We have followed the exploits of the GandCrab operators with keen interest on this platform. We covered how Bitdefender and Europol worked together to develop and release a decryptor for GandCrab versions 1 (GDCB extension), 4 (KRAB extension), and 5 (random 10-character extension); however, none existed for version 5.2. We also covered how the operators of GandCrab were offering their ransomware as a service, which resulted in the ransomware being distributed via a sextortion scam. We have seen a mix of good news and bad news in combatting the ransomware, but today's news will definitely be considered good by the general public. On June 17, Bogdan Botezatu, a security researcher with Bitdefender, announced via Twitter that a decryptor for v5.2 had been released as a free tool to the public and could be used by any victim suffering from such an infection.
In a subsequent report published by Bitdefender and Botezatu, more information has been provided about the ransomware. Importantly, the report also includes a link to download the decryption tool. It is hard to believe that the security firm first detected GandCrab on January 28, 2018. Since then the operators have grabbed numerous headlines as a result of their exploits. The operators, known to try to provoke responses from researchers, claim to have made over 2 billion USD infecting victims and selling their services on hacker forums.
This is more than likely, almost certainly, an exaggeration. Even so, the ransomware had been detected by Bitdefender several million times, with an estimated 1.5 million victims across the globe. Further, the ransomware variant was estimated to have gained 50 percent of the ransomware market share.
The report included other interesting but shocking stats about the group behind the ransomware's distribution and subsequent business. While it is believed that the operators began operations from inside one of the old Soviet Bloc era countries, they reached a truly global audience. When the decision was made to begin selling the ransomware as a service on underground markets to affiliates, those affiliates subsequently gave 40% of their profit to the original GandCrab developers. This helped contribute to the diverse infection vectors seen distributing GandCrab: from sextortion scams, to hackers looking to infect as many computers as possible, to even a more subtle approach where the ransomware was deployed after access to a system was gained using the Fallout exploit kit. In offering their ransomware as a service, the developers looked not only to provide updated malware but also to "help" the victims as much as possible. These "helpful" services included a chat service for victims to contact the affiliates to negotiate discounts, extend the payment deadline, or ask for help exchanging fiat money into digital currency. Further, payments were also scaled according to the perceived means of the target. According to Bitdefender,
“Not all victims are treated equally: GandCrab prioritizes ransomed information and sets individual pricing by type of victim. An average computer costs from $600 and $2,000 to decrypt and a server decryption costs $10,000 and more. While helping victims with decryption, we’ve seen ransom notes asking for as much as $700,000, which is quite a price for one wrong click.”
Enough to retire, really?
Before the decryptor for v5.2 was released, the operators of GandCrab made headlines once more by stating their intention to retire GandCrab. As was previously mentioned, the operators claimed the ransomware had made over 2 billion USD, with the operators themselves each netting 150 million USD, certainly more than enough to retire rather lavishly. This was all announced on the hacking forums they chose to sell their services on. One of the operators stated that,
“We are leaving for a well-deserved retirement... we proved that in a year you can earn money for a lifetime. We have proved that it is possible to become number one not in our own words, but in recognition of other people,”
in a perhaps less than humble notice of retirement. Lawrence Abrams of BleepingComputer, who specializes in ransomware, stated,
"These lofty claims are not surprising, as the developers of GandCrab have always been jokesters and have engaged security researchers in ways most malware developers do not…Using taunts, jokes, and references to organizations and researchers in their code, it was obvious that the GandCrab developers were monitoring us as much as we were monitoring them and got a big kick out of it."
While the total amount netted by the operators can be argued over, it is hard to argue with how successful the malware variant has been in its short tenure. It was hard to combat given that the ransomware went through multiple versions, each an attempt to improve on the last. Its ability to infect computers and encrypt files was further bolstered by being used with exploit kits. The emergence of GandCrab placed ransomware once again on the malware threat map at a time when cryptominers had become the weapon of choice. Further, the ransomware prompted Europol, Bitdefender, and other law enforcement agencies to work together to help prevent further infections. In total, it was estimated that the decryptor tools developed in partnership helped prevent a further 18 million USD in losses suffered by victims. All things considered, the operators behind GandCrab have left an undeniable mark on the malware threat landscape. Even if they retire, the tactics they employed will be copied by other hackers and cyber-criminal organizations for years to come. An infamous legacy, but a legacy nonetheless.