GandCrab Ransomware Vaccine Developed by AhnLab

GandCrab ransomware is now the most commonly used ransomware variant, and while there is currently no free decryptor for GandCrab ransomware, there is now a vaccine that can prevent GandCrab ransomware attacks from being successful.

While this is certainly good news, the vaccine only works for version 4.1.2 of the ransomware, the variant currently being used in widespread attacks. Version 4.1.2 was released just two days after version 4 of the ransomware. The latest version incorporates the NSA’s EternalBlue exploit, which was believed to allow the ransomware to spread laterally and infect other networked devices, although according to Fortinet, that function does not appear to be present.

At this stage the vaccine will not prevent encryption by earlier versions of the ransomware. It is also likely that the authors of the ransomware will respond and release a new variant with changes made to ensure the vaccine is not effective.

The vaccine was developed by the South Korean cybersecurity firm AhnLab. It works by creating a file on the computer that stops the encryption routine from running: the latest version of the ransomware checks for the presence of this file before starting encryption, and if the file is present, the ransomware exits.

The file is named with a hexadecimal string and given the extension .lock. It is saved in the C:\ProgramData directory on Windows 7, 8, and 10, and in the C:\Documents and Settings\All Users\Application Data folder on Windows XP. The hexadecimal string is generated from the volume information of the root directory using a custom Salsa20 algorithm.

Prior to encrypting files, Version 4.1.2 of GandCrab ransomware checks to determine whether a computer has already been infected. Without this check, the encrypted files could be re-encrypted, preventing the victim from recovering their files even if the ransom is paid.

If the file is present in the appropriate location, GandCrab ransomware is tricked into terminating as it believes the computer is already infected.
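The following is an added example, not AhnLab's vaccine or any code from the article: a small audit script a defender could use to confirm that a marker file of the kind described above is present on a machine. It only checks for a hexadecimal-named ".lock" file in the directory the article gives for each Windows version; it does not reproduce AhnLab's derivation of the file name from volume information and the custom Salsa20 routine, which the article does not detail, so the vaccine itself must still be used to create the file. The version labels, function names and the hex-name pattern are assumptions made for the example.

```python
"""Audit whether a GandCrab 4.1.2-style vaccine marker file is present.

Added example (not AhnLab's tool). It verifies only that a hexadecimal-named
".lock" file exists in the directory the article names for each Windows
version. It does NOT derive the file name (the article says AhnLab uses the
root volume information with a custom Salsa20 algorithm, without details).
"""
from __future__ import annotations

import re
from pathlib import Path

# Directories from the article, keyed by a Windows version label (assumed labels).
_MARKER_DIRS = {
    "xp": Path(r"C:\Documents and Settings\All Users\Application Data"),
    "7": Path(r"C:\ProgramData"),
    "8": Path(r"C:\ProgramData"),
    "10": Path(r"C:\ProgramData"),
}

# Assumed marker name shape: a run of hex digits followed by the ".lock" extension.
_HEX_LOCK = re.compile(r"^[0-9a-fA-F]+\.lock$")


def marker_directory(windows_version: str) -> Path:
    """Return the directory in which the marker file is expected for this Windows version."""
    key = windows_version.strip().lower()
    if key not in _MARKER_DIRS:
        raise ValueError(f"unsupported Windows version label: {windows_version!r}")
    return _MARKER_DIRS[key]


def is_hex_lock_marker(path: Path) -> bool:
    """True if the path is a regular file whose name looks like '<hex>.lock'."""
    return path.is_file() and _HEX_LOCK.match(path.name) is not None


def find_markers(directory: Path) -> list[Path]:
    """List candidate marker files directly inside the directory (non-recursive)."""
    if not directory.is_dir():
        return []
    return sorted(p for p in directory.iterdir() if is_hex_lock_marker(p))


def vaccine_present(directory: Path) -> bool:
    """True if at least one hex-named .lock marker exists in the directory."""
    return bool(find_markers(directory))


def audit(windows_version: str) -> dict:
    """Summarise the marker directory state as a report-friendly dictionary."""
    directory = marker_directory(windows_version)
    markers = find_markers(directory)
    return {
        "directory": str(directory),
        "markers": [m.name for m in markers],
        "present": bool(markers),
    }


if __name__ == "__main__":
    import json
    import platform

    try:
        # platform.release() yields "7", "10" or "XP" on those Windows versions.
        print(json.dumps(audit(platform.release()), indent=2))
    except ValueError as exc:
        print(f"not audited: {exc}")
```

Because the real marker name is machine-specific, the script reports every hex-named .lock file it finds rather than looking for a fixed name; a fleet check would compare the report against what the vaccine wrote on each host.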

The vaccine can be downloaded from AhnLab on this link.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news