GandCrab ransomware variant targeting legacy systems: What you need to know

The newest variant of one of the more prolific ransomware strains this year has been updated to include a stolen National Security Agency exploit.
By Jessica Davis
03:07 PM

The newest variant of one of the more prolific ransomware strains this year has been updated to include a stolen National Security Agency exploit and is targeting older Windows PCs no longer supported by Microsoft.

With the NSA EternalBlue exploit, the same hacking tool used in WannaCry and Petya, GandCrab is now targeting SMB vulnerabilities and can proliferate even faster than those attacks.

First discovered in January, GandCrab is among the ransomware-as-a-service offerings for sale on the dark web. The hackers are suspected to be Russian, as the virus scans to determine the country of origin and won’t infect a Russian-based system.

According to the Fortinet researchers, Version 4 of the virus has an overhauled code structure, including the encryption mechanism, which has been switched to the Salsa20 stream cipher to encrypt files faster than previous versions.

The Salsa20 cipher was used in the original, successful Petya ransomware, not to be confused with the variant used in the June 2017 global cyberattack.

The delivery model is straightforward for ransomware: GandCrab is being spread through spam email, fake crack sites and malicious WordPress sites.

It’s also notable that the computers don’t need to be connected to the internet to be infected, as the new GandCrab doesn’t need to connect to the C2 server before encrypting the victim’s files.

Why it matters to healthcare

The latest GandCrab variant is targeting legacy Windows machines, and with about 15 percent of healthcare organizations operating on such outdated systems, GandCrab could be another thorn in the sector’s side.

The other issue is that the healthcare sector is notorious for failing to patch devices - even if patches are available - as it can impact the function of the device.

“If we are lazy about patching and upgrading our systems sector-wide, GandCrab will be (somewhat) problematic for the healthcare sector,” said Lee Kim, director of privacy and security for HIMSS North America.

“But, it’s not the 1990s anymore and many healthcare organizations are a bit more proactive with their cybersecurity programs,” she continued. “So, GandCrab is a problem that needs to be addressed. But it likely won’t reach pandemic proportions.”

To determine if they’re vulnerable, IT teams need to make sure their web security gateway is properly implemented and make sure to have solid access controls on website browsing for employees.

“Freely accessing the web is like freely accessing the world (albeit virtually),” said Kim. “Think about putting web security gateways in place and having a good acceptable use policy (if you don’t already).” 

Further, organizations can also mitigate risk by disabling SMBv1 and patching for MS17-010. Upgrading legacy systems is always the most effective option, but for many healthcare organizations it may prove too costly.

There is currently no free decryptor for GandCrab, so shoring up these vulnerabilities should be a top priority.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com