Malware & Threats

New GandCrab Ransomware Decryptor Released

The cat-and-mouse game between BitDefender and the GandCrab ransomware developers continues. On Tuesday (Feb. 19) BitDefender released a new version of its GandCrab decryptor able to decrypt versions of GandCrab 1, 4 and 5 up to the latest version 5.1. The decryptor is available from BitDefender and from the NoMoreRansom project.

BitDefender is being realistic. In an associated announcement, director of threat research and reporting, Bogdan Botezatu, commented, “While this is the third time we have defeated GandCrab encryption in the past year, our celebration will be short-lived. We’ll be back to work tomorrow, as GandCrab operators will no doubt change tactics and techniques.”

GandCrab was the single most successful and dominant ransomware of 2018. It has infected more than 500,000 victims since it first appeared in January 2018, and last week Recorded Future’s threat intelligence analyst Allan Liska told SecurityWeek that he would not be surprised if it had garnered $100 million in ransoms.

The reasons for GandCrab’s success are twofold. Firstly, it is provided to any criminal under a 60/40 profit sharing scheme. If Liska is correct, that would suggest the GandCrab developers have ‘earned’ $600,000 during 2018. Secondly, it has a very responsive and professional development team (or developer). When BitDefender released its previous decryptor (for versions 1, 4 and 5.0), a new version with a new encryption regime appeared within 12 hours. Realistically, we can expect a new version of GandCrab very soon.

There will be new victims; but in the meantime, current victims will be able to recover their files free of charge, with nothing paid to the criminals.

The NoMoreRansom project was launched in July 2016 as a joint initiative by the Dutch National Police, Europol, McAfee (then part of Intel Security) and Kaspersky Lab. Since then, it has attracted dozens of public-sector, private-sector and law enforcement partners, and is now home to almost 100 decryptors for different ransomware families. Europol claims that the BitDefender GandCrab decryptors alone have been downloaded 400,000 times, helping “close to 10 000 victims retrieve their encrypted files, saving them some USD 5 million in ransomware payment.”

Throughout 2018, GandCrab dominated consumer ransomware. Most other ‘successful’ ransomware shifted to corporate targets (exemplified by the City of Atlanta SamSam attack) and gained access largely through RDP. Since GandCrab is ‘ransomware for hire’, it was always going to be a matter of time before it too started targeting companies rather than just consumers.

“Recently, GandCrab operators have also started delivering ransomware to companies via vulnerabilities in remote IT support software used by managed service providers to manage customer workstations,” notes Botezatu. GandCrab affiliates have begun “attacking organizations via exposed Remote Desktop Protocol instances, or by directly logging in with stolen domain credentials. After authenticating on a compromised PC, attackers manually run the ransomware and instruct it to spread across the entire network. Once the network is infected, the attackers wipe their traces clean and contact the victim with a decryption offer.”
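As an added illustration of the exposed-RDP entry point Botezatu describes (detection code written for this page, not BitDefender's or SecurityWeek's), the following Python flags successful RDP logons (Windows Security event 4624 with logon type 10) arriving from addresses outside the RFC 1918 private ranges, and counts how many failed logons (event 4625) preceded each one from the same source. The log records are constructed samples, and the internal-network list is an assumption a real deployment would replace with its own address plan.

```python
"""Flag RDP logons from outside the private address space.

Added example for this page, not BitDefender's or SecurityWeek's code.
Field names follow the Windows Security log (EventID, LogonType,
TargetUserName, IpAddress); the records below are constructed samples.
"""
import ipaddress

# Assumed internal ranges (IPv4 only); replace with the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

RDP_LOGON_TYPE = 10  # RemoteInteractive: RDP / Terminal Services

# Constructed sample events; a real feed would come from the SIEM or the DC.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",       "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "LogonType": 3,  "TargetUserName": "jdoe",       "IpAddress": "198.51.100.2"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",      "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin",      "IpAddress": "203.0.113.7"},
]


def is_external(ip: str) -> bool:
    """True when the address is outside every assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # field is "-" or otherwise unparsable; do not flag
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Return (user, source_ip, failures_before) for each successful RDP
    logon from an external address. failures_before counts earlier 4625
    events from the same address, a hint of credential guessing."""
    failures = {}
    hits = []
    for ev in events:
        if ev["LogonType"] != RDP_LOGON_TYPE or not is_external(ev["IpAddress"]):
            continue
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            failures[ip] = failures.get(ip, 0) + 1
        elif ev["EventID"] == 4624:
            hits.append((ev["TargetUserName"], ip, failures.get(ip, 0)))
    return hits


if __name__ == "__main__":
    for user, ip, prior in external_rdp_logons(SAMPLE_EVENTS):
        print(f"external RDP logon: {user} from {ip} ({prior} prior failures)")
```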


Whether GandCrab proves as successful against corporate targets in 2019 as it was against consumer targets in 2018 remains to be seen. What we can be certain about is that whenever a new version is released, BitDefender will seek to defeat its encryption; and whenever it does, the GandCrab developers will rapidly release a new version. It’s become personal. 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.