Dynamic Analysis on Bypass Method of GandCrab v5.2

The widely distributed GandCrab ransomware contains code inserted to evade dynamic analysis systems (sandboxes). Using it, GandCrab can escape detection either by terminating itself inside the sandbox before performing any real malicious activity, or by delaying the analysis process. Below is the code used to evade dynamic analysis systems: Anti-Sandbox via SetErrorMode
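As an added example (not code from the original post and not the GandCrab sample's own code), the C program below shows the SetErrorMode anti-sandbox check in its general form and why it works. The Win32 call SetErrorMode(uMode) sets the process error mode and returns the previous one. A sample sets a mode, immediately calls SetErrorMode(0), and compares the returned previous mode with what it just set: a real Windows kernel round-trips the value, while an analysis environment that hooks or emulates the API with a canned return value does not, so the sample assumes it is being analyzed and exits. The probe constant 0x400 (SEM_NOOPENFILEERRORBOX) and the two constructed SetErrorMode implementations are assumptions for illustration; the page does not give the exact value used by the sample. On Windows the program also runs the check against the real API.

```c
/*
 * Added example, not GandCrab's own code: the SetErrorMode sandbox check
 * in its general form. The malware sets an error mode, then calls
 * SetErrorMode(0) and inspects the returned *previous* mode. Windows
 * round-trips the value; a sandbox whose hook returns a fixed value does
 * not, so the sample assumes it is being analyzed and exits early.
 *
 * Assumption: the probe value 0x400 (SEM_NOOPENFILEERRORBOX) is used here
 * for illustration; the constant used by the sample is not given on the page.
 */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
#define WINAPI /* calling-convention macro is Windows-only */
#endif

/* Same shape as the Win32 API: UINT WINAPI SetErrorMode(UINT uMode),
   returning the previous mode. */
typedef unsigned int (WINAPI *set_error_mode_fn)(unsigned int);

#define PROBE_MODE 0x400u /* SEM_NOOPENFILEERRORBOX; assumed probe value */

/* The check itself. Returns 1 if the environment does not behave like
   Windows (likely sandbox/emulator), 0 if the mode round-trips correctly. */
int error_mode_sandbox_check(set_error_mode_fn sem)
{
    sem(PROBE_MODE);                /* set the probe mode, ignore old value */
    unsigned int previous = sem(0); /* reset; must return what was just set */
    return previous != PROBE_MODE;
}

/* Constructed, portable emulation of the real API for offline runs: keeps
   per-process state and returns the prior mode, exactly as Windows does. */
static unsigned int faithful_mode = 0;
unsigned int WINAPI faithful_set_error_mode(unsigned int mode)
{
    unsigned int old = faithful_mode;
    faithful_mode = mode;
    return old;
}

/* Constructed stand-in for a hooking sandbox that stubs SetErrorMode to
   "succeed" with a fixed 0 and never records state. */
unsigned int WINAPI stubbed_set_error_mode(unsigned int mode)
{
    (void)mode;
    return 0;
}

int main(void)
{
#ifdef _WIN32
    /* Against the real API the check must report 0 on a genuine host. */
    printf("real SetErrorMode:  %d\n", error_mode_sandbox_check(SetErrorMode));
#endif
    printf("faithful emulation: %d\n", error_mode_sandbox_check(faithful_set_error_mode));
    printf("stubbed hook:       %d\n", error_mode_sandbox_check(stubbed_set_error_mode));
    return 0;
}
```

For sandbox authors the takeaway is that API hooks must preserve state semantics, not just return success; for detection engineers, a SetErrorMode(x) immediately followed by SetErrorMode(0) and a process exit before any file activity is a cheap behavioral indicator of this evasion.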

A New Attempt to Disable Korean Anti-malware Software (GandCrab v5.0.4)

While monitoring the GandCrab distribution script, AhnLab ASEC recently spotted a new method of disabling Korean anti-malware software. Whereas the previous version tried to remove the software by executing ‘Uninst.exe’, as shown in Figure 1 below, the recently discovered distribution script uses a new method to terminate V3. Figure 1. Code related to

Analysis of CVE-2018-8174 Vulnerability

AhnLab ASEC analyzed the Internet Explorer vulnerability CVE-2018-8174, which is being widely used to distribute ransomware and malware in Korea. This vulnerability is also used to distribute Magniber ransomware, so users must apply the security patch to prevent damage. MS security update page (CVE-2018-8174) – https://portal.msrc.microsoft.com/ko-kr/security-guidance/advisory/CVE-2018-8174 01. Summary

[Exclusive] How to Block Encryption of GandCrab v4.1.2 (Kill-Switch) – Update (v4.1.3)

On July 13, AhnLab shared a method to block encryption by GandCrab v4.1.1; Fortinet had announced similar information on July 9. However, on July 17, a new version, GandCrab v4.1.2, was found, as shown below. It contains an inserted message that appears to mock both security vendors. – “#fortinet & #ahnlab, mutex is also

GandCrab Ransomware Included in Javascript Prompting to Remove V3

While monitoring the distribution of GandCrab ransomware in Korea, AhnLab ASEC detected that the distribution script prompts the user to uninstall V3 Lite; it targets only V3 Lite. Figure 1 – Obfuscated script code. The distribution script contains obfuscated JavaScript, as shown in Figure 1, and the main

GandCrab Ransomware Distribution Begins in Korea

A new ransomware named GandCrab is also being distributed in Korea. The ransomware infects a PC when the user visits a website compromised to serve an exploit kit. Since its first discovery, GandCrab has been distributed continuously. Once a PC is infected by GandCrab ransomware, the file extension is changed