GandCrab Ransomware Finds a New Shell

Ransomware actors are increasing their development agility week by week, as evidenced by the GandCrab ransomware. According to Check Point, this well-known malware has gotten around a free decryption tool meant to dull its claws.

GandCrab is distributed on the dark web, is probably Russian in origin and targets mainly English-speaking countries, according to Check Point researchers. It’s relatively virulent, having infected over 50,000 victims and extorted an estimated $300,000 to $600,000 in ransom payments. More than 70% of victims are in the US and UK.

GandCrab spreads via the RIG and GrandSoft exploit kits, as well as via email spam. However, the secret to its propagation success lies in its "franchise" model: The GandCrab Affiliate Program pays participants who commit to a set of OPSEC rules 60% to 70% of the ransom revenue in return for full technical support. GandCrab has 80 active affiliates, the largest of which has distributed over 700 different samples of the malware during the past month, according to Check Point.

That said, GandCrab’s reign of terror looked to be at an end after a joint operation by Romanian police, Bitdefender and Europol was able to hack into the malware’s infrastructure, gathering the data that ultimately produced a tool allowing victims to decrypt their files for free.

“The decryption tool exploited a basic flaw in the ransomware code that gave access to the master server, enabling recovery of all of the encryption keys used in the malware,” Check Point researchers noted. “It’s the equivalent of someone locking you out of your house but leaving a spare key for you under the doormat. With this, it looked like ‘game over’ for GandCrab.”

But it wasn’t to be: Developers behind GandCrab quickly hit back with GandCrab 2, which fixes the critical encryption flaw that would have trivially allowed a universal decryptor.

Check Point pointed out that the GandCrab developer team could have fired the web developer and started afresh on a better-protected server; instead, they chose to patch the flaw and relaunch the malware, showcasing unprecedented agility.

“It seems that the GandCrab developers used an agile development process: They started by publishing the least well-built malware that could possibly work, and then have diligently improved it as they went along over a period of days – something that Check Point researchers have never seen in the wild,” the researchers noted.
