A fourth version of the GandCrab ransomware was discovered in July 2018, but researchers are just starting to understand the extent of the changes. How does this version of GandCrab ransomware differ from previous versions and who is at risk?
For many complex reasons, legacy systems may be present in an environment, and the options to secure them can be very limited. This makes them a particularly high-risk vector for attacks and, consequently, incident response costs could be significant. Likewise, there is an emerging trend of ransomware targeting those legacy systems.
An update to the GandCrab ransomware was identified in July 2018. Some of the changes included the use of the EternalBlue exploit to attack vulnerable Windows systems via the Server Message Block (SMB) protocol, turning the malware into a ransomware worm that spreads over the network. This update enabled hackers to target Windows XP and Windows Server 2003 systems.
Likewise, the new GandCrab attack includes functionality so that it doesn’t need a command-and-control mechanism to operate, making it easier to attack an air-gapped environment. According to Fortinet, the update also changed the attack’s encryption functionality to potentially make it faster.
With this updated malware, legacy systems are at the highest risk since many antimalware tools reasonably stopped supporting Windows Server 2003 and Windows XP. These same systems may not have been patched, making them vulnerable to the EternalBlue exploit. Likewise, the system may use an administrative account by default, creating additional risk.
Enterprises using good security hygiene will have the security controls in place to stop the GandCrab ransomware, but they may still have vulnerable legacy systems on their networks. These legacy systems may require network access, which leaves them open to attack unless the necessary controls are in place to prevent vulnerable systems from being infected with the GandCrab ransomware.