Yet another free decryptor is available for GandCrab ransomware victims. The tool, released Tuesday, is the third decryptor update in the past year that thwarts the prolific and fast-evolving GandCrab ransomware.
Europol announced availability of the update, which now unlocks data encrypted by GandCrab versions V1, V4 and V5 up to V5.1. The decryptor is available for download via the No More Ransom project, an industry cooperative created to fight ransomware that has the cross-industry support of Bitdefender, Kaspersky Lab, McAfee and others.
“Back in October, a decryption tool was made available covering all but two versions of the then-existing versions of the [GandCrab] malware,” wrote Europol. “[This] new tool resolves infections with version 5.0.4 through 5.1 – the latest version developed by the cybercriminals.”
Encrypted files are given the .CRAB extension; the attackers then ask for ransom payments in DASH cryptocurrency, equal to $300 to $600 for each infection. Collectively, police said the GandCrab decryptors have been downloaded over 400,000 times and helped nearly 10,000 victims – saving them a total of $5 million in ransomware payments.
First identified in January 2018, GandCrab quickly became one of the most prolific ransomware strains. The malware targets Windows-based systems with popular infection vectors such as phishing emails with .ZIP archive attachments that unpack malicious JavaScript or PowerShell code that targets unpatched Flash or Adobe Reader vulnerabilities.
Over the past year, the ransomware’s code has evolved, along with its infection vectors. Additional means of infection include leveraging the RIG exploit kit and piggybacking on other malware attacks. In one recent campaign, GandCrab hitched a ride with malvertising trojan Vidar. Researchers observed Vidar being delivered with the Fallout exploit kit in advance of the secondary GandCrab ransomware attack.
GandCrab operators are also believed to be partnering with botnet operators that are helping spread the malware via phishing campaigns in hopes of earning a small percentage of any ransoms paid.
“GandCrab is marketed as ransomware-as-a-service (RaaS) and distributed by a large number of affiliate cybercriminals,” Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, told Threatpost. “We have observed multiple ways of propagation of this malware, including spam campaigns, exploit kits and a more targeted approach where the criminal operators manually execute the trojan over a remote session with a victim’s machine. This ransomware family seems to be quite popular among criminals, which results in a widespread propagation, and as a result, a high number of infection attempts.”
Much like the operators of Cerber, the hackers behind the GandCrab malware simply rent out their ransomware software, and are never engaged in the actual campaigns. This allows them to focus on malware development, and not the day-to-day work of infecting victims and collecting ransoms.
“GandCrab is the most prominent ransomware of 2018. By the numbers this ransomware is huge,” said Yaniv Balmas, group manager, security research at Check Point, in a 2018 interview with Threatpost.
The secret to GandCrab’s success, he said, is the fact that those behind the malware have adopted a never-before-seen agile malware development approach. “They have been diligent about fixing issues as they pop up. They are clearly doing their own code review and fixing bugs reported in real-time, but also fixing unreported bugs in a very efficient manner,” researchers said.