Fortinet detected a new version of the GandCrab ransomware, ver 4.1

Do Son July 20, 2018 2 minutes read

Only two days after the release of GandCrab ransomware 4.0, FortiGuard Labs researchers discovered a newer version (v4.1). This version still uses the same method to spread, and the website to be compromised is disguised as a cracking software download site.

Researchers say GandCrab ransomware v4.1 includes a very long hard-coded list of infected websites to which it is connected. In a binary file, the number of these sites has reached nearly a thousand.

Also, to survive the full URL of each website, GandCrab v4.1 uses a pseudo-random algorithm to select from multiple sets of predefined words. The final URL is in the following format (e.g. www.{host}.com/data/tmp/sokakeme.jpg).

After successfully connecting to the URL, GandCrab v4.1 sends the encrypted (and base64 encoded) victim data to the infected website, which contains the following infected system and GandCrab information:

IP Address

·       User name

·       Computer name

·       Network DOMAIN

·       List of Installed AVs (if any exists)

·       Default System Locale

·       Keyboard Russian Layout Flag (0=Yes/1=No)

·       Operating System

·       Processor Architecture

·       Ransom ID ({crc of volume serial number} {volume of serial number})

·       Network and Local Drives

·       GandCrab Internal Info:

o   id

o   sub_id

o   version

o   action

The researchers pointed out that to ensure the smooth encryption of the target file, GandCrab v4.1 may kill the following processes:

– msftesql.exe

– sqlagent.exe

– sqlbrowser.exe

– sqlwriter.exe

– oracle.exe

– ocssd.exe

– dbsnmp.exe

– synctime.exe

– agntsvc.exeisqlplussvc.exe

– xfssvccon.exe

– sqlservr.exe

– mydesktopservice.exe

– ocautoupds.exe

– agntsvc.exeagntsvc.exe

– agntsvc.exeencsvc.exe

– firefoxconfig.exe

– tbirdconfig.exe

– mydesktopqos.exe

– ocomm.exe

– mysqld.exe

– mysqld-nt.exe

– mysqld-opt.exe

– dbeng50.exe

– sqbcoreservice.exe

– excel.exe

– infopath.exe

– msaccess.exe

– mspub.exe

– onenote.exe

– outlook.exe

– powerpnt.exe

– steam.exe

– thebat.exe

– thebat64.exe

– thunderbird.exe

– visio.exe

– winword.exe

– wordpad.exe

Killing these processes allows the cryptographic routine to complete its target without any undesired interruptions. Also, these target file types typically contain data that is valuable to the victim, thus increasing the likelihood that the victim will consider paying for their documents.

Source, Image: Fortinet

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: GandCrab ransomware