2025-01-15 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
On January 28, 2018, our analysts noticed a small dot on the Bitdefender threat map. It was one of the millions of dots we see on the map every day, but this one marked the birth of a new ransomware family that would cause great suffering to innocent victims around the world. The same event would repeat at least 50000 times the following month and millions of times the following year. The family was later named "GandCrab".
The ransomware family most likely operates out of the former Soviet Union, and by August 2018 it accounted for more than 50% of the ransomware market. GandCrab is sold as ransomware-as-a-service to affiliates on underground markets; the affiliates are responsible for infecting victims and extorting money from them. In exchange, the affiliates hand over 40% of their profits to the original GandCrab developers. This arrangement encourages a diversified distribution system: some affiliates deliver the payload themselves, while others infect victims through exploit kits or through remote access to corporate computers.
At Bitdefender, we watched those dots closely and spared no effort to provide decryption tools for the unfortunate people who crossed paths with the GandCrab team. Working with partner law enforcement agencies, including Europol, the Romanian Police, DIICOT, the FBI, the NCA and the Metropolitan Police, as well as the French and Bulgarian police, we released several decryption tools that help GandCrab victims recover their data free of charge.
The decryption tools released by Bitdefender have been used successfully more than 30000 times and have saved victims about $50 million in unpaid ransoms. Most importantly, they help us weaken ransomware operators by cutting off their monetization mechanism and by building confidence among new victims, who would rather wait for a new decryptor than give in to ransom demands.
In more than a year of operation, GandCrab claims to have infected more than 1.5 million victims worldwide, both home users and companies. GandCrab operators and affiliates recently boasted on private underground forums that the team behind the malware had extorted more than $2 billion from victims.
Although this figure is clearly exaggerated, GandCrab was profitable enough for its owners to retire. According to the same announcement, the GandCrab team has cut off affiliates' access to new versions of the malware and urged them to prepare for an imminent shutdown. After the shutdown, all keys will be deleted, making it impossible for victims to recover their data even if they do pay the ransom.
[Image: GandCrab shutdown announcement. Photo courtesy of bleepingcomputer.com]
Fortunately, we have released an update to the tool that neutralizes the latest versions of GandCrab, including version 5.2. The tool is available immediately and can be downloaded for free below or from the No More Ransom project.
Facts and data about GandCrab
Since it appeared in January 2018, GandCrab has quickly become the tool of choice for affiliate-based ransomware. It is most likely based in the former Soviet Union, and its operators and affiliates target victims around the world, with the exception of Russian-speaking countries and a few other countries where victims are unable to pay (such as Syria). In less than a year, GandCrab became the most widespread ransomware in the world, accounting for half of all ransomware infections.
One of GandCrab's main advantages over other ransomware families is its ransomware-as-a-service licensing model, in which distributors buy and distribute the malware and split the ransom with the original developers. The affiliate keeps 60%, and the rest goes to the developer. This separation of responsibilities lets the developers improve the code and add new features (such as anti-virus evasion techniques) while the distributors focus on delivering the malware and collecting payment from victims.
The GandCrab operation also introduced new features, such as a chat service through which victims can contact the affiliates to negotiate discounts, extend payment deadlines or get help converting fiat money into digital currency.
Besides serving as a communication bridge with victims, the chat also has a "secret" section that offers discounts to those who negotiate on behalf of victims, so that the ransom payment can be disguised as a customer's "data recovery fee".
Not all victims are treated equally: GandCrab tailors its ransom notes and sets individual prices based on the type of victim. The average price to decrypt a computer ranges from $600 to $2000, while decrypting a server costs $10000 or more. While helping victims decrypt, we have seen ransom notes demanding as much as $700000, a considerable price for one wrong click.
Three decryptors released in cooperation with partner law enforcement agencies, particularly the GandCrab version 5.1 decryptor, forced GandCrab affiliates to scale back their operations to avoid unnecessary costs. For example, in February 2019, after the release of the version 5.1 decryptor, affiliates kept pushing decryptable versions of the malware for more than a week, which allowed new victims to decrypt their data for free. As of March 2019, GandCrab's market share had shrunk to 30 per cent, with almost 1/3 of infections linked to the group.
How to stay safe
Ransomware decryption is a delicate matter because malware authors use the same cryptography that protects people's bank transactions, communications and online interactions. Encrypting is easy, but decrypting without the key is almost impossible. Every month, Bitdefender sees 12 new ransomware families, which means that cyber criminals launch more than 140 new families each year. Of these, nearly 10% can be decrypted, either by exploiting flaws in the ransomware's code or through cooperation with law enforcement agencies.
When dealing with ransomware, prevention is key. Once your system is encrypted, the chance of decryption is small despite the industry's efforts to recover your data. Here are some tips to help you prevent ransomware and minimize the amount of money flowing to cybercrime operators:
1. Run a powerful security solution. If you already have a security solution installed, make sure it uses a variety of technologies to defend against ransomware. Behavior-based detection, machine-learning heuristics and ransomware remediation are the key technologies for detecting and blocking ransomware. If you do not have one installed, please download Bitdefender.
2. Make frequent backups on offline media. In the event of a disaster, a backup is an extremely effective way to prevent data loss. Get a portable hard drive and diligently back up important data as soon as it is created. Do not leave the drive connected longer than the backup takes, because most ransomware also encrypts data on connected removable drives and network shares.
3. If everything else fails, do not pay the ransom. Ransom payments allow criminals to thrive and develop more malware. If your system is infected, back up the affected data and notify the police immediately. Although they may not be able to help you decrypt right away, they will record the incident and start working with partner private cyber security companies on the problem.