Gandcrab Ransomware Continues Agile Development With New 4.1 Version

What Is It?

Researchers have previously noted that the developers of Gandcrab ransomware appear to have adopted an agile development model as they’ve been releasing new versions that improve both the functionality and the underlying code.

This trend appears to be continuing as security vendor Fortinet discovered version 4.1 of Gandcrab only two days after the release of version 4.0. Due to such a rapid release schedule, Gandcrab is currently considered to be the most prolific ransomware family, responsible for over 50,000 infections and $600,000 in ransom payments in a two-month period earlier in 2018.

The new Gandcrab 4.1 added the more efficient Salsa2.0 encryption algorithm, removing the most commonly used RSA-2048. The most significant change is the malware now contains a lengthy list (in one case, nearly 1,000 long) of hardcoded command and control (C2) websites. The remainder of the C2 URLs is created from lists of words, allowing the final URL to appear to be randomly generated. The malware sends a variety of system information to the C2 site, including if the keyboard is using a Russian layout and the installed anti-virus product(s). Currently there appears to be no good reason to send this information, but it is potentially a feature that’s still under development. The malware will also terminate various processes belonging to Office, database, email and similar applications prior to encrypting files. Though not unique to Gandcrab, this ensures the user’s most current files will be encrypted, therefore maximizing the user’s motivation to pay the ransom.

According to Fortinet, one feature that Gandcrab does not yet include is the ability to propagate using network file shares, through the use of the EternalBlue exploit. This functionality is expected to be included in future versions.

How Does It Propagate?

The malware does not yet contain the necessary code to self-propagate. In this case, it has been observed being downloaded from compromised websites that claim to offer pirated software, but instead (somewhat ironically) serve the ransomware.

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 43 months prior to their release.

All Threat Reports