Protecting Your Organization From the Latest GandCrab and Ursnif Campaigns

February 6, 2020

Protecting your organization against cyber-crime means being ready for the unknown at all times. Researchers have uncovered two malware campaigns that attack your infrastructure through something as innocent as a Microsoft Word file. These two campaigns are known as GandCrab and Ursnif, and it’s important that your organization stays aware of both. Let’s take a look at what the GandCrab and Ursnif campaigns are capable of, and how Votiro can help keep you safe.

What Are the GandCrab and Ursnif Campaigns? 

Both the GandCrab and Ursnif attacks use the Ursnif trojan that is known for stealing data, collecting keystrokes, and deploying additional backdoors to burrow into an IT network. This ultimately leads to fingerprinting your system and sending sensitive information back to the attackers. Once distributed, Ursnif can harvest personal credentials including financial data. The GandCrab campaign has an additional layer, the GandCrab ransomware tool that restricts user access, and demands a digital currency to unencrypt files on any infected network.

Launched by two separate attack groups, both attacks leverage phishing emails to breach their initial target machine, starting with a Microsoft Word document that has malicious macros embedded within it, and then using Powershell to inject fileless malware.

Arming Your Business Against These Kinds GandCrab and Ursnif Campaigns with Votiro

The GandCrab and Ursnif threats are not as easy to look out for as you might imagine. Security researchers at Carbon Black found 180 variants of this kind of MS Word document, embedded with malicious VBS macros. While researchers have published a list of payload file names that have been used up until now, this cannot be considered an exhaustive list of indicators of compromise. New variations are being found all the time through successful breaches.

Votiro uses a different approach through file sanitization. When these campaigns first came onto the scene, we were able to protect our customers and prevent these attacks from making it past the first hurdle, all without even knowing about these new threats.  

With our Positive Selection technology, every file is deconstructed, disarmed, and put back together in a safe version of itself. As part of this process, we analyze macros and remove any that are abnormal, without needing existing knowledge of whether they are suspicious. Our Secure File Gateway simply removes anything unnecessary, keeping the enduser safe at all times, and treating the macros as per the user’s policy creation. The whole process takes less than one second, so the user would never know that the file has been checked in the first place.

This is just one example of the importance of choosing a cybersecurity solution that focuses on prevention rather than detection, ensuring you are ready for any threat, at any time. Here at Votiro, we are always ready to help our customers build a strategy that helps them stay proactive, rather than reactive. Want to see us in action? Get in touch to schedule a demo today.