GandCrab: The Most Popular Multi-Million Dollar Ransomware of the Year
Update February 2019: Our collaboration with the Romanian Police, Europol and other law enforcement agencies has yielded another new decryptor for all GandCrab ransomware versions released since October. If you need to decrypt versions 1, 4, 5.0.1 through 5.1, then download and run our new tool linked below.
Ransomware has been around for years and has inflicted financial losses estimated in the billions of dollars. As one of the most lucrative types of malware, from a financial perspective, ransomware developers have invested considerable time, effort, and knowledge into perfecting both its delivery mechanisms and its capabilities.
Traditional ransomware families such as CryptoWall and CryptoLocker mostly focused on the average user and demanded payments ranging from $200 to $500 in the past, but ransomware developers figured they could significantly increase their profit if they targeted organizations and companies, which have significantly more valuable data, such as databases and intellectual property.
In late January 2018, GandCrab was potentially born from the need to further monetize encrypted data from organizations, by customizing ransom notes based on the victim’s profile and the type of encrypted data. Consequently, a GandCrab ransom demand could range from $600 to $700,000 per victim. This change in behavior likely led to a significant leap in revenue for cybercriminals, particularly since they started delivering it as-a-service.
GandCrab: The most Popular Ransomware of 2018
The GandCrab ransomware family emerged in late February 2018 and was quickly adopted by cybercriminals because it offered something no other ransomware family had offered before: custom ransom notes. While the average user would be reluctant to spend as much as $500 to get their data back, organizations and companies that manage client databases or have intellectual property on their servers would be far more interested in paying larger amounts of money.
Currently, the most prolific versions of GandCrab are versions 4 and 5, which are estimated to have infected around 500,000 victims worldwide, since July 2018. Considering the lowest ransom note is $600 and almost half of infected victims give in to ransomware, the developers might have made at least $300 million in the past couple of months alone. And actual financial losses could be significantly higher, considering that some victims have reported a ransom notes of $700,000.
With traditional ransomware, the victim – whether it be a hospital or a company – would have to contact the ransomware developer and negotiate a smaller fee to pay if they had a large number of endpoints infected. This process usually takes time.
Improvements brought on by GandCrab make the entire process more seamless, by adjusting the ransom note for each victim, based on the type of encrypted files. For example, if the infected server holds a large database, the ransom note will probably range in the thousands of dollars, but if the server holds less valuable information the ransom note could be as low as $600.
Another interesting aspect of GandCrab is the adoption of DASH as well as Bitcoin payments. DASH is basically a forked Bitcoin protocol that enables faster transactions that are untraceable. This made moving virtual currency around more secure and completely anonymous.
Interestingly, one of the most interesting features of the ransomware is that, when performing reconnaissance on the victim’s system, before actually starting to encrypt files, it will identify whether the keyboard layout is in Russian and will abort the entire process, effectively choosing not to infect Russian-speaking victims.
Also, before actually starting the encryption process, it will check whether there are processes that have locked handles for specific file types that GandCrab may want to encrypt. Basically, it will close all document viewers and editors, email clients, web browsers, database applications, and even game engines, before actually starting the encryption process. This process makes sure no files are missed and that every file of importance is encrypted.
While Bitdefender has successfully offered GandCrab victims that were infected with the first version of the ransomware (GandCrab V1) a free decryption tool to recover the lost data, ransomware developers quickly came up with new versions that fixed the encryption vulnerability exploited by Bitdefender security researchers to recover files.
Since the most prolific GandCrab ransomware versions are v4 and v5, Bitdefender has been actively working on and collaborating with law enforcement agencies including the Romanian Police, the Directorate for Investigating Organized Crime and Terrorism (DIICOT) and Europol, the FBI, and others, to create a decryption tool that can help victims recover their data. The new Bitdefender GandCrab Ransomware Recovery Tool can successfully decrypt files infected with v4 all the way to v5.0.3 of GandCrab.
After the release of the free Bitdefender GandCrab Ransomware Recovery Tool, more than 1,700 successful decryptions were registered within hours, essentially saving victims from paying a cumulative amount of over $1 million.
Victims that have fallen victim to GandCrab version 1, 4, and 5, and have managed to save an image of the affected system, can now download the free Bitdefender GandCrab Ransomware Recovery Tool and start recovering their data, immediately. Also, it’s vital for the original ransom note to be present for the decryption process to work.
Bitdefender Releases Free GandCrab Decryption Tool
Bitdefender released a decryption tool for recent versions of GandCrab, the world’s most prolific ransomware. Developed in a collaboration between Bitdefender, Europol, and Romanian Police, with support from the FBI and other law enforcement agencies, the tool lets victims around the world retrieve encrypted information without paying the hackers. Based on the number of decryptions registered by our tools, tens of millions of dollars’ worth of ransom may have been saved.
In the past 5 days the tool has successfully decrypted data belonging to over 1,700 unique users.
Popular GandCrab Infection Vectors
Interestingly, ransomware developers have also teamed up with botnet operators to either start planting ransomware on infected systems or use the botnet to spread emails with infected attachments. Using a shared revenue model, botnet operators could receive a percentage off the ransom paid by each victim, because they facilitated the service. This new monetization process of botnets and ransomware is not new, but it does show that cybercriminal groups can gang together for financial gain.
There have also been confirmed cases of GandCrab infections within organizations, where threat actors managed to bruteforce the domain password or a machine serving remote desktop protocol (RDP) within the organization, and manually executed the ransomware on specific machines. This practically allowed the threat actors to first perform reconnaissance on the machine to ascertain the value of the stored information and data, then customize the ransom note based on how critical the information was and the company’s profile.
While ransomware itself can generate substantial revenue for cybercriminals, ransomware developers started offering ransomware kits on demand, either to the highest bidder or to whomever was interested. Ransomware-as-a-service enables anyone, even those with no technical knowledge, to use ransomware and customize it based on their own specifications. Everything from the language in which the ransom note is written to the amount of money requested from each victim, can easily be customized by non-tech savvy users using a simple web-based interface provided by attackers.
Traditionally, ransomware developers would ask for an upfront payment when requesting a customized ransomware kit. Now, they’ve embraced a shared-revenue model that enables them to get 30% of the ransom note paid by each victim. This new affiliation-based business model makes the initial cost of purchasing “clients” low, and at the same time stimulates adoption.
Besides getting access to a highly user-friendly interface that allows for customized ransomware dissemination and “features”, ransomware developers also offer 24-hour support, call center assistance, documentation, and even tutorials on how to configure, deploy, and use the ransomware and the management console hosted on the command and control (C&C) server.
Sometimes, for a small price, they even rent access to botnets that can help disseminate the email messages with infected attachments. These aggregated services are usually part of the same ransomware-as-a-service offering, enabling affiliates to launch global ransomware campaigns with just a couple of clicks — no technical skills — and immediate distribution.
Steering Clear of Ransomware, Including GandCrab
To stay clear of ransomware, users are strongly encouraged to have all software, including operating systems, updated with the latest security patches, perform regular backups or critical data, and make sure they’re using a security solution that can fend off ransomware.
It’s also important to not give in to ransomware, as paying the ransom note will only serve to continue fueling cybercriminal activities, and there’s no guarantee the cybercriminal will actually give you the decryption key. Basically, you’ll be trusting a cybercriminal to keep his end of the bargain.
If you get infected, perform an image of the affected system and either treat the incident as a hardware failure or recover your data from a previous backup. Having an image of the encrypted files can prove beneficial, especially since ransomware decryption tools, such as the free Bitdefender GandCrab Ransomware Recovery Tool, are constantly updated by security researchers to help recover any lost files.
If you are infected by versions 2 or 3 of the ransomware, we kindly ask you to hang on and not pay the ransom! We’re still investigating ways to help recover the data and we will come back with an update once we have one.
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
July 21, 2021
How We Tracked a Threat Group Running an Active Cryptojacking Campaign
July 14, 2021
A Note from the Bitdefender Labs Team on Ransomware and Decryptors
May 26, 2021
New Nebulae Backdoor Linked with the NAIKON Group
April 28, 2021
Good riddance, GandCrab! We’re still fixing the mess you left behind.
June 17, 2019