption mechanism switched from RSA-2048 to a much faster Salsa20 stream cipher, enabling files to be encrypted more quickly than before. The Salsa20 mechanism was previously implemented by Petya ransomware.

This version of GandCrab is served up to victims via compromised WordPress websites which encourage users to download system tools via links that instead deliver the malware -- researchers say the malware executable and download links are being updated regularly. However, they don't rule out the possibility that it will once again be distributed by phishing emails at some point in the future.

As with previous versions of the ransomware, it checks to see if the system is in a Russian-speaking country and, if this is the case, won't go ahead with encrypting the files. This, combined with how GandCrab is sold on Russian hacking forums, points to the authors likely being from this region of the world.

Those behind GandCrab even taunt security researchers in the malware code, by adding their names and strange insults into the strings.

Victims who are unfortunate enough to become infected with the ransomware have their files encrypted with a new extension ".KRAB".
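A defender can turn that file extension into a simple behavioural detection: one process renaming many files to `.KRAB` in a short window is a strong signal of encryption in progress. The following is an added example, not code from the article or from Fortinet; the log line format (`<unix_ts> <pid> RENAME <src> -> <dst>`), the threshold and the window are assumptions, and the sample log is constructed.

```python
"""Rate-based detection of mass renames to the .KRAB extension (constructed example)."""
import re
from collections import defaultdict, deque

THRESHOLD = 5    # .KRAB renames by one process within WINDOW seconds that raise an alert
WINDOW = 10.0    # seconds

# Assumed log line format: "<unix_ts> <pid> RENAME <src> -> <dst>"; real EDR or Sysmon
# output differs, so the regex would need adapting.
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\d+) RENAME (\S+) -> (\S+)$")


def parse_event(line):
    """Return (ts, pid, src, dst) for a rename line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, src, dst = m.groups()
    return float(ts), int(pid), src, dst


def is_krab_rename(src, dst):
    """True when the rename only appends .KRAB to the original file name."""
    return dst.lower().endswith(".krab") and dst[:-5] == src


def detect_krab_renames(lines, threshold=THRESHOLD, window=WINDOW):
    """Return sorted (pid, ts) pairs: the moment each process crossed the threshold."""
    recent = defaultdict(deque)   # pid -> timestamps of its recent .KRAB renames
    alerted = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, pid, src, dst = ev
        if not is_krab_rename(src, dst):
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window:          # drop events outside the sliding window
            q.popleft()
        if len(q) >= threshold and pid not in alerted:
            alerted[pid] = ts
    return sorted(alerted.items())


# Constructed sample: pid 4242 renames six files in 2.5 s, pid 900 renames one.
SAMPLE_LOG = [
    "1530000000 900 RENAME C:\\docs\\notes.txt -> C:\\docs\\notes.txt.KRAB",
    "1530000000.2 777 RENAME C:\\tmp\\a.part -> C:\\tmp\\a.iso",
    "this line is not a rename event",
] + [
    f"{1530000000.5 + 0.5 * i} 4242 RENAME C:\\docs\\f{i}.docx -> C:\\docs\\f{i}.docx.KRAB"
    for i in range(6)
]

if __name__ == "__main__":
    print(detect_krab_renames(SAMPLE_LOG))   # [(4242, 1530000002.5)]
```

The single rename by pid 900 stays below the threshold, so only the burst from pid 4242 is reported, at the timestamp of its fifth rename.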

The updated encryption mechanism also allows the files to be encrypted even if the user isn't connected to the internet -- as opposed to previous versions that needed to connect to a command and control server before file encryption.

In addition to not requiring connectivity to encrypt files, security researcher Kevin Beaumont points out that GandCrab can now also spread via an SMB exploit -- including the ability to compromise machines running Windows XP and Windows Server 2003 in this way.

It's the first time ransomware has been able to organically spread itself to these older operating systems; the leaked EternalBlue exploit which powered WannaCry ransomware "never worked against XP targets out of the box", Beaumont writes.

"Being able to spread without internet access and impacting legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice," he added.

The new file extension and encryption technique are joined by an updated ransom note which shows the key GandCrab has encrypted files with, alongside data about the encrypted PC.

Not much has changed with the payment page -- the ransomware demands $500 to be paid in bitcoin or Dash cryptocurrency in exchange for the return of the files. The price doubles to $1000 if the ransom isn't paid within a few days.

As with other forms of ransomware, researchers have warned that the ransom shouldn't be paid -- as this only reinforces the criminals' belief that this illicit means of making money works.

But there's a simple way to avoid becoming a victim: don't download the malicious payload in the first place -- especially from untrusted sources.

"Users are advised to always be extra cautious with files downloaded from the Internet, especially cracked applications. Not only do these violate copyright laws, they also pose a great risk, especially for untrained users," Joie Salvio, senior threat researcher at Fortinet wrote in a blog post.
