The GandCrab family is updating at a rapid pace. Since its V5 was released in September this year, a number of variants have appeared, including V5.0, V5.0.2, V5.0.3, V5.0.4, and V5.0.5. This virus family has targeted customers in various sectors in China. Users should take precautions to remove it as soon as possible.
Instead of spreading like worms, GandCrab propagates through RDP brute-force attacks, phishing emails, botnets, and vulnerability exploits as well as by being bundled with malware. This virus encrypts files with the Salsa and RSA-2048 algorithms, replaces file name extensions with .GDCB, .GRAB, .KRAB, or five to ten random letters. Besides, GandCrab can also change the desktop background to show a ransomware message.
The following figure shows the contents included in a GandCrab ransom file.
After encrypting the files, the virus will change their file name extensions to a random one.
- Security Recommendations
- Protection Recommendations
- Try not to expose the RDP port to the Internet and protect it using IPS, firewalls, or the like.
- Enable the Windows firewall and secure the access to RDP and SMB services through controls such as ACL.
- Configure Windows group policy settings to form an account lockout policy so that accounts with a certain consecutive number of failed login attempts in a short period will be locked.
- Increase the complexity of host account passwords and set the password change cycle to a shorter period. Besides, avoid common passwords or passwords with logical meanings.
- Change the default user name of system administrator to avoid the use of common ones such as admin, administrator, and test.
- Install antivirus (AV) software with self-protection and keep the virus database or AV software up to date.
- Enhance employee security awareness training. Do not open emails from strangers or run programs from unidentifiable sources.
- Apply security patches to the operating system and other applications as soon as they are available to fix high-risk vulnerabilities.
- Back up mission-critical business data regularly to prevent data corruption and loss.
- Protection with Local Security Policies
Users can configure account policies amid local security policies for effective protection against RDP brute-force attacks.
- Press the Windows and R keys simultaneously on the keyboard and type msc in the Run dialog box that appears. Then the Local Security Policy dialog box appears.
- Choose Security Settings > Account Policies > Account Lockout Policy and set account lockout conditions.
The following table describes account lockout parameters.
|Account lockout duration||This security setting determines the number of minutes a locked account remains locked out before automatically becoming unlocked.|
|Account lockout threshold||This security setting determines the number of failed login attempts that will cause a local account to be locked.|
|Reset account lockout counter after||This security setting determines the number of minutes that must elapse after a failed login attempt before the failed login attempt counter is reset to 0 failed login attempts.|
- Protection with Security Products
To prevent attackers from implanting the ransomware virus through RDP brute-force attacks, users can configure IPS for effective protection. The following uses NSFOCUS NIPS as an example to illustrate how to implement protection with help of an IPS:
- Update the intrusion prevention rule database online or offline. Users with offline update can download the latest rule update package from the following link:
- Configure an intrusion prevention policy. Choose Policy > IPS > IPS Policy and click New in the upper-right corner of the page. Create a RDP brute-force attack detection rule named  Microsoft Windows Remote Desktop Brute-Force Attack. This rule, by default, has been included in the Default rule template.
In the New dialog box, configure parameters as indicated in the following figure and click OK.
Choose Policy > Application Management > App Mgmt Policy and click New on the page that appears.
In the New dialog box, configure parameters as indicated in the following figure:
Note: If users have no interest in application management logs or a great number of such logs result in difficulties in operation and maintenance (O&M), you can disable the application management logging function, which has no impact on the detection of RDP brute-force attacks.
- Users can also adjust the RDP brute-force attack detection frequency by choosing System > System Configuration > Parameter.
|merger_time||It specifies the RDP brute-force attack event merger cycle. The default value is 3600 seconds, indicating that events that share the same source and destination and occur at the same time are merged.|
|violence_guess_check_level||It controls whether to enable or disable brute-force attack detection.|
|violence_guess_check_level||It specifies the number of RDP brute-force attacks occurring in a detection cycle.|
|violence_guess_limit_time||It specifies the RDP brute-force attack detection cycle (in seconds).|
Click Apply Settings in the upper-right corner of the IPS Policy page or restart the engine to make the settings take effect.
- Decryption Tool
The GandCrab author has released to the public some decryption keys of GandCrab V5.0.4 and earlier versions. These decryption keys are mainly intended for victims in Syria. Bitdefender has released a tool specially made to decrypt GandCrab. This tool can only recover files that are infected with GandCrab 5.0.4 and earlier. Users affected by this ransomware can try to recover data by downloading this tool from the following link:
After files are decrypted, the following page appears:
- This tool only has certain decryption keys embedded. Therefore, keys which are not incorporated into the tool may fail to be decrypted.
- The tool author strongly advises that Backup files be selected prior to decryption. That is to say, back up encrypted files before decryption and delete them only when users make sure that the decrypted files can be opened in a secure way and remain intact.