Malware Information

[Exclusive] How to Block Encryption of GandCrab v4.1.2 (Kill-Switch) – Update (v4.1.3)

On July 13, AhnLab shared a method to block encryption by GandCrab v4.1.1; Fortinet had announced similar information on July 9. However, on July 17, a new version, GandCrab v4.1.2, was found, as shown below. It contains an inserted message that seemingly ridicules both security vendors: “#fortinet & #ahnlab, mutex is also kill-switch not only lockfile ;)”

Figure 1. Twitter post on GandCrab v4.1.2 (Reference:

The added message was not the only change in version 4.1.2. The version also complicated the algorithm that creates the *.lock filename, which is the key to preventing encryption, and extended the filename length from 8 bytes to 20 bytes. AhnLab ASEC confirmed that the changed filename creation algorithm is Custom Salsa20, a partially modified Salsa20, and developed…

GandCrab Ransomware Included in Javascript Prompting to Remove V3

While monitoring the distribution process of GandCrab ransomware in Korea, AhnLab ASEC detected a feature in the distribution script that prompts the user to uninstall V3 Lite; it targets only V3 Lite.

Figure 1 – Obfuscated script code

The distribution script contains obfuscated JavaScript, as shown in Figure 1; its main function, once deobfuscated, is shown in Figure 2.

Figure 2 – Unobfuscated script code

The deobfuscated JavaScript shown in Figure 2 uses two techniques to run GandCrab ransomware. The path of the GandCrab payload downloaded via the technique that uses PowerShell (no. 2) was confirmed to be ****. The internal version of all GandCrab samples is v4.3.

Execution techniques of GandCrab ransomware
1. Create and run an internally encoded GandCrab executable on the user's system
2….

GandCrab Ransomware Distribution Begins in Korea

A new ransomware named GandCrab is now also being distributed in Korea. The ransomware infects a PC when the user visits a website compromised by an exploit kit. Ever since its first discovery, GandCrab has been distributed incessantly across the Internet. Once a PC is infected by GandCrab ransomware, file extensions are changed to .GDCB and a GDCB-DECRYPT.txt file is created.

Figure 1. Extension change due to the ransomware

When GandCrab ransomware is executed, it copies itself to ‘%appdata%\Microsoft\[Randomstr{6}].exe’ and adds the copy to the registry so that it remains on the PC and persists across executions.

File creation path: %appdata%\Microsoft\[Randomstr{6}].exe
Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Table 1. Copying the file and registering auto-run for continuous execution

Afterward, it checks whether a certain process is running and, if so, it…