Alert: Ransomware Variant GandCrabV5.0.3

Sangfor Elsa Lv1Posted 18 Oct 2018 18:40

While some are encouraged by seeing the number of ransomware families drop by 71% in recent years, the number of variants discovered has increased by a staggering 46%. Recently, the Sangfor security team discovered GandCrabV5.0.3, a new GandCrab ransomware variant which has infected many users across Asia. While there is no way to decrypt files once they’ve been encrypted by GandCrabV5.0.3, Sangfor is issuing this security alert to remind customers and users to be proactive in preventing infection from this new and dangerous ransomware.

Virus: GandCrabV5.03
Virus Type: Ransomware
Affected Region: Several regions in Asia
Threat Level: High
Propagation: It spreads via RDP brute-force attack, emails, vulnerabilities, websites loaded with Trojan and cannot propagate via local area network.

Virus Distribution
It has been less than a year since GandCrab ransomware was discovered for the first time in January 2018. It variants (v1.0, v2.0, v2.1, v3.0, v4.0, V5.0) appeared subsequently, playing a very destructive role and at the time of writing, there is no way to decrypt files.
This variant encrypts files with RSA and AES cryptography, appends them with a random extension and asks users to pay a ransom to decrypt encrypted files. This ransomware spreads via RDP brute-force attack, email, vulnerabilities and websites loaded with trojans, rather than spreading itself through other devices on the local area network while still encrypting files in shared folders.


Sample Analysis
The attack procedure is as follows:


1. RDP Penetration
First, the hacker penetrates a host via RDP brute-force attack and uploads a hacking kit, including process management tools, scanners, password capturing tools, brute-force tools and ransomware vectors Some tools are encrypted and compressed by the hacker to prevent them from being detected and removed by antivirus software. The compression password is 123.


2. Kill Antivirus Process
After uploading the hacking kit to a compromised host, the hacker attempts to kill the antivirus process using the process management tool ProcessHacker.
3. Perform Scanning
The hacker then uses scanners KPortScan, NASP and NetworkShareNetworkShare to scan LAN hosts in order to find more vulnerable targets.
4. Password Dump
The hacker uses Mimikatz to dump the host login password and WebBrowserPassView to access passwords stored by the browser.  Since there is a possibility that different users use the same login password, the hacker can use stolen passwords to log onto other hosts.
5. Perform Brute-force Attack
The hacker uses DUBrute to perform an RDP brute-force attack against LAN hosts.
6. Run Ransomware
HW contains the ransomware vector HW.5.0.2.exe and a HW.txt file which stores the powershell command used for performing fileless ransom. The hacker can run ransomware vector or execute powershell command to perform the ransom.


The attack procedure is as follows:


Perform process traversal and kill the following processes:


At the time of writing, there is no decryption tool for victims although infected hosts may be quarantined or disconnect them from network. Sangfor recommends that you perform a virus scan and set up protections as soon as possible.

Ransomware Detection
1.Sangfor offers customers and users free anti-malware software to scan for and remove the ransomware virus. Simply download it from:
2. Sangfor NGAF is capable of detecting this ransomware virus.

1. Fix the vulnerability by installing the corresponding patch on the host.
2. Back up critical data files regularly to other hosts or storage devices.
3. Do not click on any email attachment from unknown sources and not download any software from untrusted websites.
4. Disable unnecessary file sharing.
5. Strengthen computer passwords and avoid using the same passwords for multiple computers. Of one computer is compromised, all other computers may also be compromised.
6. Earlier GandCrab ransomware sometimes makes use of RDP. Please disable RDP if it is unnecessary for your business. When a computer is attacked, Sangfor NGAF or EDR is recommended to block port 3389 and other ports to stop ransomware from spreading.
7. Sangfor NGAF can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF and enable Rule 11080051, 11080027 and 11080016.
8. For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable antivirus Engine Zero. For customers using Sangfor NGAF versions earlier than 8.0.5, update your antivirus database to 20181017.

Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

Zwlligad Lv1Posted 18 Nov 2018 23:19
I am aware of ransomware, Gand Crab seems to be a remake of WannaCry.
No the crooks do not extort money directly, they would rather steal your PC resources with hidden miners such as PowerGhost ; again, it all revolves around crypto currency, what a nice invention ... ing-crypto-at-work/

Trending Topics

Board Leaders