Crypto-Locking Ransomware Cracked Thanks to Gang’s Shoddy Code Quality
Good news for anyone whose data has been crypto-locked by attackers wielding GandCrab ransomware: You may be able to get your data back, thanks to a free decryptor.
Sine January, GandCrab has logged at least 500,000 victims, making it one of the most aggressive – and damaging – strains of ransomware now in circulation, according to Europol, the EU’s law enforcement intelligence agencyl.
Police say that anyone whose system gets crypto-locked by GandCrab is then faced with a ransom demand that can range from $300 to $6,000. “The ransom must be paid through virtual currencies known to make online transactions less traceable, such as Dash and bitcoin,” Europol says.
The new decryption program is available for free via the No More Ransom project. It comes courtesy of the Romanian Police, who worked with their counterparts in Bulgaria, France, Hungary, Italy, Poland, the Netherlands, United Kingdom and United States, together with Romanian security firm Bitdefender and Europol.
“It is the most comprehensive decryption tool available to date for this particular ransomware family: It works for all but two existing versions of the malware (v.1,4 and 5), regardless of the victim’s geographical location,” Europol says.
Just hours after the free decryptor debuted on Thursday, Europol reported that more than 100 victims had already been able to use it to successfully decrypt their data.
I can confirm that the decryptor works against #GandCrab 5.0.3… Mostly.
When scanning a single folder it fails. When running it on the entire filesystem it throws a warning that some files could not be decrypted, but I think everything was decrypted successfully in that case. pic.twitter.com/mTWJqthm9s
— Tamas Boczan (@tamas_boczan) October 25, 2018
To use the tool, victims must have at least one ransom note. “The ransom note is required to recover the decryption key,” Bogdan Botezatu, a senior e-threat analyst at BitDefender, says in a blog post.
“Please make sure that you do not run a clean-up utility which detects and removes these ransom notes prior to execution of this tool,” he says. “The information inside the ransom notes is essential in the decryption process as it allows us to compute the unique decryption key for your files.”
Identify Your GandCrab Version
Follows Free Keys for Syrian Victims
Last week, the GandCrab gang said in a post to a hacking forum that it had released public decryption keys to allow victims in Syria to recover their files for free, saying Syria had never been on the list of intended targets, Bleeping Computer reported. The key release followed a Syrian victim tweeting to say that the ransomware had encrypted photographs of his children, who had been killed during the country’s war.
They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for a some filthy money. How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?
— (@kvbNDtxL0kmIqRU) October 16, 2018
Poor Code Quality
Historically, security researchers have only been able to build free decryption tools for ransomware victims thanks to one of three things being true: The ransomware gang publishes copies of its encryption keys, law enforcement busts the operation or infiltrates their infrastructure and recovers copies of the encryption keys, or the developers’ work is so shoddy that there are flaws that researchers can exploit to crack the crypto.
In the case of the GandCrab ransomware gang, researchers say shoddy code quality has continued to allow them to crack its crypto and release free decoders.
“The group behind GandCrab has achieved cult status in underground forums; the authors are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths,” researchers at McAfee, which is part of No More Ransom, say in a blog post.
This isn’t the first time that security researchers have been able to publish a free decryption tool for GandCrab victims.
“In February, a first decryption tool was made available on No More Ransom by the Romanian Police, with the support of the internet security company Bitdefender and Europol,” Europol says. “A second version of the GandCrab ransomware was subsequently released by the criminals, this time with an improved coding which included comments to provoke law enforcement, security companies and No More Ransom. A third version followed a day later.”
GandCrab version 5 is now in the wild, with new updates appearing at “an aggressive pace,” Europol says. “Its developers are constantly releasing new versions of it, with new, more sophisticated samples being made available to bypass cybersecurity vendors’ countermeasures.”
The pace of development is a reminder that the developers behind the ransomware – as well as their users – regard this as a money-making endeavor. Thus, it’s a sure bet that the GandCrab gang will soon update their malware to make it immune to the latest free decryption software.
Beyond the Bitdefender-developed decryptor, victims can also potentially avail themselves of “vaccines” for many versions of GandCrab that have been developed by an independent malware researcher known as Valthek. McAfee says it’s tested these vaccines and found they’re effective.
Ransomware vs. Cryptojacking
Warnings over the ongoing GandCrab campaign come as security researchers this year have been tracking the rapid rise of cryptojacking attacks, which surreptitiously use CPUs to mine for cryptocurrency (see: Cryptojacking Displaces Ransomware as Top Malware Threat).
Last month, McAfee reported that comparing the first quarter of this year to the second, the amount of coin-mining malware seen in the wild nearly doubled, accompanied by a steady stream of new types of malware.
In the same time period, the number of new ransomware strains seen in the wild declined, although the number of ransomware samples increased, as it has done for more than two years.
Aggressive GandCrab Campaigns Continue
Despite the increase in cryptojacking attacks, ransomware still poses a major risk. And GandCrab remains one of the most commonly seen strains of ransomware, helped by the gang’s partnership and distribution agreements (see: GandCrab Ransomware Partners With Crypter Service).
“GandCrab has been particularly aggressive throughout 2018,” says Raj Samani, chief scientist at McAfee.
“The rapid spread of GandCrab has been helped along by a ransomware-as-a-service scheme, which offers on the dark web to wannabee criminals with little to no technical expertise a toolkit for launching quick and easy malware attacks, in exchange for a 30 percent cut from each ransom payment,” Europol says (see: Ransomware: No Longer Sexy, But Still Devastating).
5 Essential Defenses
To help avoid becoming a victim of any type of ransomware, Europol offers these recommendations:
- Always keep a copy of your most important files somewhere else: in the cloud, on another drive, on a memory stick or on another computer.
- Use reliable and up-to-date anti-virus software.
- Never download programs from suspicious sources.
- Never open attachments in emails from unknown senders, even if they look important and credible.
- If you are a victim, don’t pay the ransom.
Based Blockchain Network