GandCrab Ransomware Vaccine Developed by AhnLab

July 21, 2018


GandCrab ransomware is currently the most frequently used ransomware variant, and although there is still no free decryptor for it, there is now a vaccine that can prevent GandCrab attacks from succeeding.

This is certainly good news, but the vaccine only works against version 4.1.2 of the ransomware, the variant currently used in most attacks. Version 4.1.2 was released just two days after version 4. The latest version includes the NSA's EternalBlue exploit, which was expected to let the ransomware spread laterally and infect other networked devices, although according to Fortinet that functionality does not appear to be active.

At this stage, the vaccine will not prevent encryption by earlier versions of the ransomware. It is also likely that the ransomware's authors will respond by releasing a new variant with changes that render the vaccine ineffective.

The vaccine was created by the South Korean cybersecurity company AhnLab. To prevent file encryption, a file is created on the computer that stops the encryption routine from running. The latest version of the ransomware checks for the existence of this file before starting the encryption routine; if the file is present, the ransomware exits.

The file is named using a hexadecimal string with the extension .lock and is stored in the C:\ProgramData directory on Windows 7, 8, and 10, and in the C:\Documents and Settings\All Users\Application Data folder on Windows XP. The hexadecimal string is derived from the volume information of the root directory using a custom Salsa20 algorithm.

Before encrypting files, version 4.1.2 of GandCrab checks whether the computer has already been infected. Without this check, already-encrypted files could be encrypted a second time, preventing the victim from recovering their files even if the ransom is paid.

If the file exists in the expected location, GandCrab is tricked into terminating because it believes the computer has already been infected.