GandCrab Ransomware Version 2 Released With New .Crab Extension & Other Changes


Last week, security firm Bitdefender, the Romanian Police, and Europol allegedly gained access to the GandCrab Ransomware’s Command & Control servers, which allowed them to recover some of the victims’ decryption keys. This allowed Bitdefender to release a tool that could decrypt some victims’ files.

After this breach, the GandCrab developers stated that they would release a second version of GandCrab that included a more secure command & control server in order to prevent a similar compromise in the future.

Yesterday, MalwareHunterTeam discovered that GandCrab version 2 was released, which contains changes that supposedly make it more secure and allow us to differentiate it from the original version. In this article we will provide a quick overview of what has changed and how you can identify that you are infected with the GandCrab Ransomware.

Unfortunately, at this time, victims of GandCrab v2 cannot decrypt their files for free. As always if you wish to discuss this ransomware or receive help with it, you can use our GandCrab Help & Support topic.

So what has changed in GandCrab v2?

In the backend, the biggest change is to the hostnames of the ransomware’s Command & Control servers. The new hostnames are politiaromana.bit, in honor of the Romanian Police who assisted in recovering decryption keys from the original version, malwarehunterteam.bit, in honor of security researcher MalwareHunterTeam, and finally gdcb.bit. These Command & Control servers need to be reachable before the ransomware will encrypt a computer. For information on how GandCrab resolves these hostnames, please see our original article.

Other noticeable changes are the extension used for encrypted files and the ransom note names. With this version of GandCrab, encrypted files will now have the .CRAB extension appended to the file’s name. For example, test.jpg will be encrypted and renamed to test.jpg.CRAB.

CRAB Encrypted Files

Another change is the ransom note’s name and its contents. The new note name is CRAB-Decrypt.txt, and it now includes instructions on contacting the developers through the Tox instant messaging service.

GandCrab V2 Ransom Note
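The three indicators above (the appended .CRAB extension, the CRAB-Decrypt.txt note, and the .bit Command & Control hostnames) are enough to build a simple host and DNS-log triage check. The script below is an added example written for this article, not code from BleepingComputer or from any vendor tool; the directory layout and the resolver log lines it scans are constructed samples, and the log format is an assumption.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the article: the appended extension, the ransom note
# name, and the three .bit C2 hostnames v2 must reach before encrypting.
CRAB_EXTENSION = ".CRAB"
RANSOM_NOTE = "CRAB-Decrypt.txt"
C2_HOSTNAMES = {"politiaromana.bit", "malwarehunterteam.bit", "gdcb.bit"}

def scan_tree(root):
    """Walk root and return (encrypted_files, ransom_notes) found beneath it."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.upper().endswith(CRAB_EXTENSION):   # e.g. test.jpg.CRAB
                encrypted.append(path)
            elif name.lower() == RANSOM_NOTE.lower():
                notes.append(path)
    return encrypted, notes

def find_c2_lookups(dns_log_lines):
    """Return log lines whose queried name is a v2 C2 hostname or a subdomain of one."""
    hits = []
    for line in dns_log_lines:
        for token in line.split():
            name = token.strip(".,;").lower()
            if name in C2_HOSTNAMES or any(name.endswith("." + c) for c in C2_HOSTNAMES):
                hits.append(line)
                break
    return hits

def build_demo_tree():
    """Constructed sample tree mimicking a host hit by GandCrab v2 (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="gandcrab_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "test.jpg.CRAB").write_bytes(b"\x00" * 16)
    (docs / "CRAB-Decrypt.txt").write_text("constructed placeholder note\n")
    (docs / "untouched.docx").write_bytes(b"PK")     # must not be flagged
    return str(root)

# Constructed DNS resolver log lines (assumed format), not real telemetry.
SAMPLE_DNS_LOG = [
    "2018-03-06 10:01:02 client 10.0.0.5 query: www.example.com IN A",
    "2018-03-06 10:01:07 client 10.0.0.5 query: politiaromana.bit IN A",
    "2018-03-06 10:01:09 client 10.0.0.5 query: gdcb.bit IN A",
]
```

Run scan_tree() against a suspect directory and find_c2_lookups() over your resolver's query log; build_demo_tree() only exists to exercise the checks on the constructed sample.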

Finally, the TOR Payment Page for GandCrab v2 has had an overhaul. The new site has a different layout and different instructions for the victim. Personally, I feel the original layout was more aesthetically designed.

Tor Payment Site Part 1
Tor Payment Site Part 2
Tor Payment Site Part 3
Tor Payment Site Part 4

As previously stated, unfortunately this ransomware’s encryption is currently secure and there is no way for victims to decrypt their files for free. If anything changes, we will be sure to let everyone know.

To read the original article:

https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/ 
