A fourth version of the GandCrab ransomware was discovered in July 2018, but researchers are just starting to understand the extent of the changes. How does this version of GandCrab ransomware differ from previous versions and who is at risk?
For many complex reasons, legacy systems may be present in an environment, and the options to secure them can be very limited. This makes them a particularly high-risk vector for attacks and, consequently, incident response costs could be significant. Likewise, there is an emerging trend of ransomware targeting those legacy systems.
An update to the GandCrab ransomware was identified in July 2018. Among the changes was the use of the EternalBlue exploit to attack vulnerable Windows systems over the network via Server Message Block (SMB), turning the malware into a ransomware worm. This update enabled hackers to target Windows XP and Windows Server 2003 systems.
Likewise, the new GandCrab attack includes functionality so that it doesn't need a command-and-control mechanism to operate, making it easier to attack an air-gapped environment. According to Fortinet, the update also changed the attack's encryption functionality to potentially make it faster.
With this updated malware, legacy systems are at the highest risk since many antimalware tools reasonably stopped supporting Windows Server 2003 and Windows XP. These same systems may not have been patched, making them vulnerable to the EternalBlue exploit. Likewise, the system may use an administrative account by default, creating additional risk.
Enterprises using good security hygiene will have the security controls in place to stop the GandCrab ransomware, but they may still have vulnerable legacy systems on their networks. These legacy systems may require network access, which leaves them open to infection with the GandCrab ransomware unless the necessary controls are in place to protect vulnerable systems.