Rewterz Threat Alert – GandCrab Ransomware – Active IOCs

Severity

High

Analysis Summary

GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its discovery. GandCrab ransomware encrypts victim’s files and demands ransom money in exchange for decryption keys. GandCrab targets organisations and individuals that use Microsoft Windows-powered PCs. This ransomware has attacked a huge number of systems in India, Chile, Peru, the United States, and the Philippines. This ransomware has been linked to some of the most notorious ransomware outbreaks, resulting in enormous financial losses for victims. To effectively victimize the target, its operators frequently try to imitate reputable services. In January 2020, for example, GandCrab was transmitted in a word document labeled “Flu pandemic warning.doc” that purportedly came from the Centers for Disease Control. The virus is assigned various name by different antivirus software including Trojan.Ransom.GandCrab, Win32/Filecoder.GandCrab, Ransom: Win32/GandCrab, and others

Impact

• Files Encryption

Indicators of Compromise

MD5

3b43bfc5029dc4e3aeabc9305538b530
7932d85c43827f357cb376a8cdfac792
5f2e48de5668bc86caec678c0f3c3d8e
de4b345a676da185d23cd5801d0b0c17

SHA-256

7b70f42b3a08aaaf1d46d4b80de7156c19ddcf1ddd82947dd269db1e9e23bb67
ac7196f5603e796018814fd5d5d3e6d82d802554bb1e222711c09178ae8a475d
dd65f9917c7e353145378f9b70cbcbbec7e52436694f277fadcbb654ecafed28
8723ec9a0f117eda5f8fba7c2766082af4301593bbb7dda11420182ca93e5746

SHA-1

1fb1a1691a49928918c78a68cad1043f99e75872
90ea946d54e51946d72bad893fea31c750e89ef9
30a295a6b157b35fed7187ef68319397be36a3a8
9d554532cf28d1496f55ed4f8f0cd24a380608c6

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets