Infamous ransomware GandCrab could finally be on the way out, after white hats released yet another updated decryptor tool designed to help victims to get their data back.
In partnership with various law enforcement agencies including Europol, the Metropolitan Police, the FBI and NCA, Bitdefender has released the latest in a string of tools which it claimed has saved tens of thousands of organizations $50m in unpaid ransom money.
This effectively neutralizes every version of the ransomware-as-a-service offering up to and including the latest, v5.2. It can be downloaded from the No More Ransom project.
Although the ransomware rose to claim a 50% market share in August 2018, these efforts have done much to limit its appeal on the cybercrime underground.
“The three decryptors released in collaboration with partner law enforcement agencies – and particularly the GandCrab decryptor for version 5.1 – compelled GandCrab affiliates to shrink their business to avoid unnecessary costs,” claimed Bitdefender senior threat analyst, Bogdan Botezatu.
“For instance, in February 2019, after the release of the decryptor for version 5.1, affiliates kept pushing decryptable versions of the malware for more than a week, allowing fresh victims to decrypt their data for free. As of March 2019, GandCrab’s market share has shrunk back to 30%, with almost one in three infections tied to the group.”
GandCrab differs from many of its counterparts in that it’s offered via an affiliate model: distributors effectively purchase a license to spread the malware, keeping most of the profits themselves but sharing 40% with the original developers.
It’s a model that has served those ransomware authors well: a few weeks ago they published a statement claiming to have generated $2bn from their endeavors over the past year, personally netting $150m.
In the same note they claimed to be retiring, and stopped distribution partners from accessing the latest version of the ransomware.
This could spell the end for GandCrab, but it won’t be the end of the ransomware threat for businesses.
Botezatu claimed his firm sees 12 new ransomware strains each month, of which only around 10% are decryptable.