Security researchers reverse engineered the updated GandCrab ransomware and discovered new features that improve its ability to evade detection and impede analysis by defense teams.

First discovered in January, GandCrab is now the most powerful threat of its kind, whether directed at a single person or an entire company, according to a July 31 threat report from McAfee.

GandCrab is similar to its peers in that it dupes users into installing it, locks them out of their devices and demands payment in cryptocurrency before restoring access. These new ransomware attacks can be introduced through a variety of attack vectors, from traditional phishing emails to Trojans, fake programs and exploit kits.

New Ransomware Attacks Hiding in Layers of Encryption

While a series of bugs in GandCrab’s code suggests that the ransomware isn’t the work of professionals, according to the researchers, it has unique characteristics that should put security teams on high alert. The most recent versions, for example, use an algorithm called Salsa20 to encrypt files instead of slower and less efficient alternatives such as the Advanced Encryption Standard (AES) and RSA.

By generating a random Salsa20 key and initialization vector for each file, GandCrab essentially guards itself with a series of encryption layers that prevent victims from recovering their files. Security teams would need the private key that corresponds to the public key embedded in the malware to unlock those per-file keys. In addition, since GandCrab deletes itself and any “shadow volumes” that might otherwise remain on an infected device, it is difficult for researchers to learn about new ransomware attacks after the fact.
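Because shadow-copy deletion is one of the few loud signals a ransomware run leaves behind, the following added example (not from McAfee's report or this article) shows a small detector that flags it in process-creation telemetry. The event records are constructed, and the Sysmon-style field names are an assumption.

```python
import re

# Constructed sample process-creation events with Sysmon Event ID 1 style
# fields (assumed names); they are not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "fs01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing only
    {"host": "ws03", "user": "CORP\\carol",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Get-WmiObject Win32_Shadowcopy | "
                "ForEach-Object { $_.Delete() }"},
]

# Common ways shadow copies get destroyed. Input is lower-cased and
# whitespace-collapsed before matching, so case changes or extra spaces
# in the command line do not slip past the patterns.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    re.compile(r"win32_shadowcopy.*\.delete\(\)"),
]


def normalise(cmdline):
    """Lower-case and collapse runs of whitespace to a single space."""
    return " ".join(cmdline.lower().split())


def is_shadow_copy_deletion(cmdline):
    """True if the command line matches a known shadow-copy deletion form."""
    text = normalise(cmdline)
    return any(p.search(text) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_deletions(events):
    """Return (host, user, cmdline) for every event that deletes shadow copies."""
    return [(e["host"], e["user"], e["cmdline"])
            for e in events if is_shadow_copy_deletion(e["cmdline"])]


if __name__ == "__main__":
    for host, user, cmd in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: {cmd}")
```

In a real deployment the same patterns belong in the SIEM rule that watches process-creation events, with the alert scoped to the host so the containment steps described later can be applied quickly.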

Defend Your Data With Last Resort Containment

Given how quickly this ransomware has become valuable to cybercriminals and the promotion it may be getting on underground forums, it may not always be possible to shut GandCrab out of corporate networks. In its “Ransomware Response Guide,” IBM X-Force recommends a method called last resort containment to help organizations respond when they can’t quickly or easily figure out where new ransomware attacks are coming from.

Steps to consider in this process include shutting down all file shares, taking them offline and restricting them by network. This can help decrease the likelihood that the ransomware will encrypt the shares and help businesses avoid paying fees to recover their stolen files.

Source: McAfee
