GandCrab ransomware evolves again to form new cyber criminal alliances

GandCrab ransomware evolves again to form new cyber criminal alliances

A new version of GandCrab ransomware is evolving and gaining momentum with underground cyber criminal alliances, according to a recent McAfee report. 

According to a recent McAfee report, the latest version 5.0 of GandCrab now partners with a crypter service NTCrypt that provides malware obfuscation to evade anti-malware security products.

An excerpt of the underground alliance: 

“On September 27, the GandCrab crew announced Version 5 with the same showmanship as its earlier versions. GandCrab ransomware has gained a lot of attention from security researchers as well as the underground. The developers market the affiliate program like a ‘members-only club’ and new affiliates are lining up to join, in the hope of making easy money through the large-scale ransomware extortion scheme.”

The ultimate objective of GandCrab is to encrypt most files on a victim’s computer in order to extract ransom payment to unlock the files. 

McAfee says one of the GandCrab version 5.0 releases exploits CVE-2018-8440 in order to elevate privileges, that affects Windows 7 through Windows 10 Server OS versions. This vulnerability was patched last month as part of September patch updates.

The second exploit used by GandCrab targets CVE-2018-8120, that impacts Windows 7, Windows Server 2008 R2 and Windows Server 2008 versions. This vulnerability, patched in May 2018, could allow an elevation of privileges from the kernel. 

“Thanks to a faulty object in the token of the System process, changing this token in the malware results in executing the malware with System privileges,” McAfee said.