Hackers Are Hunting for Bigger Game with New Version of Ransomware

Accounteks ConsultingNews

Pinchy Spider and GandCrab sound like scoundrels in a super-hero comic book, but they are real-life villains in the business world. Learn how to defend your company against the Pinchy Spider hacking group’s latest tactics and its newest version of the GandCrab ransomware.

Back in January 2018, a hacking group known as Pinchy Spider launched the GandCrab ransomware. It quickly became a dangerous form of ransomware, thanks to the group continually making adaptations to it.

Pinchy Spider has not slowed down in its quest to make GandCrab more deadly. Researchers recently discovered that a new version of the ransomware is making the rounds. Just as important, they discovered signs that Pinchy Spider is trying to catch bigger prey with it.

 

The Growing Trend of Big Game Hunting

Big game hunting is a growing trend among cybercriminals. To quickly increase revenue, hackers are turning to more targeted attacks of bigger game. For example, instead of sending phishing emails to the masses to spread malware, cybercriminals are using reconnaissance and sophisticated delivery methods to reach specific targets that will yield more profits.

Big game hunting fits well with Pinchy Spider’s “ransomware-as-a-service” business. In other words, it lets other cybercriminals (aka “customers”) use the malware it creates to carryout cyberattacks for a share of the profit. Typically, the hacker group uses a 60-40 ratio to split the profits, where 60% goes to the customers. However, Pinchy Spider is now advertising that it is willing to negotiate up to a 70-30 split for “sophisticated” customers. This change coupled with the fact that Pinchy Spider is actively recruiting hackers with networking, Remote Desktop Protocol (RDP), and virtual network computing experience is leading security analysts to believe that Pinchy Spider is hopping onto the big game hunting bandwagon.

 

GandCrab Well Suited for Big Game Hunting

GandCrab is well suited for targeted attacks of bigger game. While most ransomware is distributed through phishing emails, GandCrab takes a different route to its victims. It is distributed through exploit kits. Cybercriminals use these kits to find and exploit known software vulnerabilities in order to carry out malicious activities. In this case, Pinchy Spider created several exploit kits to look for weaknesses in the Java Runtime Environment, Adobe Flash Player, Microsoft Internet Explorer, and other software. If found, the kits exploit the vulnerabilities to launch VBScript, JavaScript, and other types of code that installs GandCrab.

Once the ransomware is installed on a computer, it does not immediately start encrypting the files on it. Instead, it lays dormant while the hackers try to use RDP and credentials they stole from the compromised machine to access and install the ransomware on other computers — preferably hosts or servers — in company’s network. In one instance, the cybercriminals were able to access a business’s domain controller (DC). They then used the IT systems management application installed on the DC to deploy GandCrab throughout the network.

When the hackers have finished infecting the targeted computers, they trigger GandCrab to start encrypting files with an RSA algorithm. GandCrab then demands payment in Dash (a form of cryptocurrency) to decrypt the files. While most ransomware blackmailers demand one payment to unlock the files on all the infected machines, Pinchy Spider and its customers request payment on a per-computer basis, especially if hosts or servers have been compromised.

 

How to Protect Your Business against GandCrab

Taking several measures can go a long way in protecting against a GandCrab attack:

  • Patch known vulnerabilities by regularly updating all software on each computer in your company, including workstations, hosts, and servers. Patching will eliminate many of the vulnerabilities that exploit kits use to access machines.
  • Make sure the security software is being updated on each computer. Even hosts and servers should be running security software. It can help defend against known ransomware threats and other types of malware attacks.
  • Secure RDP. Hackers like to exploit RDP to access businesses’ hosts and servers, so it needs to be secured. There are several ways to do this, such as deploying an RDP gateway and limiting who can use RDP to log in to the network.
  • Use two-step verification for the service and software accounts on your hosts and servers. That way, even if a password is compromised, it cannot be used to gain access to those accounts. If using two-step verification (also known as two-factor authentication) is not possible, at least use strong account passwords and implement an account lockout policy to foil brute force password-cracking attacks.
  • Regularly back up files and systems, and make sure the backups can be successfully restored. Although having restorable backups will not prevent a GandCrab attack, you won’t have to pay the ransom if the attack is successful.

We can help you implement these measures as well as provide recommendations on how to further protect against GandCrab and other types of ransomware.

 

Locky ransomware: source code flickr photo by Christiaan Colen shared under a Creative Commons (BY-SA) license