FortiGuard Labs Threat Research
GandCrab V3 Accidentally Locks Systems with New ‘Change Wallpaper’ Feature
GandCrab is one of the most talked about ransomware families this year primarily due to its increasing distribution volume, as we described in our previous article. At the end of last month, FortiGuard Labs discovered a new spam wave from the same campaign delivering the latest version, GandCrab v3.
In this new version, following in the footsteps of past infamous ransomware families such as Locky and Sage, this latest version now also changes the wallpapers of its victims. However, when we analyzed this new feature we found a bug that can be detrimental to its goals, as well as more frustrating to its unfortunate victims.
New Spam Wave, Same Old Tricks
The attack chain is practically the same as the one discussed in our previous article. Only this time, it uses Visual Basic Scripts as downloaders instead of Java Scripts.
Fig.1 KTIS’ visualization of spam mails with attached VBS scripts downloading GandCrab v3
Same goes for the email content. The next figure shows a sample spam email that was caught by FortiMail delivering the latest version of this malware.
Fig.2 Sample email from this spam wave caught by FortiMail
From Wallpaper Change to Accidental Screen Lock
As mentioned, GandCrab now also changes its victim’s Desktop wallpapers to display a ransom note, a tactic which has long been used by other ransomware families. It’s as if seeing strange filename extensions and unusable files, not to mention actual ransom notes in every directory, are not enough signs of the device being infected. Even worse, however, we found a bug in this new feature when we tested it with Windows 7.
After this malware has encrypted the victim’s files, it forces the system to reboot. On our tests with Windows 10 and Windows 8.1 systems, the malware was able to change the wallpaper and the systems were able to start up normally, as expected.
Fig.3 Windows 10 infected with GandCrab v3 after reboot
On Windows 7 however, for some reason booting does not finish but instead gets stuck at a point before the Windows Shell is completely loaded. That means an infected user would not have the Windows interface to interact with, rendering the entire machine seemingly unusable – reminiscent of the old lock screen ransomware behaviour. Only the ransom note wallpaper and TOR Browser download site can be seen by the user.
We know this wasn’t intentional because the instructions on the ransom note tells the user to read a copy of one of the“CRAB-DECRYPT.txt” ransom notes scattered around the system for further instructions. And for the average user, that would at least require the Windows interface to do it.
Fig.4 GandCrab ransom note text
One way to force the reboot to proceed is by executing the Task Manager through the keyboard (CTRL+SHIFT+DEL) and terminating the malware process. Although for an average user, finding an actual malware from the list of running processes can be a complicated undertaking. Furthermore, this malware has an autorun mechanism, which means it will just execute again upon reboot. So to prevent the “lock screen” in subsequent reboots, after the user terminates the process the malware executable located in APPDATA%\Microsoft\<random chars>.exe (e.g. gvdsvp.exe) must be deleted. Deleting its autorun registry is also recommended:
SubKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
Name: <random chars> (e.g. solmnyduktr)
Value: %APPDATA%\Microsoft\<random chars>.exe (e.g. gvdsvp.exe)// Placeholder
Fig.5 Infected Windows 7 screen after reboot
Conclusion
Seeing a ransom note and realizing that all of your files are gone is frustrating on so many levels. And it’s even more frustrating (if that’s even possible) when on top of that you also lose your access to the machine. Malware flaws with unintended consequences are really quite common, which is another reason why being extra cautious with unsolicited emails is very important. As a general rule, any unexpected emails with attachments (an executable or a document) must be scanned and verified first before opening. And as always, create isolated backups for your important files.
GandCrab’s new feature does not work well across the board. But the fact that the actors behind it are actively developing it says something about the level of motivation that they have in carrying out their criminal enterprise. And it makes this malware campaign even more dangerous.
Solution
Fortinet users are protected with the following solutions:
· Emails are blocked by our FortiMail FortiGuard Virus Outbreak Protection Service
· Files in the attack chain are detected by FortiGuard Antivirus
· Malicious download URLs and C2s are blocked by our FortiGuard Web Filtering Service
· FortiSandbox rates any execution point in the attack chain as “High Risk”
IOCs
GandCrab V3
4fb5ea4fd30838756fa643c399c3d82e952f60e25de4127c4d0b9849dc617d1e (GandCrab v3) - W32/GandCrab.KAD!tr.ransom
Emails
1f33e2efd415c0fbb428ab65da8649b985e7475191e316e24ec6abfa4da955e6
08c0dcecb2f3d9c4567a0af6c9949d048631603e460a83aaa627756c1100b2d3
78293681ec1a9d591f9f0b43245ecb2d407ae85da364f91dab917057bd3b33f4
VBS Downloaders
59e1a31e8ee30f00baf230d25e6b655d3779fbbcba1b2c109864520e51156960 -
VBS/GandCrab.KAD!dldr
7be804f1918cb6f6519642270f81ccd8558021931832438313891081cdd3eb78 -
VBS/GandCrab.KAD!dldr
389e1b29a38a1a2f65d36a7c8308eb7dc321fa2431652a5993a13ef6a6992578 -
VBS/GandCrab.KAD!dldr
Added Registry
SubKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
Name: <random chars> (e.g. solmnyduktr)
Value: %APPDATA%\Microsoft\<random chars>.exe (e.g. gvdsvp.exe)
Network
http[:]//185.189.58.222/bamm.exe (download URL)
carder.bit (C2)
ns1.wowservers.ru (DNS Server)
Check out our latest Quarterly Threat Landscape Report for more details about recent threats.
Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.
