GandCrab ransomware is spreading wildly through several known vulnerabilities

Oct 1, 2018Elley
Learn more about 360 Total Security

GandCrab ransomware is one of the most popular ransomware families recently. The latest version of the ransomware has been updated to 5.0.1. In September, 360 Security Center found that the spread of GandCrab ransomware began to grow rapidly that many files on Windows servers were encrypted. The ransomware is currently spreading through several known vulnerabilities, including Fallout Exploit tool which was added in September.

GandCrab ransomware is spreading wildly through several known vulnerabilities

How is GrandCrab spread?
Currently, GrandCrab is commonly spread through the following methods:
1. Disguise itself as normal software or be bundled in cracked software to induce users to download
2. Crack weak passwords
3. Use Apache Tomcat exploit
4. Use Jboss and WebLogic server flaws
5. Exploit Struts vulnerability

The latest changes in the GrandCrab sample
The latest version of the ransomware randomly generates a string of 5 characters in length as the file suffix and write the suffix to the SOFTWAREkeys_datadata registry, instead of using a fixed suffix:

 GandCrab ransomware is spreading wildly through several known vulnerabilities

Newly increased the use of Windows 10 privilege vulnerability (CVE-2018-0896):

 GandCrab ransomware is spreading wildly through several known vulnerabilities

Newly added PowerShell scripts to perform encryption:

 GandCrab ransomware is spreading wildly through several known vulnerabilities

Reminder
The users who use the servers mentioned above should update the software used by the servers to fix security vulnerabilities. Fortunately, 360 Total Security can defend against these kinds of attacks. Hence, we recommend users that they should install 360 Total Security to protect their systems.

Learn more about 360 Total Security