One of the most active forms of ransomware has been updated with a new way of encrypting data, as the gang behind the malware works to make sure it remains as damaging as possible.
GandCrab ransomware first appeared in January of this year and quickly grew to become one of the most popular forms of file-locking malware. It is sold cheaply on the web as "malware-as-a-service" and regularly receives updates from its developers.
The latest version of the ransomware has been released and contains what Fortinet researchers describe as "a redesign".
One of the biggest changes in version 4 of GandCrab is that the cryptographic mechanism has been switched from RSA-2048 to the much faster Salsa20 stream cipher, which allows it to encrypt files faster than before. The Salsa20 mechanism has previously been used by Petya ransomware.
This version of GandCrab is pushed to victims via compromised WordPress sites that encourage users to download system tools through links that instead deliver the malware. The download links are updated regularly, but that does not rule out the ransomware being distributed via phishing emails at some point in the future.
As with previous versions of the ransomware, it checks whether the system is in a Russian-speaking country and, if so, will not go ahead with encrypting files. This, combined with the way GandCrab is sold on Russian hacking forums, indicates that the authors are probably from this region of the world.
Those behind GandCrab even taunt security researchers by adding their names and strange insults to the malware's strings.
Victims unlucky enough to be infected by the ransomware have their files encrypted and given a new extension, ".KRAB".
The updated encryption mechanism also allows files to be encrypted even if the user is not connected to the Internet, unlike previous versions, which needed to connect to their command-and-control server before encrypting files.
In addition to not needing connectivity to encrypt files, security researcher Kevin Beaumont points out that GandCrab can now be propagated via an SMB exploit, including the ability to compromise machines running Windows XP and Windows Server 2003 this way. This is the first time that ransomware has been able to propagate organically to these older operating systems; the EternalBlue exploit that powered WannaCry "has never worked against XP targets out of the box," writes Beaumont.
"[...] Internet access and the impact on older XP and 2003 systems suggest that some older environments may be threatened by poor security practices," he adds.
The new extension and encryption technique are accompanied by an updated ransom note, which is left with the encrypted files and includes data about the encrypted PC.
Little has changed on the payment page: the ransomware demands $500, to be paid in bitcoin or the cryptocurrency Dash, in exchange for the return of the files. The price doubles to $1,000 if the ransom is not paid within a few days.
As with other forms of ransomware, researchers warn that the ransom should not be paid, as this only encourages criminals to keep this illicit way of making money going, and that users should avoid downloading the malicious payload in the first place, especially from unreliable sources.
"Users are advised to always be very cautious with files downloaded from the Internet, especially pirated applications," wrote Joie Salvio, Senior Threat Investigator at Fortinet, in a blog post.