The notorious GandCrab ransomware has been updated to a new version, 4.1, which uses a worm-based attack targeting older servers and machines running Windows.
The GandCrab developers have gotten smarter and have started pushing their nasty ransomware to Windows XP and older Windows Server versions. The trick is to use a well-known SMB vulnerability, and the main reason for targeting those operating systems is a simple one: Microsoft no longer regards them as eligible for security updates and support.
The GandCrab 4.1 Variant Uses Different Encryption Than Before
GandCrab ransomware first became active in January 2018 and has swiftly risen to become one of the most prevalent ransomware viruses in the world. Not only that, but the ransomware is constantly being updated and released on the dark web by its developers. The latest version of the virus also uses the Salsa20 algorithm, which is far faster than the traditional RSA-2048 that the virus's predecessor variants originally used. The Salsa20 cipher is well known in the cyber-security world, primarily because it was used by the notorious Petya ransomware.
The new version of GandCrab also infects victims through more than one obfuscated method. It uses compromised WordPress sites to deliver its malware. The hackers are also very swift, updating their download URLs frequently in order to keep pushing the malware even when antivirus software blocks it. In addition, malicious e-mail spam messages should also be considered, as they were used by all of GandCrab's previous versions and account for over 80% of malware infections worldwide.
Another method, also reported by security experts, is the use of software patches or cracks for various well-known programs that users want to unlock in order to use the full versions.
The Hackers Mock Security Researchers
The hackers behind the GandCrab virus not only sell their malware on the deep web to interested parties who want to make money by "switching to the dark side", but have also included offensive remarks aimed at well-known security analysts. Furthermore, the ransomware, reportedly made by people who know what they are doing and who are likely from Russia or somewhere in Asia, has been given a new file extension to distinguish the new variant from the old one. The older variant's .crab file extension has been replaced with the newer .krab extension, which may appear in either capital or small letters depending on whether the version is 4.0 or 4.1.
Other than that, nothing in particular has changed with GandCrab, and the ransomware still demands payment in cryptocurrency, somewhere in the $500 to $1000 range, in DASH tokens.
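The extension change described above is the kind of indicator a defender can key on in file-system telemetry. The following is an added example, not code from the article or from any vendor, that scans constructed file-event lines for renames appending .crab or .krab (in any letter case, since the article notes the case varies between 4.0 and 4.1) and counts hits per host so that a burst of such renames on one machine stands out. The log line format, the host names and the paths are all assumptions invented for the example.

```python
import re
from collections import defaultdict

# Extensions the article associates with GandCrab: .crab (older builds) and .krab
# (4.x), the latter appearing in upper or lower case. We match case-insensitively.
GANDCRAB_EXTENSIONS = (".crab", ".krab")

# Constructed sample events (assumed format: timestamp host= action= [src=] dst=).
# These are not real telemetry.
SAMPLE_EVENTS = [
    "2018-07-10T09:14:02Z host=FS01 action=RENAME src=C:\\Users\\a\\report.docx dst=C:\\Users\\a\\report.docx.KRAB",
    "2018-07-10T09:14:02Z host=FS01 action=RENAME src=C:\\Users\\a\\budget.xlsx dst=C:\\Users\\a\\budget.xlsx.KRAB",
    "2018-07-10T09:14:03Z host=FS01 action=CREATE dst=C:\\Users\\a\\readme.txt",
    "2018-07-10T09:15:00Z host=WS07 action=RENAME src=C:\\tmp\\notes.txt dst=C:\\tmp\\notes.txt.crab",
    "2018-07-10T09:16:00Z host=WS07 action=RENAME src=C:\\tmp\\old.log dst=C:\\tmp\\old.log.bak",
    "2018-07-10T09:16:10Z host=WS09 action=RENAME src=C:\\data\\scan.pdf dst=C:\\data\\scan.pdf.krab",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+action=(?P<action>\S+)"
    r"(?:\s+src=(?P<src>\S+))?\s+dst=(?P<dst>\S+)$"
)


def parse_event(line):
    """Parse one event line into a dict of fields, or None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def extension_hint(event):
    """Return the appended extension exactly as observed (e.g. '.KRAB'), or None.

    Case is preserved because the article ties it to the 4.0/4.1 build, which
    is useful for triage even though the mapping is not given here.
    """
    if event is None:
        return None
    dst = event["dst"]
    for ext in GANDCRAB_EXTENSIONS:
        if dst.lower().endswith(ext):
            return dst[-len(ext):]
    return None


def is_gandcrab_rename(event):
    """True when a RENAME of an existing file appends a .crab/.krab extension."""
    if event is None or event["action"] != "RENAME" or not event["src"]:
        return False
    ext = extension_hint(event)
    if ext is None:
        return False
    # The original file name is kept and the extension is appended to it.
    return event["dst"][: -len(ext)] == event["src"]


def find_affected_hosts(lines, threshold=1):
    """Return {host: count} for hosts with at least `threshold` suspicious renames."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if is_gandcrab_rename(ev):
            counts[ev["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Flag any host with suspicious renames, then show which ones cross a burst threshold.
    print("hosts with GandCrab-style renames:", find_affected_hosts(SAMPLE_EVENTS))
    print("hosts at or above 2 renames:", find_affected_hosts(SAMPLE_EVENTS, threshold=2))
```

In practice the threshold would be set per time window rather than over a whole file, and the rename check would feed an isolation or alerting step; the example keeps the matching logic separate from parsing so it can be pointed at a real event source with only `EVENT_RE` changed.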