On June 17th, 2019 the FBI, working alongside eight European law enforcement agencies, released the master decryption keys for GandCrab malware versions 4.5-5.2. GandCrab is a ransomware-as-a-service (RaaS) product sold to clients wishing to infect and encrypt a victim’s files until a ransom is paid. First seen in January 2018, the service has become a resounding success. It was the most popular ransomware in 2018 and had cornered 50% of the market share within the ransomware industry. Claiming to have netted over 1 billion dollars in payments, the authors behind GandCrab are thought to have infected over 500,000 victims world-wide.

The release of the master decryption keys came weeks after authors of GandCrab issued a notice stating that the service was being shut down. Victims were warned that any outstanding ransoms must be paid within 20 days, otherwise decryption keys would be deleted and all encrypted files could not be recovered. In response the FBI released the decryption keys so that institutions plagued by the malware could create decryption tools to recover infected data. In addition, Bitdefender released a free decryptor tool used for recovering affected files. Despite the retirement notice, sources suggest the criminals behind GandCrab are continuing their ransomware development.

Is GandCrab Still Active?

Much of the success enjoyed by the authors of GandCrab is due to the relentless innovation of code used to evade anti-virus programs, as well as provide new features for continued product development. A day after Bitdefender released their decryption tool, GandCrab authors provided an update that would render the tool ineffective. Recent posts on well-known hacker forums have issued requests for professionals to start a new RaaS program. Although the details of the program were not divulged, organizers of the new program issued a prohibition of using the tool within the Commonwealth of Independent States (CIS). Countries within CIS include Armenia, Belarus, Kazakhstan, Turkmenistan, Uzebistan, Molodova, Tajikistan, Ukraine, and Russia.

In April of this year, new ransomware named Sodinokibi utilized GandCrab as an attack vector. Attackers used a weakness in an Oracle application to break into the device, install the GandCrab malware, and proceed to encrypt all files on the system. Researchers noticed the code base has changed significantly between Sodinokibi and GandCrab, but many similarities between the two remain. The ability for criminals to modify code and utilize GandCrab in numerous ways allows for the mutation of ransomware strains.

How Can My Company Respond?

Attackers routinely respond to the efforts made by security researchers, whose job is to thwart malware propagation, by modifying their code and attack methods. In doing so hackers will communicate online to recruit members and share the results of their attack campaigns. Companies must take every measure to ensure that vulnerabilities are patched, and that open source techniques are used to understand the threat landscape. In the event of a data breach an incidence response plan must be in place, helping to contain the propagation of malware and make certain backups of critical data are in place to resume business activity. For more information on how to perform a thorough evaluation why your organization needs more than a VA scan, please contact us.