Last week, the Romanian Police and Europol obtained access to the GandCrab ransomware's C&C servers. This access made it possible to recover some victims' decryption keys and led to the release of a decryption tool that can recover some victims' files.
Soon after, the GandCrab cybercriminals stated that they would release a second version of GandCrab with a more secure C&C server, meaning a new threat would very soon be for sale on the Dark Web.
Two days ago, researchers discovered that GandCrab version 2 had been released; malware analysis revealed the changes that make it more secure against the kind of takedown the first version suffered.
Unfortunately, victims of GandCrab v2 cannot decrypt their files for free. But you can protect yourself against this threat:
If you are an individual: install a robust cybersecurity solution and keep your device protected with an antivirus for Windows or an antivirus for Mac, depending on which OS you run.
If you are a company: choose a robust cybersecurity solution that is implemented by cybersecurity specialists only after they have run advanced security tests against your company network, such as penetration tests and ethical hacking assessments. These checks must be repeated every year because cyber security threats evolve.
Changes in GandCrab v2
The most significant difference is in the hostnames used by the ransomware's C&C servers. The new hostnames are politiaromana.bit, in "honor" of the Romanian Police who assisted in recovering decryption keys from the original version, and gdcb.bit. These C&C servers must be reachable before the ransomware will encrypt a computer. Note that .bit is a Namecoin top-level domain that is not served by the regular public DNS, so lookups for these names from inside a network are themselves a useful indicator.
The extension used for encrypted files and the ransom note name have also changed. Encrypted files now carry the .CRAB extension.
CRAB Encrypted Files
The new ransom note is named CRAB-Decrypt.txt and now includes instructions on contacting the developers through the Tox instant messaging service.
GandCrab V2 Ransom Note
The TOR Payment Page for GandCrab v2 has a different layout and different instructions for the victim.
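A small hunting script for the indicators listed above (the two .bit C&C hostnames, the .CRAB extension and the CRAB-Decrypt.txt note), added here as example code rather than anything from the original post; the resolver log format and the file tree it scans are constructed assumptions.

```python
# Hunting for the GandCrab v2 indicators: .CRAB files, CRAB-Decrypt.txt
# notes and DNS lookups for the .bit C&C names (example code, not the
# article's own; the log format and file tree below are constructed).
import os
import re
import tempfile

C2_HOSTS = {"politiaromana.bit", "gdcb.bit"}   # hostnames from the article
ENCRYPTED_EXT = ".crab"                        # compared case-insensitively
RANSOM_NOTE = "crab-decrypt.txt"
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<name>\S+)")  # assumed "<time> client=<ip> query=<name>"

def scan_dns_log(lines):
    """Map client IP -> C&C names it looked up (exact name or subdomain,
    case-insensitive, trailing dot of a fully-qualified name ignored)."""
    hits = {}
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name in C2_HOSTS or any(name.endswith("." + h) for h in C2_HOSTS):
            hits.setdefault(m.group("client"), []).append(name)
    return hits

def scan_tree(root):
    """Return (number of .CRAB files, list of ransom note paths) under root."""
    crab, notes = 0, []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ENCRYPTED_EXT):
                crab += 1
            elif f.lower() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, f))
    return crab, notes

def demo():
    """Scan a constructed resolver log and a constructed temp directory."""
    log = [
        "2018-03-08T10:00:01 client=10.0.0.5 query=www.example.com.",
        "2018-03-08T10:00:02 client=10.0.0.5 query=politiaromana.bit.",
        "2018-03-08T10:00:03 client=10.0.0.9 query=GDCB.BIT",
    ]
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.docx.CRAB", "photo.jpg.CRAB", "CRAB-Decrypt.txt"):
            open(os.path.join(docs, name), "w").close()   # empty stand-ins
        return (scan_dns_log(log),) + scan_tree(root)
```

In production the DNS part would read from your resolver or firewall logs and the file scan would run over user shares, where a sudden burst of .CRAB files is the earliest host-side signal.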
Because there is currently no way to decrypt files encrypted by this new version, GandCrab v2, please follow these rules:
– Backup your data every day
– Update OS and Apps as soon as updates are available
– Depending on which OS you are using, please install an antivirus for Windows or install an antivirus for Mac
– If you are a company, opt for a strong cybersecurity solution that is implemented by cybersecurity specialists only after they have run advanced security tests against your company network, such as penetration tests and ethical hacking assessments
– Use a secure web hosting service
Additional details about GandCrab v2
Sample hash: 966a0852c8adbea0b7b7aada7c2c851ee642c7bca7da3b29ee143f47ddeb90a5 (thanks to MalwareHunterTeam for finding it).
Ransom Note Contents:
—= GANDCRAB =—
All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser – https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[id]
5. Follow the instructions on this page
On our page, you will see instructions on payment and get the opportunity to decrypt 1 file for free.
If you can’t download TOR and use it, or in your country TOR blocked, read it:
1. Visit https://tox.chat/download.html
2. Download and install qTOX on your PC.
3. Open it, click “New Profile” and create a profile.
4. Search our contact – 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5
5. In message please write your ID and wait for our answer: 6361f798c4ba3647
Do not try to modify files or use your own private key – this will result in the loss of your data forever!