
Fresh GandCrab Decryptor Frees Data for Free

Crypto-Locking Ransomware Cracked Thanks to Gang's Shoddy Code Quality
A GandCrab ransom-payment page, reachable only via a hidden Tor site (Source: Malwarebytes)

Good news for anyone whose data has been crypto-locked by attackers wielding GandCrab ransomware: You may be able to get your data back, thanks to a free decryptor.


Since January, GandCrab has logged at least 500,000 victims, making it one of the most aggressive - and damaging - strains of ransomware now in circulation, according to Europol, the EU's law enforcement intelligence agency.

Police say that anyone whose system gets crypto-locked by GandCrab is then faced with a ransom demand that can range from $300 to $6,000. "The ransom must be paid through virtual currencies known to make online transactions less traceable, such as Dash and bitcoin," Europol says.

The new decryption program is available for free via the No More Ransom project. It comes courtesy of the Romanian Police, who worked with their counterparts in Bulgaria, France, Hungary, Italy, Poland, the Netherlands, United Kingdom and United States, together with Romanian security firm Bitdefender and Europol.

"It is the most comprehensive decryption tool available to date for this particular ransomware family: It works for all but two existing versions of the malware (v.1,4 and 5), regardless of the victim's geographical location," Europol says.

Just hours after the free decryptor debuted on Thursday, Europol reported that more than 100 victims had already been able to use it to successfully decrypt their data.

To use the tool, victims must have at least one ransom note. "The ransom note is required to recover the decryption key," Bogdan Botezatu, a senior e-threat analyst at Bitdefender, says in a blog post.

"Please make sure that you do not run a clean-up utility which detects and removes these ransom notes prior to execution of this tool," he says. "The information inside the ransom notes is essential in the decryption process as it allows us to compute the unique decryption key for your files."

[Figure: Identify Your GandCrab Version (Source: Bitdefender)]

Follows Free Keys for Syrian Victims

Last week, the GandCrab gang said in a post to a hacking forum that it had released public decryption keys to allow victims in Syria to recover their files for free, saying Syria had never been on the list of intended targets, Bleeping Computer reported. The key release followed a Syrian victim tweeting to say that the ransomware had encrypted photographs of his children, who had been killed during the country's war.

Poor Code Quality

Historically, security researchers have only been able to build free decryption tools for ransomware victims thanks to one of three things being true: The ransomware gang publishes copies of its encryption keys, law enforcement busts the operation or infiltrates their infrastructure and recovers copies of the encryption keys, or the developers' work is so shoddy that there are flaws that researchers can exploit to crack the crypto.

In the case of the GandCrab ransomware gang, researchers say shoddy code quality has continued to allow them to keep cracking its crypto and release free decoders.

Indeed, a representative of the Romanian Police Central Cybercrime Unit tells ZDNet that developers were able to build the latest decryption tool thanks to "a cryptographic issue rather than an infrastructure issue."

"The group behind GandCrab has achieved cult status in underground forums; the authors are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths," researchers at McAfee, which is part of No More Ransom, say in a blog post.

Cat-and-Mouse Games

This isn't the first time that security researchers have been able to publish a free decryption tool for GandCrab victims.

"In February, a first decryption tool was made available on No More Ransom by the Romanian Police, with the support of the internet security company Bitdefender and Europol," Europol says. "A second version of the GandCrab ransomware was subsequently released by the criminals, this time with an improved coding which included comments to provoke law enforcement, security companies and No More Ransom. A third version followed a day later."

GandCrab version 5 is now in the wild, with new updates appearing at "an aggressive pace," Europol says. "Its developers are constantly releasing new versions of it, with new, more sophisticated samples being made available to bypass cybersecurity vendors' countermeasures."

The pace of development is a reminder that the developers behind the ransomware - as well as their users - regard this as a money-making endeavor. Thus, it's a sure bet that the GandCrab gang will soon update their malware to make it immune to the latest free decryption software.

Beyond the Bitdefender-developed decryptor, victims can also potentially avail themselves of "vaccines" for many versions of GandCrab that have been developed by an independent malware researcher known as Valthek. McAfee says it's tested these vaccines and found they're effective.

Ransomware vs. Cryptojacking

Warnings over the ongoing GandCrab campaign come as security researchers this year have been tracking the rapid rise of cryptojacking attacks, which surreptitiously use CPUs to mine for cryptocurrency (see: Cryptojacking Displaces Ransomware as Top Malware Threat).

Last month, McAfee reported that comparing the first quarter of this year to the second, the amount of coin-mining malware seen in the wild nearly doubled, accompanied by a steady stream of new types of malware.


In the same time period, the number of new ransomware strains seen in the wild declined, although the number of ransomware samples increased, as it has done for more than two years.


Aggressive GandCrab Campaigns Continue

Despite the increase in cryptojacking attacks, ransomware still poses a major risk. And GandCrab remains one of the most commonly seen strains of ransomware, helped by the gang's partnership and distribution agreements (see: GandCrab Ransomware Partners With Crypter Service).

"GandCrab has been particularly aggressive throughout 2018," says Raj Samani, chief scientist at McAfee.

"The rapid spread of GandCrab has been helped along by a ransomware-as-a-service scheme, which offers on the dark web to wannabee criminals with little to no technical expertise a toolkit for launching quick and easy malware attacks, in exchange for a 30 percent cut from each ransom payment," Europol says (see: Ransomware: No Longer Sexy, But Still Devastating).

5 Essential Defenses

To help avoid becoming a victim of any type of ransomware, Europol offers these recommendations:

  • Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick or on another computer.
  • Use reliable and up-to-date anti-virus software.
  • Never download programs from suspicious sources.
  • Never open attachments in emails from unknown senders, even if they look important and credible.
  • If you are a victim, don't pay the ransom.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
