Last week, security firm Bitdefender, the Romanian Police, and Europol allegedly gained access to the GandCrab Ransomware’s Command & Control servers, which allowed them to recover some of the victim’s decryption keys. This allowed Bitdefender to release a tool that could decrypt some victim’s files.
After this breach, the GandCrab developers stated that they would release a second version of GandCrab that included a more secure command & control server in order to prevent a similar compromise in the future.
Yesterday, MalwareHunterTeam discovered that GandCrab version 2 was released, which contains changes that supposedly make it more secure and allow us to differentiate it from the original version. In this article we will provide a quick overview as to what has changed and how you can identify that you are are infected with the GandCrab Ransomware.
Unfortunately, at this time, victims of GandCrab v2 cannot decrypt their files for free. As always if you wish to discuss this ransomware or receive help with it, you can use our GandCrab Help & Support topic.
So what has changed in GandCrab v2?
In the backend, the biggest change are the hostnames for the ransomware’s Command & Control servers. The new hostnames are politiaromana.bit, in honor of the Romanian Police who assisted in recovering decryption keys from the original version, malwarehunterteam.bit, in honor of security researcher MalwareHunterTeam, and finally gdcb.bit. These Command & Control servers need to be accessed before the ransomware will encrypt a computer. For information on how GandCrab resolves these hostnames, please see our original article.
Other noticeable changes are the extension used for encrypted files and the ransom note names. With this version of GandCrab, encrypted files will now have the .CRAB extension appended to the file’s name. For example, test.jpg will be encrypted and renamed to test.jpg.CRAB.
Another change is the ransom note name and it’s contents. The new note name is CRAB-Decrypt.txtand now includes instructions on contacting the devs through the Tox instant messaging service.
Finally, the TOR Payment Page for GandCrab v2 has had an overhaul. The new site has a different layout and different instructions for the victim. Personally, I feel the original layout was more aesthetically designed.
As previously stated, unfortunately this decryption is currently secure and there is no way for victim’s to decrypt their files for free. If anything changes, we will be sure to let everyone know.
To read the original article: