GandCrab ransomware found on compromised websites
GandCrab ransomware continues to spread and adapt to shifting conditions, and has recently returned to prominence on the back of several large-scale spam campaigns. The GandCrab payload was found hiding on legitimate but compromised websites. When these infected sites were analyzed, they were riddled with vulnerabilities stemming from outdated software, highlighting one of the biggest issues in web security.
Most small businesses aren't aware when a new vulnerability is disclosed in a web framework, and even if they were, most lack the know-how and time to keep the software their websites rely on up to date. Attackers, on the other hand, quickly weaponize these vulnerabilities and scan the internet for potential victims. Leveraging compromised sites in spam campaigns is increasingly effective because the attackers don't need to maintain persistence or do anything beyond copying a file to a known location on the site and pointing victims' systems at it.
In just one week of observation, researchers found four identical attacks. Using e-commerce order lures, the spam emails contained rudimentary body text and either an attached ZIP file or VBScript files which, when opened, pulled GandCrab down from a website. The researchers found that the malware was being served from legitimate websites rather than from purpose-built malicious sites, including a WordPress site for an herbal medicine business. Examining the site revealed a host of issues, including the use of default credentials and multiple MySQL vulnerabilities. It was also running an old version of the WordPress content management system.
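The outdated WordPress install described above is the kind of thing a site owner can check for themselves. The following is an added example, not code from the original article or from the researchers it cites: it extracts the WordPress version a page leaks through its HTML and flags the install as outdated against a version the operator supplies. The sample pages and the version numbers compared are constructed for illustration, and the use of wp-embed.min.js as a secondary version indicator is an assumption about how WordPress enqueues its core scripts. It also covers the case of a site that strips the generator tag, which hides the version but does not make the install any newer.

```python
import re
from typing import Optional, Tuple

# A version-leak and outdated-install check for a WordPress site's HTML.
# Added example, not the article's code. The sample pages and the version
# numbers compared below are constructed for illustration.

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
GENERATOR_NAME_RE = re.compile(r'name=["\']generator["\']', re.IGNORECASE)
GENERATOR_CONTENT_RE = re.compile(
    r'content=["\']WordPress\s+(\d+(?:\.\d+)*)', re.IGNORECASE
)
# Assumption: core scripts such as wp-embed.min.js are enqueued with the core
# version as their ?ver= cache-buster. Bundled libraries are deliberately not
# matched (jquery.js?ver=... carries jQuery's own version, not WordPress's).
CORE_ASSET_RE = re.compile(
    r"/wp-includes/js/wp-embed(?:\.min)?\.js\?ver=(\d+(?:\.\d+)*)", re.IGNORECASE
)


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.7.2' -> (4, 7, 2); tuples compare element-wise, so (4,7,2) < (4,9,8)."""
    return tuple(int(part) for part in version.split("."))


def extract_wordpress_version(html: str) -> Optional[str]:
    """Return the WordPress version the page leaks, or None if it leaks nothing.

    The generator meta tag is checked first (attribute order does not matter),
    then the ?ver= string on the core embed script.
    """
    for tag in META_TAG_RE.findall(html):
        if GENERATOR_NAME_RE.search(tag):
            match = GENERATOR_CONTENT_RE.search(tag)
            if match:
                return match.group(1)
    match = CORE_ASSET_RE.search(html)
    return match.group(1) if match else None


def is_outdated(found: str, current: str) -> bool:
    """True when the found version is strictly older than the supplied current one."""
    return parse_version(found) < parse_version(current)


def audit(html: str, current: str) -> dict:
    """Summarize what the page reveals and whether the install needs updating."""
    found = extract_wordpress_version(html)
    return {
        "version": found,
        "leaks_version": found is not None,
        "outdated": found is not None and is_outdated(found, current),
    }


# Constructed sample pages (not real sites).
SAMPLE_OUTDATED = """<html><head>
<meta name="generator" content="WordPress 4.7.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="/wp-includes/js/wp-embed.min.js?ver=4.7.2"></script>
</head><body>Herbal remedies shop</body></html>"""

# Same install with the generator tag removed by a "hide version" plugin:
# the core asset still gives the version away, and the install is no newer.
SAMPLE_HIDDEN_META = """<html><head>
<script src="/wp-includes/js/wp-embed.min.js?ver=4.7.2"></script>
</head><body>Herbal remedies shop</body></html>"""

# A page that leaks nothing: the audit cannot tell whether it is current.
SAMPLE_SILENT = "<html><head><title>shop</title></head><body>ok</body></html>"

if __name__ == "__main__":
    # The "current" version is supplied by the operator (constructed value here).
    for name, page in [
        ("outdated", SAMPLE_OUTDATED),
        ("hidden-meta", SAMPLE_HIDDEN_META),
        ("silent", SAMPLE_SILENT),
    ]:
        print(name, audit(page, current="4.9.8"))
```

Run it against the HTML fetched from your own site's front page and substitute the real current release for the constructed "4.9.8". A result with `leaks_version` False is not a clean bill of health: it only means the page does not advertise its version, so the install still has to be checked from the admin side.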
Sites running old software are easy targets, and using them to serve malware saves attackers the hassle of registering domains, buying VPS capacity, and configuring a web server to host the files. The other advantage is that attackers inherit the web reputation of the site they compromise, which helps the payload bypass some blacklisting.
GandCrab spreads via the RIG and GrandSoft exploit kits as well as via email spam. There is also a GandCrab affiliate program, according to recent research from Check Point, which pays participants about 60 to 70 percent of the ransom revenue in return for full technical support. One of the largest affiliates distributed 700 different versions of the malware during the month of March alone. GandCrab is under constant development, with its creators releasing new versions frequently. It does the typical things ransomware does: encrypting files and appending the .CRAB extension, changing the user's desktop background, and using Tor for communication. In one case the malware was quickly adapted to get around a free decryption tool released in cooperation with Europol.
GandCrab is the latest illustration of why stopping malware distribution is so hard, and why securing websites is a challenging but necessary task. As an example of how difficult remediation can be, one of the sites, despite being shut down briefly, was serving GandCrab again within a few days. Even though cryptomining is quickly becoming the next big thing in malware, there are still billions of dollars to be made in ransomware, and evolving tactics like using legitimate sites to hide the payload are proving effective, which makes that money easier to earn. Threats like GandCrab are going to continue: there are millions of web pages running on platforms with thousands of known vulnerabilities. Because most of these sites are created and maintained by small organizations that lack the resources to react to emerging vulnerabilities, this will be a problem for the foreseeable future.