It was only a few months back that free decryption tools were made available for GandCrab version 5.0 - 5.0.3. And, while these tools are yet to be made public, a new version of GandCrab has appeared. The developers of GandCrab released the new version - GandCrab v5.1 - within 24 hours of the release of the decryption tools.
The latest version of the ransomware comes with a variety of distribution changes and UX updates to the GandCrab TOR sites.
Multiple attack vectors and distribution techniques
Highlighting the attack vectors of the ransomware, the researchers said, “The primary attack vector for ransomware remains RDP ports, but GandCrab has a diverse array of distribution methods. While RDP-based ransomware attacks remain popular, automated attacks using exploit kits such as Fallout EK, Emotet, or credential stealers like Vidar have been linked to GandCrab infections as well.”
Given the wide use of these broadly available toolkits, the ransomware authors have increased the average size of GandCrab ransomware.
Hidden private chat
The ransomware’s TOR site comes with a hidden private chat that can be enabled using one of the discount codes. This allows dishonest data recovery firms to hide the final cost of the GandCrab decryption process from their customers, along with their chats with GandCrab support.
The discount code can be requested over chat. However, it can only be activated on the systems of targeted users.
“After entering the code, the applicable discount is displayed and the USD ransom amount on the payment pages is automatically adjusted. Discounts range from 5-20% depending on the size of the ransom,” the Coveware researchers added.
The payment process for GandCrab v5.1 remains the same. Here, the affected users are required to pay the ransom in Dash rather than in Bitcoin. “The wallet address for each page is unique and is rigged to trigger an updated screen on the TOR site once the correct amount of coins hits the wallet,” the researchers explained.
In addition to chat support, the automated test decryption feature remains bug-free. Victims of an attack are able to upload a small image as proof of decryption, and the site offers the decrypted file back via download. We imagine considerable development went into making this feature robust: file restrictions ensure no files of value are decrypted for free.
In addition to the new distribution and infection patterns, the GandCrab developers invested some time into their UX. The GandCrab v5.1 TOR site features new crab cartoon graphics (an homage to Mr. Krabs, a SpongeBob SquarePants character). The graphics give the impression that the developers feel their ransomware is little more than a prank, rather than a serious existential attack on a business or a person’s data.
IOC details:
Hash value | Ransomware name
e07f475828212386fd2d2bd4564302546989a33ae5926e176e36ba0704172c44 | pycoin/jigsaw Ransomware
3ea16fdf81960c5bd56902d4ea7dd448fd07d6a6a56dd8ad8a234bad6209439c | GandCrab5.1 Downloader
711a691cb3dbc151c34dfb05c72670ce724f97aeb28375777430cc16e784b72a | GandCrab5.1 Downloader
ce8a3474f1be9d750b5a5d5447e8f66b651d215799c1b5acb261296426542659 | GandCrab5.0.9
7088cc169c4727bba6e2ac418ef356c93fdeeec5a305770a567ca04839d095fa | GandCrab5.0.9