Postal Police releases new decryption tool

As part of a complex investigation in which the Postal and Communications Police Service collaborated with Europol and counterpart European police forces, a new decryption tool has been developed and released. It is published free of charge on www.nomoreransom.org (the Europol portal dedicated to the subject and to cyber support) and makes it possible to recover files affected by the GandCrab ransomware.

The data recovery kit was developed by the Romanian police in collaboration with its counterparts in Bulgaria, France, Poland, the Netherlands, the United Kingdom and the United States and by the CNAIPIC of the Postal Communications Service, with the contribution of the security company Bitdefender and Europol.

The GandCrab campaign is one of the most aggressive malware attacks of recent months, having infected almost half a million victims since it was first detected in January 2018.

Once the ransomware detects a victim's computer and encrypts its files, it demands a ransom ranging from 300 to 6000 dollars. The ransom must be paid in virtual currencies known to make online transactions difficult to track, such as DASH and Bitcoin.

What we have developed is the most complete decryption tool available so far for this particular family of ransomware: it works for all but two existing versions of the malware (v.1, 4 and 5), regardless of the victim's geographical location.

A first decryption tool was already released on "No More Ransom" in February. Criminals subsequently released a second version of the GandCrab ransomware, this time with improved code that also included comments to provoke law enforcement and cyber security companies. A third version followed the day after.

Now in its fifth version, the malware continues to be updated at an aggressive pace. Its developers are constantly releasing new versions, with new and more sophisticated samples made available to bypass the countermeasures of cybersecurity service providers.

The rapid spread of GandCrab is due to a ransomware-as-a-service scheme, which offers on the dark web, even to aspiring cybercriminals with little or no technical experience, a toolkit to launch quick and easy malware attacks, in exchange for 30% of each ransom payment.

Victims of this ransomware campaign can visit www.nomoreransom.org where this new decryption tool is available for free.

The best strategy against ransomware campaigns, however, remains putting proper preventive procedures in place.

Useful tips:

  • Always keep a backup copy of your most important files on media outside your machine: in a cloud, on another memory unit, on a memory stick or on another computer.
  • Use reliable and up-to-date antivirus software.
  • Do not download programs from suspicious sources.
  • Do not open attachments in e-mails from unknown senders, even if they seem important and credible.
  • Do not pay the ransom requested: besides financing forms of cyber crime, paying offers no guarantee that the encrypted files will actually be decrypted.
