Cybereason Press | Company and Product News

Cybereason’s Nocturnus Research Team Discovers Hackers are Using New, Stealthy Techniques to Deliver GandCrab Ransomware

Written by Cyber Admin | May 7, 2019

Cybereason, creators of the leading Cyber Defense Platform, today announced that researchers detected and prevented a new, stealthy, mechanism aimed at delivering GandCrab ransomware to international manufacturing companies. GandCrab is a notoriously popular and viral form of ransomware responsible for nearly 40 percent of attacks worldwide according to Bitdefender. Its success is built on the Ransomware-as-a-Service business model.

This particular attack began with a phishing email and weaponized Korean Office documents to gain initial entry onto the target machine. The user was lured into running the embedded macro code, which is obfuscated to conceal its true nature and avoid detection. To drop the ransomware, the hackers made use of a multi-stage fileless infection chain with VBA code, WMI objects and JavaScript. It leveraged living-off-the-land binaries to bypass Windows AppLocker and fetch the ransomware payload. The malicious payload was stored on a legitimate online text sharing service, pastebin.com.

“One of the reasons GandCrab has become such a popular form of ransomware is because it follows the Ransomware-as-a-Service (RaaS) business model. This gives cyber criminals of any skillset the ability to use the GandCrab infrastructure through an easy-to-use platform, with 24/7 online support,” said Assaf Dahan, senior director, head of threat research, Cybereason.

Security recommendations to protect against GandCrab and general ransomware attacks include:

Keep regular backups of personal and company endpoints, especially critical endpoints like servers.
Always ensure Windows and any third-party software is updated to the latest version and all security patches have been applied.
Do not pay the ransom fee, as it emboldens the ransomware industry to continue this type of attack. In many cases there is no guarantee that ransomed files will be restored. Additionally, in some cases the data can be decrypted by ad-hoc recovery tools (although this is not always viable).

To learn more about this attack and GandCrab attacks in general, please visit: https://www.cybereason.com/blog/gandcrab-evasive-infection-chain.

About Cybereason
Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint detection and response (EDR), next-generation antivirus (NGAV), and active monitoring services, powered by its cross-machine correlation engine. The Cybereason suite of products provides unmatched visibility, increases analyst efficiency and effectiveness, and reduces security risk. Cybereason is privately held, has raised $189 million from top-tier VCs, and is headquartered in Boston, with offices in London, Tel Aviv, and Tokyo.                                                                      Learn more: https://www.cybereason.com/

Media Contact:
Bill Keeler
Senior Director, Global Public Relations
Cybereason
bill.keeler@cybereason.com
(929) 259-3261