Miscreants have developed the first strain of ransomware worm capable of infecting legacy systems, such as Windows XP and 2003.
The infamous WannaCry outbreak, which severely affected the UK’s NHS, showed just how much damage ransomware can do.
Subsequent tests showed that in most cases WannaCry could only crash – rather than infect – Windows XP systems, which remained in use at the health service, connected to MRI scanners and the like, despite having been retired by Microsoft years earlier. Extended support for Windows XP ended in April 2014.
A new version of the GandCrab (v4.1) ransomware has an SMB exploit spreader that works against XP and 2003, as well as later versions of Windows. It’s the first ransomware to actually “support” legacy systems, according to UK infosec practitioner Kevin Beaumont.
Though previous versions of GandCrab haven’t had much of an impact, the latest promises to be more problematic. One of its modules is called “network fucker”, which speaks to the intent of the hackers behind its creation. The nasty no longer needs a command-and-control server, meaning it can operate in air-gapped environments – bad news for industrial plants, where Windows XP remains rife.
GandCrab v4.1 spreads via an SMB exploit. Previous versions of the malware were detected by antivirus scanners and this will probably be the case with the latest, which is sold as a kit and spread by script kiddies looking to make a dishonest buck.
This isn’t the work of an intel agency, military unit or even a well-resourced and agile cybercrime group, but it nonetheless poses a threat.
“Being able to spread without internet access and impacting legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice – e.g. no working antivirus software,” Beaumont warned.
The threat has been seen spreading in the wild, making it a real and present danger. Fortunately, mitigation and defence are both relatively straightforward.
Systems should have MS17-010 applied, the patch for Windows XP and Windows Server 2003 that Microsoft brought out in the wake of WannaCry. Windows 2000 systems are among the few not protected by this safety net. Running antivirus and segmenting systems will also help.
Admins of networks running newer versions of Windows should also consider disabling SMBv1, an option not available in legacy versions of Windows.
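As an added example (not from Beaumont’s write-up or The Register), the following PowerShell audits a newer Windows host for the two mitigations above: whether an MS17-010 hotfix is present and whether the SMBv1 server protocol is still enabled, turning it off if so. It assumes Windows 8 / Server 2012 or later with an elevated session (the SMB cmdlets do not exist on XP/2003, which need the MS17-010 update installed directly), and the KB IDs are the ones Microsoft listed for MS17-010, which you should cross-check against the bulletin for your exact build.

```powershell
# Added example: audit one host for MS17-010 and SMBv1 exposure.
# Requires Windows 8 / Server 2012 or later and an elevated PowerShell session.
# KB IDs per the MS17-010 bulletin; verify for your build. Windows 10 ships
# the fix inside cumulative updates, so Get-HotFix may not list these there.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'   # Windows Server 2012
)

function Test-Ms17010Installed {
    # $true if any MS17-010 KB appears in the host's hotfix inventory.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1ServerEnabled {
    # Server-side SMBv1 state: this is the listener an SMB exploit spreader targets.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1Server {
    # Turn off the SMBv1 server protocol. Anything still speaking only SMBv1
    # (old NAS boxes, XP/2003 clients) loses access to this host, so review
    # Get-SmbSession on a file server before flipping it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$patched = Test-Ms17010Installed
$smb1On  = Get-Smb1ServerEnabled
Write-Output ("MS17-010 hotfix present : {0}" -f $patched)
Write-Output ("SMBv1 server enabled    : {0}" -f $smb1On)

if ($smb1On) {
    Disable-Smb1Server
    Write-Output "SMBv1 server protocol disabled."
}
if (-not $patched) {
    Write-Output "No MS17-010 KB found; install the update for this build (or confirm the cumulative update on Windows 10)."
}
```

Running this across a fleet (for example via Invoke-Command) gives a quick inventory of which hosts still expose the SMBv1 surface the spreader relies on, while legacy XP/2003 hosts must be checked through Windows Update or Add/Remove Programs instead.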
Beaumont’s write-up of the threat and suggested mitigations can be found here.