Barkly vs Malware
Jonathan Crowe
Nov 2018

GandCrab Version 5.0.5 Scuttles Past Bitdefender Decryption Tool


The adoption of agile development practices has enabled the crooks behind GandCrab ransomware to shake off setbacks and issue new payload versions at an increasingly rapid pace.

On October 25, Romanian antivirus vendor Bitdefender made the welcome announcement that they had developed a decryption tool allowing victims of GandCrab ransomware to recover their files for free.

Just 24 hours later, the authors of GandCrab issued a new version of the ransomware that rendered the tool ineffective.

Such is the nature of the high-speed cat-and-mouse game criminals and security vendors are currently engaged in. 

As a result, security measures tailored to address specific versions of malware (think decryption tools and "vaccines" or kill switches), or particular malware samples (think signature matching used by traditional antivirus vendors) have been having shorter and shorter shelf lives. 

That's not to say decryption tools don't have value, or that they go unappreciated. According to Bitdefender, more than 1,700 victims have been able to utilize their free decryption tool to recover files encrypted by GandCrab, and avoid paying an estimated $1 million in ransom. 

That's a big achievement, and it underscores the importance of ransomware victims holding onto copies of their encrypted files, should a decryption tool ever be released.

Bitdefender's tool is actively helping previous GandCrab victims, and in turn that's helping to divert ransoms that might otherwise be flowing into the attackers' accounts. The upside here is significant and undeniable. The downside is it was trivial for GandCrab authors to issue a new version of the ransomware that rendered the tool ineffective. And now new victims are unfortunately in the same boat previous victims were in before the tool was released. 

GandCrab and Bitdefender have been down this road before


Figure: Timeline of major GandCrab updates since its discovery in January 2018.

This isn't the first time a decryption tool has been released for GandCrab. In February, Bitdefender provided a free tool in collaboration with the Romanian Police, DIICOT, and Europol after those law enforcement agencies were able to seize command-and-control servers used in early GandCrab operations. 

It took GandCrab authors a week to issue v2 of the ransomware, which rendered the decryption tool ineffective.

In July, South Korean security vendor AhnLab issued a "vaccine app" that took advantage of a check GandCrab v4.1.2 performed to avoid double-encrypting victim machines. Such checks are relatively common and typically involve looking for a file that indicates the machine the malware has landed on has already been infected. The AhnLab app added this file in advance, tricking GandCrab v4.1.2 and preventing it from running. 

Not only did GandCrab authors respond by releasing a new version within hours of the vaccine being shared, they also retaliated by including what they referred to as zero-day exploit code for AhnLab's security product in GandCrab versions 4.2.1 and 4.3. 

AhnLab later confirmed the code did cause a BSOD in their product, but it had very low chances of being executed. 

Rapid iteration beats static defenses — what businesses should focus on, instead

It's not enough to block malicious .exe's; modern endpoint protection needs to prevent payload delivery and block malicious behaviors in realtime, too.

GandCrab's authors have been refining their ability to turn on a dime all year. Their take on agile development is one reason their ransomware has become one of the most popular and prevalent threats in 2018.

As other attackers follow their lead, it's increasingly important for organizations to look beyond the traditional security cat-and-mouse game. It's no longer practical to rely on solutions that have to chase down and react to each new malware variant. That's a losing game that plays to the strength of today's malware developers. 

Instead, organizations need to prioritize investing in security that does three things:

  1. Utilize machine learning-powered protection models to more accurately detect and block malware without relying on signature matching. And because protection models are only as good as the data they're trained on, they need to be updated and retrained frequently. It's why Barkly trains its protection models against the latest malware samples on a nightly basis. As a result, Barkly's protection doesn't have to play catch-up. It's able to evolve at the pace of new threats. 

  2. Detect and block malicious activity on endpoints in realtime. Designing protection to block specific malware variants is ineffective because it's reactive. By the time protection is updated, attackers have already moved on to newer versions. But while making those new versions look different to security products is trivial, making them behave differently is not. Looks can be deceiving. Actions tell the truth. And the truth is the vast majority of malware relies on the same fundamental malicious behaviors. By developing rules that block those core behaviors in realtime, security products can tip the scales back in their favor and reframe protection as a winnable battle. 
  3. Keep malware off machines to begin with by blocking exploit attempts and feature abuse. What's better than blocking malware execution? Preventing attackers from gaining code execution and the ability to download payloads onto systems in the first place. The way they typically do that is by exploiting vulnerabilities or abusing otherwise legitimate features and functionality (think Office macros). By blocking those attempts, security solutions can prevent infections at the outset, reducing the number of security incidents IT teams have to respond to and removing the threat of future infections on compromised machines.  

Barkly combines each of these approaches to provide more comprehensive protection against GandCrab, blocking the following:

  • GandCrab delivery vectors: nipping infection attempts in the bud

  • GandCrab executables: so even if GandCrab does land on a machine, it won't be allowed to run 

  • GandCrab behavior: so even if a newly updated version of the ransomware does bypass detection, it still gets blocked before any damage is done  

Figure: Barkly blocks GandCrab delivery vectors as well as the GandCrab payloads themselves.


As a result, Barkly customers can rest easier knowing they're protected from one of 2018's most active and rapidly iterating threats.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.