The cat-and-mouse game between BitDefender and the GandCrab ransomware developers continues. On Tuesday (Feb. 19) BitDefender released a new version of its GandCrab decryptor able to decrypt versions of GandCrab 1, 4 and 5 up to the latest version 5.1. The decryptor is available from BitDefender and from the NoMoreRansom project.
BitDefender is being realistic. In an associated announcement, director of threat research and reporting, Bogdan Botezatu, commented, “While this is the third time we have defeated GandCrab encryption in the past year, our celebration will be short-lived. We’ll be back to work tomorrow, as GandCrab operators will no doubt change tactics and techniques.”
GandCrab was the single most successful and dominant ransomware of 2018. It has infected more than 500,000 victims since it first appeared in January 2018, and last week Recorded Future’s threat intelligence analyst Allan Liska told SecurityWeek that he would not be surprised if it had garnered $100 million in ransoms.
The reasons for GandCrab’s success are twofold. Firstly, it is provided to any criminal under a 60/40 profit sharing scheme. If Liska is correct, that would suggest the GandCrab developers have ‘earned’ $600,000 during 2018. Secondly, it has a very responsive and professional development team (or developer). When BitDefender released its previous decryptor (for versions 1, 4 and 5.0), a new version with a new encryption regime appeared within 12 hours. Realistically, we can expect a new version of GandCrab very soon.
There will be new victims; but in the meantime, current victims will be able to recover their files free of charge, with nothing paid to the criminals.
The NoMoreRansom project was launched in July 2016 as a joint initiative by the Dutch National Police, Europol, McAfee (then part of Intel Security) and Kaspersky Lab. Since then, it has attracted dozens of public-sector, private-sector and law enforcement partners, and is now home to almost 100 decryptors for different ransomware families. Europol claims that the BitDefender GandCrab decryptors alone have been downloaded 400,000 times, helping “close to 10 000 victims retrieve their encrypted files, saving them some USD 5 million in ransomware payment.”
Throughout 2018, GandCrab dominated consumer ransomware. Most other ‘successful’ ransomware shifted to corporate targets (exemplified by the City of Atlanta SamSam attack) and largely gained entry through RDP. Since GandCrab is ‘ransomware for hire’, it was always going to be a matter of time before it too started targeting companies rather than just consumers.
“Recently, GandCrab operators have also started delivering ransomware to companies via vulnerabilities in remote IT support software used by managed service providers to manage customer workstations,” notes Botezatu. GandCrab affiliates have begun “attacking organizations via exposed Remote Desktop Protocol instances, or by directly logging in with stolen domain credentials. After authenticating on a compromised PC, attackers manually run the ransomware and instruct it to spread across the entire network. Once the network is infected, the attackers wipe their traces clean and contact the victim with a decryption offer.”
Whether GandCrab proves as successful against corporate targets in 2019 as it was against consumer targets in 2018 remains to be seen. What we can be certain about is that whenever a new version is released, BitDefender will seek to defeat its encryption; and whenever it does, the GandCrab developers will rapidly release a new version. It’s become personal.