On July 15th the FBI, in partnership with global contributors, released a decryptor for the Gandcrab ransomware. The decryptor for Gandcrab and can be downloaded at nomoreransom.org (we should also note that other more obscure ransomware have decryptors available on that site). The FBI Flash adds, “The collaborative efforts further identified the master decryption keys for all new versions of GandCrab introduced since July 2018. The FBI is releasing the master keys in order to facilitate the development of additional decryption tools.”
The FBI provided the following description of GandCrab:
“GandCrab operates using a ransomware-as-a-service (RaaS) business model, selling the right to distribute the malware to affiliates in exchange for 40% of the ransoms. GandCrab was first observed in January 2018 infecting South Korean companies, but GandCrab campaigns quickly expanded globally to include US victims in early 2018, impacting at least 8 critical infrastructure sectors. As a result, GandCrab rapidly rose to become the most prominent affiliate-based ransomware, and was estimated to hold 50% of the ransomware market share by mid-2018. Experts estimate GandCrab infected over 500,000 victims worldwide, causing losses in excess of $300 million.”
We send this as a FLASH alert due to the value it provides our customers in a pre-threat context. The release of this decryptor enables organizations to be proactive in their security and to get ahead of the threat.
Due to the “as-a-service” nature of this ransomware, no organization is exempt from being targeted or impacted. We recommend that organizations either obtain the decryptor and store it in a secure location – such as a thumb drive – or document the website where it is available and ensure it is available in the event of a ransomware attack.
IMPACT AND REMEDIATION
Should you be infected by Gandcrab Ransomware, applying the decryptor key will enable you to decrypt your files without having to pay the ransom, restore from backups, or lose your data altogether.
SECURITY ON-DEMAND ACTIONS
We are actively monitoring for any indications of an attack against or infection of our customers by this ransomware and many others.
Sources
FBI Flash MC-000105-MW
NoMoreRansom.org
About Security On-Demand’s Threat Reconnaissance Unit
This Threat Assessment Report is being provided to you as a service of Security On-Demand’s Threat Reconnaissance Unit or “TRU”. The mission of SOD’s Threat Recon Unit is to provide market education, “pre-threat” posture recommendations, intelligence gathering/correlation, and analysis of attack trends that impact businesses worldwide.
About the Author
Steven Bay spent 12 years at the National Security Agency as a cyber-intelligence analyst. After the NSA he has worked across the private sector providing cybersecurity services as a consultant, CISO, and designing and building security programs and conducting incident response on some of the nation’s largest data breaches. He is currently the Director of the Threat Reconnaissance Unit at Security On-Demand.
