GandCrab V3 Accidentally Locks Systems with New ‘Change Wallpaper’ Feature

GandCrab is one of the most talked about ransomware families this year primarily due to its increasing distribution volume, as we described in our previous article. At the end of last month, FortiGuard Labs discovered a new spam wave from the same campaign delivering the latest version, GandCrab v3.

In this new version, following in the footsteps of past infamous ransomware families such as Locky and Sage, this latest version now also changes the wallpapers of its victims. However, when we analyzed this new feature we found a bug that can be detrimental to its goals, as well as more frustrating to its unfortunate victims.

New Spam Wave, Same Old Tricks

The attack chain is practically the same as the one discussed in our previous article. Only this time, it uses Visual Basic Scripts as downloaders instead of Java Scripts.

Same goes for the email content. The next figure shows a sample spam email that was caught by FortiMail delivering the latest version of this malware.

From Wallpaper Change to Accidental Screen Lock

As mentioned, GandCrab now also changes its victim’s Desktop wallpapers to display a ransom note, a tactic which has long been used by other ransomware families. It’s as if seeing strange filename extensions and unusable files, not to mention actual ransom notes in every directory, are not enough signs of the device being infected. Even worse, however, we found a bug in this new feature when we tested it with Windows 7.

After this malware has encrypted the victim’s files, it forces the system to reboot. On our tests with Windows 10 and Windows 8.1 systems, the malware was able to change the wallpaper and the systems were able to start up normally, as expected. 

On Windows 7 however, for some reason booting does not finish but instead gets stuck at a point before the Windows Shell is completely loaded. That means an infected user would not have the Windows interface to interact with, rendering the entire machine seemingly unusable – reminiscent of the old lock screen ransomware behaviour. Only the ransom note wallpaper and TOR Browser download site can be seen by the user.

We know this wasn’t intentional because the instructions on the ransom note tells the user to read a copy of one of the“CRAB-DECRYPT.txt” ransom notes scattered around the system for further instructions. And for the average user, that would at least require the Windows interface to do it.

One way to force the reboot to proceed is by executing the Task Manager through the keyboard (CTRL+SHIFT+DEL) and terminating the malware process. Although for an average user, finding an actual malware from the list of running processes can be a complicated undertaking. Furthermore, this malware has an autorun mechanism, which means it will just execute again upon reboot. So to prevent the “lock screen” in subsequent reboots, after the user terminates the process the malware executable located in APPDATA%Microsoft<random chars>.exe (e.g. gvdsvp.exe) must be deleted. Deleting its autorun registry is also recommended:

Conclusion

Seeing a ransom note and realizing that all of your files are gone is frustrating on so many levels. And it’s even more frustrating (if that’s even possible) when on top of that you also lose your access to the machine. Malware flaws with unintended consequences are really quite common, which is another reason why being extra cautious with unsolicited emails is very important. As a general rule, any unexpected emails with attachments (an executable or a document) must be scanned and verified first before opening. And as always, create isolated backups for your important files.

GandCrab’s new feature does not work well across the board. But the fact that the actors behind it are actively developing it says something about the level of motivation that they have in carrying out their criminal enterprise. And it makes this malware campaign even more dangerous.

-= FortiGuard Lion Team =-

 

Solution

Fortinet users are protected with the following solutions:

·       Emails are blocked by our FortiMail FortiGuard Virus Outbreak Protection Service

·       Files in the attack chain are detected by FortiGuard Antivirus

·       Malicious download URLs and C2s are blocked by our FortiGuard Web Filtering Service

·       FortiSandbox rates any execution point in the attack chain as “High Risk”

 

IOCs

GandCrab V3

4fb5ea4fd30838756fa643c399c3d82e952f60e25de4127c4d0b9849dc617d1e (GandCrab v3) – W32/GandCrab.KAD!tr.ransom

 

Emails

1f33e2efd415c0fbb428ab65da8649b985e7475191e316e24ec6abfa4da955e6

08c0dcecb2f3d9c4567a0af6c9949d048631603e460a83aaa627756c1100b2d3

78293681ec1a9d591f9f0b43245ecb2d407ae85da364f91dab917057bd3b33f4

 

VBS Downloaders

59e1a31e8ee30f00baf230d25e6b655d3779fbbcba1b2c109864520e51156960
VBS/GandCrab.KAD!dldr

7be804f1918cb6f6519642270f81ccd8558021931832438313891081cdd3eb78
VBS/GandCrab.KAD!dldr

389e1b29a38a1a2f65d36a7c8308eb7dc321fa2431652a5993a13ef6a6992578 –
VBS/GandCrab.KAD!dldr

 

Added Registry

SubKey: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce

Name: <random chars> (e.g. solmnyduktr)

Value: %APPDATA%Microsoft<random chars>.exe (e.g. gvdsvp.exe)

 

Network

http[:]//185.189.58.222/bamm.exe (download URL)

carder.bit (C2)

ns1.wowservers.ru (DNS Server)

 

 

 

Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.



*** This is a Security Bloggers Network syndicated blog from Fortinet All Blogs authored by Fortinet All Blogs. Read the original post at: http://feedproxy.google.com/~r/fortinet/blogs/~3/jFSe5bAuoNs/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html