GandCrab: The New King of Ransomware?

silversurfer

Cryptominers have plateaued, GandCrab is the new king of ransomware, adware -- surprise! -- is as prolific as ever, and VPNFilter might herald a new genre of sophisticated multi-purpose malware. These are some of the conclusions drawn from the Malwarebytes Cybercrime tactics and techniques report for Q2, 2018.

The details come from an analysis (PDF) of the telemetry obtained from the millions of computers using Malwarebytes software. It confirms what has been seen elsewhere: "Ransomware detections dropped this quarter on both the consumer and business sides by 12 and 35 percent, respectively."

This doesn't mean that ransomware has gone away. GandCrab has been the most prolific, partly down to its use by the Magnitude botnet. A decryptor for GandCrab is available on the NoMoreRansom website; but Malwarebytes warns, "there's always a risk that the latest versions being distributed by various exploit kits have no solution in place."
 

LASER_oneXM

source: Vaccine Available for GandCrab Ransomware v4.1.2

Vaccine Available for GandCrab Ransomware v4.1.2

AhnLab, a South Korea-based cyber-security firm, has released today a vaccine app that blocks the GandCrab ransomware from taking root and encrypting users' files.
This vaccine app works by creating a special file on users' computers that the GandCrab ransomware checks before encrypting user data.
This file is named [hexadecimal-string].lock and is saved at the following locations.

Win XP: C:\Documents and Settings\All Users\Application Data
Win 7, 8, 10: C:\ProgramData

Vaccine app tricks GandCrab ransomware

The hexadecimal ID is generated based on the computer's volume information of the root drive and a custom Salsa20 algorithm and is unique per user.
GandCrab creates this file to know if a computer has already been infected and prevent users from running the ransomware executable twice and double-encrypting and permanently destroying their data.
The AhnLab vaccine app can create this file in advance, before a user might get infected, hence tricking the ransomware into thinking it has already locked the victim's data.
No SMB spreader

The GandCrab ransomware has slowly become the most widespread ransomware strain in use today. Version 4.1.x, in particular, has recently grabbed some headlines.

Back at the start of the month, security researchers spotted that GandCrab added support for the EternalBlue NSA exploit, suggesting the ransomware could use it to spread to other nearby computers on the same network via the SMB protocol. But in a later report, Fortinet said this self-propagation routine doesn't seem to be used by the ransomware at all.
 
