Nomoreransom launches fourth decryption tool to counter GandCrab

A new and improved update counters versions one and four and versions five to 5.2 of the ransomware

A new decryption tool for the latest version of ransomware GandCrab has been released by nomoreransom, the free cross-border anti cyber-crime initiative.

"The decryption tool counters versions one and four and versions five to 5.2, which are the latest to be used by cyber-criminals," said the Europol announcement. Nomoreransom, a joint effort by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cyber-crime Centre and McAfee, helps victims of ransomware retrieve their encrypted data without having to pay the criminals.

"Immediately after we published the earlier decryptors, the criminals would update by changing a few keys," a Bitdefender executive told SC Media UK. "The one that we launched today can decrypt all versions of GandCrab encryptors."

More than 100 successful decryptions happened within the first five hours of the launch, said the executive. The number is expected to grow as the news about the solutions spreads in tech circles, the executive added.

This could be the final nail in the coffin of this ransomware chain. The GandCrab developers announced earlier this month that they are retiring after collecting US$ 2 billion (£0.5 billion) in ransomware payments and personally earning more than US$ 150 million (£133 million).

"That’s what they have stated," said the Bitdefender executive. "We cannot confirm what their intentions are."

Previous decryptors for the GandCrab ransomware have helped more than 30,000 victims recover their data and save close to £40 million in unpaid ransoms, said the international policing agency.

"Most importantly, the joint efforts have weakened the operators’ position on the market and have led to the demise and shutdown of the operation by law enforcement. This shutdown was a global law enforcement effort supported by Bitdefender and McAfee," said the Europol announcement.

"The previous tool has already been downloaded over 400,000 times, helping nearly 10,000 victims save more than US$ 5 million (£43.9 million) in decryption fees," said Bitdefender in its announcement about the earlier version in February 2019.

"Set as a ransomware-as-a-service licensing model, distributors could buy the ransomware on dark web markets and spread it among their victims. In exchange, they would pay 40 percent of their profit to the GandCrab developers and keep 60 percent for themselves," said the Europol announcement.

Tech bloggers and security experts have pointed out that the operators managed to extort the money by hacking laptops and computers and holding important documents and files to ransom. The file-locking malware is believed to have infected more than half a million victims by December 2018 since it was first detected in January last year, according to a Europol announcement.

"Though ransomware has steadily declined from its 2017 heyday, GandCrab was the most broadly disseminated ransomware family in 2018-2019, taking up 64 percent of such attacks," said cyber-security company Cofense in its report, 2019 Phishing Threats and Malware Review.

"GandCrab is distributed via multiple spreading vectors, which include spam emails, exploit kits and other affiliated malware campaigns. GrandSoft and RIG are the two most commonly used exploit kits for distributing GandCrab along with the high number of malicious spam emails," said cyber-security company Acronis in its report.

Not all victims are treated equally, said Bogdan Botezatu, senior e-threat analyst at Bitdefender, in his blog post announcing the launch of the latest version. "GandCrab prioritises ransomed information and sets individual pricing by type of victim. An average computer costs from US$ 600 to US$ 2,000 (£500 to £1,50) to decrypt, and a server decryption costs US$ 10,000 (£8,000) and more. While helping victims with decryption, we’ve seen ransom notes asking for as much as US$ 700,000, (£5505,00510) which is quite a price for one wrong click," he said.

"The GandCrab operators recently claimed that they have extorted more than US$ 2 billion (£1.5 billion) from victims. It is likely that they subjected over 1.5 million victims all over the world to this ransomware," the latest Europol announcement said.

American software company Symantec prescribes strict segregation of networks as a countermeasure, in its assessment report for GandCrab. "If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied."

"When dealing with ransomware, prevention is key," said Botezatu. "Once your system gets encrypted, chances of decryption are thin, despite the industry’s efforts to bring your data back."
