FacebookTwitterLinkedIn

GandCrab Hackers show some Heart

GandCrab Hackers show some Heart

Syria was at one stage known for being one of the birthplaces of human civilization. Recently the beleaguered nation is more known for the terrible civil war. As of April 2018, more than 465,000 Syrians have been killed in the fighting, over a million injured, and over 12 million, that being half the country's pre-war population, have been displaced. Many would feel that Syrians been targeted in hacking campaigns would be worse than a kick to the teeth, given the struggle for survival faced by many. Fortunately, some hackers feel the same. In a post to an underground hacking and cybercrime forum, the GandCrab developers have released the decryption keys for Syrian victims.

The developers of GandCrab seem to have responded to a tweet in which a Syrian victim asked for help after photos of his deceased children were encrypted. After seeing the tweet, the hackers announced via a forum that they have released the keys for all Syrian victims. They also mentioned that it was a mistake not to exclude Syria for the list of targeted countries.

In the post, the developers attached a .zip file that contains the released decryption keys for Syrian victims. This zip file contains the readme.txt and SY_keys.txt files. Added to this the readme.txt file contains information on how the keys are organized as well as a reasoning as to why the keys have been released. The contents of the readme.txt file are in Russian, however, Lawrence Abrams of Bleeping Computer included a translation in his article on the matter. The translation reads as follows:

GandCrab for help SY people.

For antiviruses:
Decryptor to develop independently for each version.
We believe in the "power" of Bitdefender, since they all promise the decryptor constantly, and it is not yet ready, but now it is being developed and will soon be ready. Without keys, true. We would very much like the decryptor to be written by Kaspersky or Eset.
The most important thing is not to indicate that he will help everyone. He will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries.
We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.
Whose keys are not (only for citizens of Syria and the CIS, Ukraine including) - you need to come to us and take a picture of yourself with a passport and payment page. After that, we will issue a decryptor for free.
This is indicated just in case any clever people patch the file so that it works everywhere. Hi, Polish kurvy.
As for other countries - we will not share the keys, even if we are closed someday. We will remove them. It is necessary to resume the punitive process in respect of some countries.
Let me remind you that you can only decrypt using our keys that are stored on our server. We issue them only after payment. There are no other miracle ways.

With love from crabs, representatives of different countries, religions, beliefs, and beliefs.
With the support of the forum xss.is (ex. Damagelab)

Interestingly for Syrian victims not on the released list, they are to provide the developers with a picture of themselves, their passport, and the ransom note as it appears on their PC. Despite this gesture of goodwill to the Syrian victims providing pictures of your passport to unknown entities online is an unwise move. While the developers do not wish to further make the lives of Syrians more of a misery, victims of other countries will not receive the decryption keys. The hackers in their forum post showed no sympathy for other victims and stated categorically that they will never release those keys and will delete them when they shut down GandCrab.

gandcrab unlock syria victims files

Goodwill appears to go only so far these days as despite the keys been released a decrypter needs to be developed to utilize the keys. So until a security firm or researcher gets round to developing such a decryptor, the Syrian victims will not be able to access their encrypted files till such a tool is developed. For those victims, the display of “goodwill” by the developers of GandCrab is all but useless.

Hackers with a heart are still Hackers

While some will take solace in the fact that hackers are still humans capable of some compassion, it is important to remember that what many do is commit crimes for a quick payday. In this instance, the hackers behind GandCrab are no different. GandCrab is a rapidly evolving piece of malware and is constantly been updated in an effort to plug security holes and make reverse engineering the malware to make it easier to detect and neutralize more difficult.

In a blog post security researchers at McAfee revealed that the latest version of GandCrab incorporates a crypter. A crypter is a tool which greatly increases the malware’s ability to remain undetected. Rather than change the signature of malware itself, crypters rely on code obfuscation which aims to use different delivery methods to circumvent antivirus protections. A crypter will encrypt elements of malware, or the whole package, to bar access to signatures which help security products detect the malware.

GandCrab now employs the crypter services of NTCrypt. The crypter is advertised online as “a fully NT-based crypter with a unique injection method that will guarantee a high execution rate, unlike other crypters that rely on traditional and overused methods to achieve payload execution.” This all for the low price of between 950 and 1600 USD. The developers of GandCrab seem to have fallen for the sales pitch and now NTCrypt counts GandCrab as one of its high profile clients and using this to drum up more business amongst other cybercriminals.

While the developers of GandCrab showed some compassion in releasing keys, useless till a decrypter is developed, it is more than apparent that swindling users is still their modus operandi.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal