There are multiple complaints from users of torrent sites that their downloaded files contained the GandCrab ransomware and other malware, TorrentFreak recently reported. More specifically, files shared by CracksNow, a popular uploader of software cracks and keygens, have been infected.
GandCrab, Malware Hidden in Torrents
Several torrent sites have banned the account of the popular software uploader CracksNow. The software and cracks were repeatedly flagged as malicious and some came with the GandCrab ransomware. While malicious torrents are nothing new, it’s rare for this to happen via a “trusted” uploader.
As a result of these infections, torrent sites The Pirate Bay, TorrentGalaxy, and 1337x banned the account of CracksNow. Of course, these cases are not surprising at all since torrents are one of the most popular ways to get infected by malicious software.
Torrent site moderators have to review a number of reported torrents on a daily basis, and malware is often found in them. An admin of the 1337x website has shared with TorrentFreak that “they have a system in place to ensure that things don’t get out of hand. This includes an approval process for uploaders”. As it can be expected, the system isn’t flawless.
“It is a daily battle to sort the scumbags from the legit uploaders and staff work very hard but it’s not foolproof. What I will say is staff are very quick to adapt to all the new ways people try to beat our systems,” the admin said.
The same admin also said it was rather rare for a trusted uploader like CrackNow to “go rogue”.
Last week, it was revealed that GandCrab ransomware has been distributed with the help of [wplinkpreview url=”https://sensorstechforum.com/cve-2017-18362-kaseya-plugin-gandcrab/”]a two-year-old security flaw (CVE-2017-18362) in a software package used by remote IT security companies. The vulnerability has been exploited to grant access to vulnerable networks and distribute the ransomware payload.
GandCrab 5 strains have also been [wplinkpreview url=”https://sensorstechforum.com/new-gandcrab-5-strains-distributed-ransomware-service/”]distributed as ransomware-as-a-service. Last year, the operators behind the attacks were partnering with a malware crypting service called NTCrypt. This is a malicious tool that is used to enhance the malicious code and make it more difficult to remove, adding an extra layer of stealth protection.