GandCrab Ransomware V2 Released With New .Crab Extension [source: bleepingcomputer]

26 Apr 2018

No Comments

1584

Last week, security firm Bitdefender, the Romanian Police, and Europol allegedly gained access to the GandCrab Ransomware’s Command & Control servers, which allowed them to recover some of the victim’s decryption keys. This allowed Bitdefender to release a tool that could decrypt some victim’s files.

After this breach, the GandCrab developers stated that they would release a second version of GandCrab that included a more secure command & control server in order to prevent a similar compromise in the future.

Yesterday, MalwareHunterTeam discovered that GandCrab version 2 was released, which contains changes that supposedly make it more secure and allow us to differentiate it from the original version. In this article we will provide a quick overview as to what has changed and how you can identify that you are are infected with the GandCrab Ransomware.

Unfortunately, at this time, victims of GandCrab v2 cannot decrypt their files for free. As always if you wish to discuss this ransomware or receive help with it, you can use our GandCrab Help & Support topic.

So what has changed in GandCrab v2?

In the backend, the biggest change are the hostnames for the ransomware’s Command & Control servers. The new hostnames are politiaromana.bit, in honor of the Romanian Police who assisted in recovering decryption keys from the original version, malwarehunterteam.bit, in honor of security researcher MalwareHunterTeam, and finally gdcb.bit. These Command & Control servers need to be accessed before the ransomware will encrypt a computer. For information on how GandCrab resolves these hostnames, please see our original article.

Other noticeable changes are the extension used for encrypted files and the ransom note names. With this version of GandCrab, encrypted files will now have the .CRAB extension appended to the file’s name. For example, test.jpg will be encrypted and renamed to test.jpg.CRAB.

For more, click here.