Only two days after the release of GandCrab ransomware v4.0, FortiGuard Labs researchers discovered a newer version, v4.1. This version still spreads the same way: through compromised websites disguised as download sites for cracked software.
The researchers say GandCrab v4.1 contains a very long hard-coded list of compromised websites that it connects to; in one binary sample, the list holds nearly a thousand sites.
To build the full URL for each website, GandCrab v4.1 uses a pseudo-random algorithm that selects from several sets of predefined words. The final URL follows the format of this example: www.{host}.com/data/tmp/sokakeme.jpg.
After successfully connecting to a URL, GandCrab v4.1 sends encrypted (and then base64-encoded) victim data to the compromised website. This data contains the following information about the infected system and the GandCrab instance:
· IP Address
· User name
· Computer name
· Network DOMAIN
· List of Installed AVs (if any exists)
· Default System Locale
· Keyboard Russian Layout Flag (0=Yes/1=No)
· Operating System
· Processor Architecture
· Ransom ID ({crc of volume serial number}{volume serial number})
· Network and Local Drives
· GandCrab Internal Info:
o id
o sub_id
o version
o action
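The check-in described above (a pseudo-randomly built image-like URL on a compromised host, then a base64-encoded payload sent to it) can be modelled and hunted for. The following is an added example, not code from the Fortinet research or the malware. The word lists, the POST method, the log record layout and the sample records are all assumptions for illustration; the page only gives the URL format and one example path.

```python
import random
import re
from urllib.parse import urlsplit

# ASSUMED word sets modelling the page's description: two directory names
# drawn from predefined lists, then a random filename with an image
# extension, matching the page's example www.{host}.com/data/tmp/sokakeme.jpg.
DIR1_WORDS = ["data", "static", "content", "includes", "uploads", "news"]
DIR2_WORDS = ["tmp", "temp", "images", "image", "pictures", "assets"]
EXTENSIONS = ["jpg", "png", "gif", "bmp"]


def build_checkin_url(host: str, seed: int) -> str:
    """Model of the URL scheme: http://host/<word>/<word>/<random-name>.<ext>."""
    rng = random.Random(seed)
    dir1 = rng.choice(DIR1_WORDS)
    dir2 = rng.choice(DIR2_WORDS)
    name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                   for _ in range(rng.randint(5, 10)))
    ext = rng.choice(EXTENSIONS)
    return f"http://{host}/{dir1}/{dir2}/{name}.{ext}"


# Detection side: a path that looks like a static image but receives a POST
# carrying a non-trivial base64 body is anomalous; genuine image fetches are GETs.
CHECKIN_PATH = re.compile(r"^/[a-z_-]+/[a-z_-]+/[a-z]{4,16}\.(jpg|png|gif|bmp)$")
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def url_matches_scheme(url: str) -> bool:
    """True if the URL path has the two-directory, random-image-name shape."""
    return bool(CHECKIN_PATH.match(urlsplit(url).path))


def is_suspect_checkin(method: str, url: str, body: str, min_body: int = 64) -> bool:
    """Flag a POST of a base64-looking body of at least min_body bytes to an image-like path."""
    return (method.upper() == "POST"
            and url_matches_scheme(url)
            and len(body) >= min_body
            and bool(BASE64_BODY.match(body)))


# Constructed sample records (not real traffic): (method, url, request body).
SAMPLE_RECORDS = [
    ("GET", "http://www.example.com/data/tmp/sokakeme.jpg", ""),
    ("POST", "http://www.example.com/data/tmp/sokakeme.jpg", "QUJD" * 40),
    ("POST", "http://www.example.com/api/login", "user=bob&pass=x"),
]


def flag_records(records):
    """Return the URLs of records that look like a ransomware check-in."""
    return [url for method, url, body in records if is_suspect_checkin(method, url, body)]


if __name__ == "__main__":
    print("modelled URL:", build_checkin_url("www.example.com", seed=7))
    print("flagged:", flag_records(SAMPLE_RECORDS))
```

Because the hosts are legitimate but compromised sites, blocking on hostname is unreliable; the method/path/body combination is the durable signal, and the word lists are only a model of the scheme rather than the malware's actual tables, so tune the path regex against your own proxy data before alerting on it.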
The researchers note that, to ensure target files are not held open or locked during encryption, GandCrab v4.1 attempts to kill the following processes:
– msftesql.exe
– sqlagent.exe
– sqlbrowser.exe
– sqlwriter.exe
– oracle.exe
– ocssd.exe
– dbsnmp.exe
– synctime.exe
– agntsvc.exeisqlplussvc.exe
– xfssvccon.exe
– sqlservr.exe
– mydesktopservice.exe
– ocautoupds.exe
– agntsvc.exeagntsvc.exe
– agntsvc.exeencsvc.exe
– firefoxconfig.exe
– tbirdconfig.exe
– mydesktopqos.exe
– ocomm.exe
– mysqld.exe
– mysqld-nt.exe
– mysqld-opt.exe
– dbeng50.exe
– sqbcoreservice.exe
– excel.exe
– infopath.exe
– msaccess.exe
– mspub.exe
– onenote.exe
– outlook.exe
– powerpnt.exe
– steam.exe
– thebat.exe
– thebat64.exe
– thunderbird.exe
– visio.exe
– winword.exe
– wordpad.exe
Killing these processes lets the encryption routine finish without interference from applications that hold the target files open. The files these processes handle (databases, mailboxes, Office documents) typically contain data that is valuable to the victim, which increases the likelihood that the victim will consider paying to recover their documents.
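The kill list above is a usable hunting artefact: a burst of terminations of database, mail and Office processes on one host within a few seconds is unusual outside reboots and updates. The following is an added detection example, not code from the Fortinet research. The log line format, the host names and the sample events are constructed for illustration; the process names are the ones listed above, with the three run-together entries reproduced exactly as they appear in the list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process image names GandCrab v4.1 attempts to terminate, as listed above.
KILL_LIST = {
    "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlwriter.exe", "oracle.exe",
    "ocssd.exe", "dbsnmp.exe", "synctime.exe", "agntsvc.exeisqlplussvc.exe",
    "xfssvccon.exe", "sqlservr.exe", "mydesktopservice.exe", "ocautoupds.exe",
    "agntsvc.exeagntsvc.exe", "agntsvc.exeencsvc.exe", "firefoxconfig.exe",
    "tbirdconfig.exe", "mydesktopqos.exe", "ocomm.exe", "mysqld.exe", "mysqld-nt.exe",
    "mysqld-opt.exe", "dbeng50.exe", "sqbcoreservice.exe", "excel.exe", "infopath.exe",
    "msaccess.exe", "mspub.exe", "onenote.exe", "outlook.exe", "powerpnt.exe",
    "steam.exe", "thebat.exe", "thebat64.exe", "thunderbird.exe", "visio.exe",
    "winword.exe", "wordpad.exe",
}


def parse_event(line: str):
    """Parse a constructed line: '<ISO timestamp> <host> <event type> <image path>'."""
    ts, host, event, image = line.split(" ", 3)
    # Normalise to the bare image name, lower-cased, so it matches KILL_LIST.
    return datetime.fromisoformat(ts), host, event, image.rsplit("\\", 1)[-1].lower()


def find_mass_termination(lines, window_seconds: int = 10, threshold: int = 3):
    """Return {host: set(images)} for hosts where at least `threshold` distinct
    kill-list processes were terminated within any `window_seconds` window."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, event, image = parse_event(line)
        if event == "ProcessTerminate" and image in KILL_LIST:
            per_host[host].append((ts, image))

    hits = {}
    window = timedelta(seconds=window_seconds)
    for host, events in per_host.items():
        events.sort()  # chronological; the sliding window starts at each event
        for i, (start, _) in enumerate(events):
            seen = {img for ts, img in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                hits[host] = seen
                break
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "2018-07-12T10:00:00 WS01 ProcessTerminate C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
    "2018-07-12T10:00:01 WS01 ProcessTerminate C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "2018-07-12T10:00:02 WS01 ProcessTerminate C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
    "2018-07-12T10:00:03 WS01 ProcessTerminate C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe",
    "2018-07-12T10:00:04 WS01 ProcessCreate C:\\Windows\\System32\\notepad.exe",
    "2018-07-12T09:00:00 WS02 ProcessTerminate C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "2018-07-12T17:30:00 WS02 ProcessTerminate C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
]


if __name__ == "__main__":
    for host, images in find_mass_termination(SAMPLE_LOG).items():
        print(f"{host}: {len(images)} kill-list processes terminated in a burst: {sorted(images)}")
```

Termination-only telemetry cannot tell you which process did the killing, so treat a hit as a trigger to pull process-creation and file-modification events for the same host and window; an EDR source that records the terminating parent lets you tighten the rule to a single non-system parent killing several of these images.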