After its first version was cracked by security researchers, GandCrab ransomware has returned as version 2, with C&C servers that have so far resisted takedown and with improved ransomware capabilities.
GandCrab ransomware is a new ransomware-as-a-service that emerged on the dark web in early 2018. GandCrab was advertised on Russian-language hacking forums, and security researchers observed that its operators used the RIG and GrandSoft exploit kits to distribute the malware.
Among the advertised selling points of the GandCrab ransomware-as-a-service are a high percentage of proceeds for affiliates, technical support, regular updates, and a prohibition on using it against targets in Commonwealth of Independent States (CIS) countries.
In February 2018, security firm Bitdefender, the Romanian Police, and Europol reportedly gained access to the GandCrab ransomware's command-and-control servers, which allowed them to recover some victims' decryption keys.
In GandCrab V2, the hostnames of the ransomware's C&C servers have been changed to politiaromana.bit, malwarehunterteam.bit, and gdcb.bit, mocking the team behind the breach of the threat actors' original C&C servers.
Apart from the change of hostnames, GandCrab V2 now appends a .CRAB extension to the file name of each encrypted file. A ransom note with payment instructions is also dropped as a text file named CRAB-Decrypt.txt.
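The three indicators above (the .CRAB extension, the CRAB-Decrypt.txt note, and the .bit C&C hostnames) are enough for a simple host and DNS-log hunt. The script below is an added example written for this page, not code from the original article or from any vendor; it walks a directory tree for the file-based indicators and matches resolver log lines against the listed hostnames. The DNS log format (`client=<ip> query=<name>`) and the sample lines are constructed assumptions. It also goes slightly beyond the page: because .bit is a Namecoin namespace rather than an ICANN-delegated TLD, the matcher flags any .bit query, not only the three names the article lists.

```python
"""Hunt for the GandCrab V2 file and DNS indicators described in the article."""
import os
import re
import tempfile

# Indicators taken from the write-up above.
CRAB_EXT = ".crab"
NOTE_NAME = "CRAB-Decrypt.txt"
C2_HOSTS = {"politiaromana.bit", "malwarehunterteam.bit", "gdcb.bit"}


def scan_tree(root):
    """Walk `root` and return (encrypted_files, ransom_notes) that match the indicators."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(CRAB_EXT):
                encrypted.append(path)
            elif name == NOTE_NAME:
                notes.append(path)
    return sorted(encrypted), sorted(notes)


# Assumed (hypothetical) resolver log format: "<ts> client=<ip> query=<name> type=<rrtype>"
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def find_c2_lookups(log_lines):
    """Return (client, qname) pairs for queries hitting the listed C2 names or any .bit name."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        # .bit is a Namecoin namespace, not an ICANN TLD, so any .bit lookup reaching a
        # normal corporate resolver deserves attention even if it is not one of the three names.
        if qname in C2_HOSTS or qname.endswith(".bit"):
            hits.append((m.group("client"), qname))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "2018-03-06T10:12:01Z client=10.0.0.23 query=www.example.com. type=A",
    "2018-03-06T10:12:05Z client=10.0.0.23 query=gdcb.bit. type=A",
    "2018-03-06T10:12:09Z client=10.0.0.42 query=politiaromana.bit type=A",
    "2018-03-06T10:12:11Z client=10.0.0.42 query=updates.example.org. type=AAAA",
]


def demo():
    """Build a constructed directory tree, run both checks, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        # Two "encrypted" files, one untouched file, and one ransom note, all constructed.
        for name in ("report.docx.CRAB", "budget.xlsx.CRAB", "notes.txt", NOTE_NAME):
            with open(os.path.join(docs, name), "w") as fh:
                fh.write("constructed sample content\n")
        encrypted, notes = scan_tree(root)
        return {
            "encrypted_count": len(encrypted),
            "note_count": len(notes),
            "c2_lookups": find_c2_lookups(SAMPLE_DNS_LOG),
        }


if __name__ == "__main__":
    print(demo())
```

In practice you would point `scan_tree` at user profile and file-share roots and feed `find_c2_lookups` from the resolver's query log; a single .CRAB hit next to a CRAB-Decrypt.txt on the same host is a strong signal, while a .bit lookup alone is a lead to be confirmed against the host.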
The following image shows a screenshot of the ransom note:
The TOR payment site for GandCrab V2 has also changed considerably in both layout and payment procedure.
The security researchers who took down the first version of GandCrab ransomware must not stop at their initial success. They should not let the GandCrab V2 team succeed with the redesign of the ransomware, because that would greatly damage their reputation in global cyber security. The security researchers should again take down V2 to prove their global competence and to demonstrate that malicious attackers cannot prosper against a team of white-hat hackers.