August 16, 2018 By Shane Schick 2 min read

Security researchers reverse engineered the updated GandCrab ransomware and discovered new features that improve its ability to evade detection and impede analysis by defense teams.

First discovered in January, GandCrab is now the most powerful threat of its kind, whether directed at a single person or an entire company, according to a July 31 threat report from McAfee.

GandCrab is similar to its peers in that it dupes users into installing it, locks them out of their devices and demands payment in cryptocurrency before restoring access. These new ransomware attacks can be introduced through a variety of attack vectors, from traditional phishing emails to Trojans, fake programs and exploit kits.

New Ransomware Attacks Hiding in Layers of Encryption

While a series of bugs in GandCrab’s code suggests that the ransomware isn’t the work of professionals, according to the researchers, it has unique characteristics that should put security teams on high alert. The most recent versions, for example, use an algorithm called Salsa20 to encrypt files instead of slower and less efficient alternatives such as the Advanced Encryption Standard (AES) and RSA.

By generating random Salsa20 keys and initialization vectors for each file, GandCrab essentially guards itself with a series of encryption layers that prevent victims from breaking it open again. Security teams would need a private key to get at the embedded public key. In addition, since GrandCrab deletes itself and any “shadow volumes” that might otherwise remain on an infected device, it is difficult for researchers to learn about new ransomware attacks after the fact.

Defend Your Data With Last Resort Containment

Given how quickly this ransomware has become valuable to cybercriminals and the promotion it may be getting on underground forums, it may not always be possible to shut GandCrab out of corporate networks. In its “Ransomware Response Guide,” IBM X-Force recommends a method called last resort containment to help organizations respond when they can’t quickly or easily figure out where new ransomware attacks are coming from.

Steps to consider in this process include shutting down all file shares, taking them offline and restricting them by network. This can help decrease the likelihood that the ransomware will encrypt the shares and help businesses avoid paying fees to recover their stolen files.

Source: McAfee

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today