
Crabby Ransomware Nests in Compromised Websites

Cisco Warns of Dangers of Running Vulnerable Web Applications
Files encrypted by the Gandcrab ransomware have a ".crab" extension. (Photo: India Kirk via Flickr/CC)

The Gandcrab ransomware has been a moving target. Since it was discovered in January, it has become one of the most widely distributed file-encrypting malware programs. Researchers with Cisco say they've now found it seeded within legitimate websites, making it harder to stop its spread.

Cisco has spotted four campaigns within a week that have been spreading Gandcrab, all of which relied on planting the ransomware into legitimate websites, writes Nick Biasini, an outreach engineer with Cisco's Talos Intelligence unit.

The targeted websites all appeared to be running outdated software, leaving known vulnerabilities that attackers could exploit.

"This incident helps shed more light onto one of the biggest challenges we face: compromised websites," Biasini writes. "Most small businesses aren't aware that a new vulnerability has been released against a web framework, and even if they did [know], most lack the expertise and time to be able to frequently update the software that the companies' websites rely upon."

Three Versions

When Gandcrab was first noticed, it used a surprising infection chain that relied on exploit kits, researchers at Malwarebytes wrote in a January blog post. Exploit kits rapidly probe a visiting computer for vulnerabilities and launch an attack if one is found.

Exploit kits of late have mostly been observed delivering malware such as remote access tools and virtual currency miners, according to Jerome Segura and Vasilios Hioueras of Malwarebytes. Curiously, however, they're still being used to spread Gandcrab.

After Gandcrab encrypted files, it demanded a ransom of between $300 and $500 (U.S.), payable in the virtual currency Dash. Dash is one of several virtual currencies that have sought to improve on bitcoin by making transactions less traceable.

One of Gandcrab's payment pages, a hidden TOR site. (Source: Malwarebytes)

In less than a month, Gandcrab infected 50,000 machines, according to an alert issued by Interpol on Feb. 28. Just a few weeks after Gandcrab debuted, researchers with security firm BitDefender, in cooperation with the EU's law enforcement intelligence agency - Europol - and Romanian police published a tool that could decrypt files cryptolocked by GandCrab.

But as is often the case, attackers quickly released a second variant of Gandcrab that cryptolocks files in a manner that the tool can no longer decrypt. Files affected by this second version of Gandcrab, as well as a third version that has since appeared, have a ".crab" extension.

Cisco says Gandcrab's developers haven't slowed down, either. Gandcrab "is under almost constant development, with its creators releasing new versions at an aggressive pace," Biasini writes.

The third version of Gandcrab now also replaces a computer's desktop wallpaper with a ransom note, according to security vendor Fortinet.

First Indication Of Trouble: Spam

Potential Gandcrab victims usually receive a spam message with an attachment. The attachment may be a Word document that has been rigged with a macro that downloads a malicious payload from an external site. Cisco says it has also seen Gandcrab spam with VBScript files that perform essentially the same action.

An example of a spam message that leads to the Gandcrab ransomware. (Source: Fortinet)

But rather than registering new domains, Gandcrab's operators have found it easier to search for legitimate but vulnerable websites. Cisco says it found the ransomware being distributed via the website of a courier company in India as well as another site that promotes herbal remedies.

"This allows adversaries to save time and money doing things like registering domains, buying VPS [virtual private servers] and configuring a web server to host the files," Biasini writes. "The added advantage is that they also get to leverage the web reputation of the site they compromise, which could help bypass some blacklisting technologies, at least initially."

It didn't take long for Cisco to find the source of the problems with websites that had been compromised. The Indian courier site ran phpMyAdmin.

"We began looking a little deeper at what possible vulnerabilities could exist, and we ran into a large amount, including default credentials and multiple MySQL vulnerabilities that could be leveraged," Biasini writes. "Shortly after this was discovered, the website was taken down."

The website of a courier in India that was used to plant Gandcrab (Source: Cisco)

Likewise, the herbal remedies website was running a version of WordPress that was more than a year out of date, Cisco says.

Stay Sharp, Keep Patching

There's no way to solve these underlying vulnerability management, patching and information security awareness problems, at least not quickly. Well-funded organizations have the awareness and capabilities to ensure their websites aren't easily popped by attackers. But attackers can still choose from a wide pool of poorly protected sites.

"Since most of these pages are created and maintained by small organizations that don't have the knowledge or resources to react to emerging vulnerabilities, this will continue to be a problem for the foreseeable future," Biasini writes.


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
