Iran’s Computer Emergency Response Team Coordination Center (Iran CERTCC), the country’s cybersecurity authority, has issued a warning to the public, government bodies and companies about the rising tide of a dangerous ransomware attack, GandCrab v4.
Affiliated with the ICT Ministry, Iran CERTCC published a post on Wednesday urging users to take the necessary measures against infection by GandCrab ransomware, having noticed a rise in the number of attacks employing the malicious software around the globe.
Damages caused by cybercriminals across the globe are estimated to reach trillions of dollars annually by 2021. Given the dire consequences of vulnerability to hackers, cybersecurity providers in Iran are on the lookout for possible exploitations.
The cybercrime gang behind GandCrab launched the fourth version of the malware in July. GandCrab is ransomware, malicious software that locks up a victim’s data and demands payment of a ransom.
GandCrab encrypts documents and files within an infected system. Afterwards, the hackers display a clear message on the victim’s computer stating which files have been encrypted and demanding a ransom in return for the decryption key.
The crypto-malware usually infiltrates machines via contaminated file attachments in spam e-mails, by breaking in through poorly protected Remote Desktop Protocol services, by exploiting software vulnerabilities, or via executables found on malicious websites (such as file-sharing or torrent sites).
As soon as the GandCrab v4 virus penetrates a system, it performs a full system scan, looking for files to encrypt. It then appends the KRAB extension to all video, audio, image and database files. For example, picture.jpg is renamed picture.jpg.KRAB and becomes inaccessible.
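The renaming behaviour described above gives defenders a simple indicator to sweep for. The following is an added example, not code from Iran CERTCC or from the article: it walks a directory tree, finds files carrying the .KRAB suffix, and tallies them by the file type hidden under the suffix. The extension groupings are an assumption made for this example, not a list from the advisory.

```python
import os
from collections import Counter
from typing import Dict, Iterable, List

# Extension GandCrab v4 appends to encrypted files, per the advisory.
KRAB_SUFFIX = ".KRAB"

# Rough grouping of the file types the advisory says are targeted.
# The concrete extensions in each group are assumed for this example.
CATEGORIES = {
    "video": {".mp4", ".avi", ".mkv", ".mov"},
    "audio": {".mp3", ".wav", ".flac"},
    "image": {".jpg", ".jpeg", ".png", ".gif", ".bmp"},
    "database": {".db", ".sqlite", ".mdb", ".sql"},
    "document": {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"},
}

def is_krab(path: str) -> bool:
    # Case-insensitive so the check also works on case-insensitive filesystems.
    return path.upper().endswith(KRAB_SUFFIX)

def original_extension(path: str) -> str:
    """Extension hidden under the suffix: 'picture.jpg.KRAB' -> '.jpg'.
    Returns '' when the path has no .KRAB suffix or no inner extension."""
    if not is_krab(path):
        return ""
    stripped = path[: -len(KRAB_SUFFIX)]
    return os.path.splitext(stripped)[1].lower()

def categorize(ext: str) -> str:
    for name, exts in CATEGORIES.items():
        if ext in exts:
            return name
    return "other"

def classify_krab_paths(paths: Iterable[str]) -> Dict[str, int]:
    """Count .KRAB files per category; paths without the suffix are ignored."""
    counts: Counter = Counter()
    for p in paths:
        if is_krab(p):
            counts[categorize(original_extension(p))] += 1
    return dict(counts)

def scan_tree(root: str) -> List[str]:
    """Return every path under root that carries the .KRAB suffix."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if is_krab(f)]

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_tree(root)
    print(f"{len(hits)} .KRAB files under {root}: {classify_krab_paths(hits)}")
```

A non-empty result on a host that should hold no such files is a strong sign of an active or past infection and warrants isolating the machine before any cleanup.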
Iran CERTCC calls on all computer users, companies and state bodies to take preemptive action to avoid being ransomed by hackers.
Another Attack
On the same day, after identifying another imminent and serious threat to user security, Iran CERTCC issued a further warning.
According to the center, cyber attacks on port 5431, a port most commonly used by the UPnP (Universal Plug and Play) protocol, have been on the rise.
UPnP is a feature that allows the devices on home networks to discover each other and access certain services. Often, this is used for streaming media between devices on a network.
The protocol has long been a security concern for experts, who consider it open to remote access.
Moreover, the lack of an authentication mechanism and the existence of UPnP-specific remote code execution vulnerabilities leave security providers scratching their heads over the insecure protocol.
Attackers use the protocol to mask the source of DDoS (Distributed Denial of Service) attacks.
In a DDoS attack, the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Iran CERTCC has examined the IP addresses of the attackers, finding that a huge number of hackers are targeting the country’s systems.
The majority of the attacks come from six countries, namely India, China, the United States, Colombia, Iran and Brazil. However, by using proxies and Virtual Private Network services, hackers can easily conceal the source of such attacks.
The center says this shows that equipment running UPnP services around Iran is vulnerable to such attacks and that precautionary measures must be taken promptly.
Precautions
Simply put, it is impossible to prevent hackers from launching an attack. However, some precautions can reduce the risk of infection.
For instance, attackers need to get the malware downloaded onto a computer or smart device and then installed. They do this by using compromised emails and websites.
Experts warn people to always be wary of unknown emails and never click on links whose source they do not recognize. It is also recommended to install an antivirus and keep it updated.
Computer users in Iran whose systems become infected by malware can email cert@certcc.ir or call 021-22115950 or 021-4265000.