New Ransomware Rumored to Spread SMB Exploit
Kacy Zurkus | July 13, 2018
Within two days of news that GandCrab 4.0 ransomware was being distributed through compromised websites posing as download sites for cracked applications, a newer version (v4.1) was found using the same method, according to Fortinet’s FortiGuard Labs. What sets the new version apart is an additional network communication tactic, backed by an unusually long hard-coded list of websites to which the malware connects.

“We found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab,” researchers wrote. One binary reportedly contains almost a thousand unique hosts. Upon connecting to a URL, the malware sends encrypted victim data, including the IP address, user name, computer name, network domain and a list of installed AV products.

“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes," said the researchers. "With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humor."
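Whatever the reason for it, posting the same data to every live host in a list of hundreds is a strong network signal in its own right: a single client issuing POSTs to dozens of distinct hosts within a few minutes is unusual for normal user traffic. The script below is an added example, not Fortinet's tooling or anything GandCrab itself contains; it runs a fan-out check over a constructed, invented proxy log. The log format (timestamp, client IP, method, destination host, status), the hostnames, the 5-minute window and the threshold of 20 distinct POST destinations are all assumptions chosen for illustration.

```python
"""Flag clients that POST to an unusually large number of distinct hosts
inside a short time window.  Added example; the log format, hostnames,
window and threshold are assumptions, not anything from the Fortinet report.
"""
from collections import Counter, deque
from datetime import datetime, timedelta


def build_sample_log() -> str:
    """Constructed sample proxy log (not real traffic).  One event per line:
    <ISO timestamp> <client IP> <method> <destination host> <status>"""
    lines = []
    base = datetime(2018, 7, 13, 10, 0, 0)
    # 10.0.0.5: 40 POSTs to 40 distinct hosts within about two minutes (fan-out)
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 POST site-{i:03d}.example 200")
    # 10.0.0.7: ordinary browsing, many distinct hosts but only GETs
    for i in range(30):
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 GET news-{i:02d}.example 200")
    # 10.0.0.9: a handful of POSTs spread over an hour (normal app traffic)
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 POST app-{i}.example 200")
    return "\n".join(lines)


def parse_log(text: str):
    """Turn log text into (timestamp, client, method, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, _status = line.split()
        events.append((datetime.fromisoformat(ts), src, method, host))
    return events


def max_post_fanout(events, window=timedelta(minutes=5)):
    """For each client, the largest number of distinct hosts that received a
    POST from it inside any interval of length `window` (sliding window)."""
    per_src = {}
    for ts, src, method, host in sorted(events):
        if method != "POST":
            continue
        per_src.setdefault(src, []).append((ts, host))

    result = {}
    for src, evs in per_src.items():
        recent = deque()          # events still inside the window
        live = Counter()          # distinct hosts currently in the window
        best = 0
        for ts, host in evs:
            recent.append((ts, host))
            live[host] += 1
            # Drop events that have aged out of the window.
            while recent and ts - recent[0][0] > window:
                old_ts, old_host = recent.popleft()
                live[old_host] -= 1
                if live[old_host] == 0:
                    del live[old_host]
            best = max(best, len(live))
        result[src] = best
    return result


def flag_fanout(text: str, threshold: int = 20,
                window=timedelta(minutes=5)):
    """Return the clients whose POST fan-out meets the threshold."""
    fan = max_post_fanout(parse_log(text), window)
    return sorted(src for src, n in fan.items() if n >= threshold)


if __name__ == "__main__":
    log = build_sample_log()
    print(max_post_fanout(parse_log(log)))
    print("suspicious:", flag_fanout(log))
```

Only POSTs are counted so that ordinary browsing, which also touches many hosts, does not trip the check; in a real deployment the threshold should be tuned against a baseline of the environment's own traffic, and the hit should be paired with the host-side indicators the article mentions, such as ransomware encryption activity on the same client.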