Delaware, USA – September 27, 2018 — GandCrab ransomware was discovered at the beginning of this year; its authors promoted it on underground forums as Ransomware-as-a-Service, and GandCrab soon became one of the most widespread ransomware strains. This week, researchers found the next version of this malware being distributed in a malvertising campaign that redirected users to Fallout exploit kit landing pages. The new version of GandCrab encrypts files not only on the infected system but on all network shares it can detect. After encryption, the ransomware appends a random 5-character extension to each encrypted file. To recover the data, the attackers demand $800 in the DSH cryptocurrency.
Further examination of the new samples showed that the ransomware exploits the recently patched zero-day vulnerability in the Task Scheduler's ALPC interface to run commands with SYSTEM privileges. It appears that the attackers took a ready-made PoC exploit from GitHub and added it to the new strain in order to delete the Volume Shadow Copies. Earlier this month, the PowerPool group used the same exploit in a cyber espionage campaign. Although the patch for this vulnerability was released on September 11, it has not been installed on many systems, so more and more cybercriminals are starting to use the published exploit. To uncover exploitation of the Task Scheduler vulnerability, you can export rules for your security solutions or create your own threat detection content in TDM: https://tdm.socprime.com/tdm/info/1315/
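The article says the escalated privileges are used to delete the Volume Shadow Copies, which is the step a defender can most reliably catch in process-creation telemetry. The following is an added example written for this page, not code from the article, SOC Prime or TDM: it scans constructed Sysmon-style process-creation records (a simplified tab-separated `key=value` format, assumed here for readability) for the commands ransomware families commonly use to destroy shadow copies, and additionally marks a hit as suspicious when the command runs as SYSTEM but its parent binary lives in a user-writable directory, a heuristic chosen for this example to surface the "unprivileged dropper gains SYSTEM" pattern described above.

```python
"""Detect Volume Shadow Copy deletion in process-creation telemetry.

Added example, not part of the original article. The log format,
rule names and the "suspicious parent" heuristic are assumptions
made for this demonstration, not a vendor's or TDM's own rule set.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample telemetry (not real logs): one process-creation
# record per line, fields separated by tabs, each field key=value.
SAMPLE_LOG = "\n".join([
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\notepad.exe"
    "\tCommandLine=notepad.exe report.txt\tUser=CORP\\alice",
    "ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\tImage=C:\\Windows\\System32\\vssadmin.exe"
    "\tCommandLine=vssadmin.exe delete shadows /all /quiet\tUser=NT AUTHORITY\\SYSTEM",
    "ParentImage=C:\\Windows\\System32\\cmd.exe\tImage=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "\tCommandLine=wmic shadowcopy delete\tUser=CORP\\alice",
    "ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
    "\tUser=NT AUTHORITY\\SYSTEM",
    "ParentImage=C:\\Windows\\System32\\svchost.exe\tImage=C:\\Windows\\System32\\vssadmin.exe"
    "\tCommandLine=vssadmin.exe list shadows\tUser=NT AUTHORITY\\SYSTEM",
])

# Command-line patterns for shadow copy destruction. "list shadows" is
# deliberately not matched: enumeration alone is normal admin activity.
SHADOW_DELETION_RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy.*\.delete\(", re.I), "WMI Win32_ShadowCopy.Delete()"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I), "wbadmin delete catalog"),
]

# Directories an unprivileged user can write to; a SYSTEM-level process
# whose parent lives here is a strong privilege-escalation signal.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.I)


@dataclass
class Alert:
    rule: str
    image: str
    command_line: str
    user: str
    parent_image: str
    suspicious_parent: bool


def parse_record(line: str) -> dict:
    """Split one tab-separated key=value record into a dict."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def match_rule(command_line: str) -> Optional[str]:
    """Return the name of the first deletion rule the command line matches."""
    for pattern, name in SHADOW_DELETION_RULES:
        if pattern.search(command_line):
            return name
    return None


def detect(log_text: str) -> List[Alert]:
    """Scan every record and return an Alert for each shadow-deletion hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        rule = match_rule(rec.get("CommandLine", ""))
        if rule is None:
            continue
        runs_as_system = rec.get("User", "").upper().endswith("\\SYSTEM")
        suspicious_parent = runs_as_system and bool(USER_WRITABLE.search(rec.get("ParentImage", "")))
        alerts.append(Alert(rule, rec.get("Image", ""), rec.get("CommandLine", ""),
                            rec.get("User", ""), rec.get("ParentImage", ""), suspicious_parent))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        flag = " [SYSTEM from user-writable parent]" if a.suspicious_parent else ""
        print(f"{a.rule}{flag}: {a.command_line} (user={a.user}, parent={a.parent_image})")
```

On the constructed sample this fires on the vssadmin, wmic and PowerShell deletions but not on the harmless `vssadmin list shadows`; the two SYSTEM-level hits whose parent is a dropper in the user's Temp folder carry the extra escalation flag, which is the combination worth prioritising when hunting for this campaign.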