A new version of the GandCrab ransomware is evolving and gaining momentum through underground cybercriminal alliances, according to a recent McAfee report.
The latest release, version 5.0, now partners with NTCrypt, a crypter service that obfuscates the malware so it evades anti-malware products.
An excerpt from the report on the underground alliance:
“On September 27, the GandCrab crew announced Version 5 with the same showmanship as its earlier versions. GandCrab ransomware has gained a lot of attention from security researchers as well as the underground. The developers market the affiliate program like a ‘members-only club’ and new affiliates are lining up to join, in the hope of making easy money through the large-scale ransomware extortion scheme.”
The ultimate objective of GandCrab is to encrypt most files on a victim's computer and extort a ransom payment in exchange for unlocking them.
McAfee says one of the GandCrab version 5.0 releases exploits CVE-2018-8440, an elevation-of-privilege flaw in the Windows Advanced Local Procedure Call (ALPC) interface, to gain higher privileges. The vulnerability affects Windows 7 through Windows 10 and the corresponding Windows Server versions, and was patched last month as part of the September 2018 updates.
The second exploit used by GandCrab targets CVE-2018-8120, a Win32k kernel-mode flaw that affects Windows 7, Windows Server 2008 R2 and Windows Server 2008. Patched in May 2018, it lets a local attacker run code in kernel mode and elevate privileges.
“Thanks to a faulty object in the token of the System process, changing this token in the malware results in executing the malware with System privileges,” McAfee said.
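The token swap McAfee describes is the standard kernel "token stealing" step: once the exploit can execute code in the kernel, it walks the process list from its own EPROCESS through ActiveProcessLinks until it reaches PID 4 (the System process) and writes that process's Token pointer into its own EPROCESS, after which the malware runs as System. The following user-mode model in C is an added example, not McAfee's analysis code and not GandCrab's own code; the structure layout, PIDs and token values are constructed for the demonstration, and real shellcode uses version-specific EPROCESS offsets rather than these fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-mode model of the "token stealing" step a kernel exploit performs once it
 * has arbitrary kernel execution. Field names mirror the EPROCESS fields such
 * shellcode walks (UniqueProcessId, ActiveProcessLinks, Token); the layout,
 * offsets and token values below are constructed for this demonstration and are
 * not the real kernel structures. */

typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

typedef struct eprocess {
    uintptr_t  UniqueProcessId;     /* PID; the System process is always PID 4 */
    LIST_ENTRY ActiveProcessLinks;  /* circular list linking every EPROCESS */
    uintptr_t  Token;               /* EX_FAST_REF: TOKEN pointer with a refcount in the low bits */
} EPROCESS;

#define SYSTEM_PID        ((uintptr_t)4)
#define EX_FAST_REF_MASK  ((uintptr_t)0xF)  /* on x64 the low 4 bits hold a cached refcount */

/* CONTAINING_RECORD: recover the EPROCESS that embeds this ActiveProcessLinks entry. */
static EPROCESS *from_links(LIST_ENTRY *e) {
    return (EPROCESS *)((char *)e - offsetof(EPROCESS, ActiveProcessLinks));
}

/* Walk the circular process list from `start` looking for `pid`; NULL if absent. */
static EPROCESS *find_process(EPROCESS *start, uintptr_t pid) {
    EPROCESS *p = start;
    do {
        if (p->UniqueProcessId == pid)
            return p;
        p = from_links(p->ActiveProcessLinks.Flink);
    } while (p != start);
    return NULL;
}

/* The escalation step: point the current process at System's token object.
 * Returns 1 on success, 0 if System is not in the list. Public shellcode
 * commonly masks off the EX_FAST_REF refcount bits before storing the pointer. */
int steal_system_token(EPROCESS *current) {
    EPROCESS *sys = find_process(current, SYSTEM_PID);
    if (sys == NULL)
        return 0;
    current->Token = sys->Token & ~EX_FAST_REF_MASK;
    return 1;
}

/* Link three constructed processes into a circular list: a -> b -> c -> a. */
static void link_ring(EPROCESS *a, EPROCESS *b, EPROCESS *c) {
    a->ActiveProcessLinks.Flink = &b->ActiveProcessLinks;
    b->ActiveProcessLinks.Flink = &c->ActiveProcessLinks;
    c->ActiveProcessLinks.Flink = &a->ActiveProcessLinks;
    a->ActiveProcessLinks.Blink = &c->ActiveProcessLinks;
    b->ActiveProcessLinks.Blink = &a->ActiveProcessLinks;
    c->ActiveProcessLinks.Blink = &b->ActiveProcessLinks;
}

/* Constructed scenario: the malware process (PID 4242) steals System's token.
 * Returns the malware's Token value after the swap. */
uintptr_t demo_steal(void) {
    EPROCESS sys = { SYSTEM_PID, {NULL, NULL}, 0x1000 | 0x3 }; /* constructed token address, refcount 3 */
    EPROCESS svc = { 800,        {NULL, NULL}, 0x2000 | 0x1 };
    EPROCESS mal = { 4242,       {NULL, NULL}, 0x3000 | 0x2 };
    link_ring(&sys, &svc, &mal);
    steal_system_token(&mal);
    return mal.Token;
}

/* Constructed scenario with no PID 4 in the list: the token is left untouched. */
int demo_no_system(void) {
    EPROCESS a = { 800,  {NULL, NULL}, 0x2000 };
    EPROCESS b = { 900,  {NULL, NULL}, 0x2100 };
    EPROCESS c = { 4242, {NULL, NULL}, 0x3000 };
    link_ring(&a, &b, &c);
    return steal_system_token(&c);
}

int main(void) {
    printf("after steal: malware token = 0x%lx\n", (unsigned long)demo_steal());
    printf("no System in list: steal returned %d\n", demo_no_system());
    return 0;
}
```

The model makes the defensive point concrete: the exploit does not need to forge a token, it only needs one kernel write, so the mitigation is the patch itself (the September and May 2018 updates for the two CVEs), and a process whose primary token is System's while its parent is an ordinary user process is the post-exploitation artefact to hunt for.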