AhnLab, a South Korea-based cyber-security firm, has released today a vaccine app that blocks the GandCrab ransomware from taking root and encrypting users’ files.
This vaccine app works by creating a special file on users’ computers that the GandCrab ransomware checks before encrypting user data.
This file is named [hexadecimal-string].lock and is saved at the following locations.
Win 7, 8, 10: C:\ProgramData
Vaccine app tricks GandCrab ransomware
The hexadecimal ID is generated based on the computer’s volume information of the root drive and a custom Salsa20 algorithm and is unique per user.
GandCrab creates this file to know if a computer has already been infected and prevent users from running the ransomware executable twice and double-encrypting and permanently destroying their data.
The AhnLab vaccine app can create this file in advance, before a user might get infected, hence tricking the ransomware into thinking it has already locked the victim’s data.
Only works with GandCrab v4.1.2
Unfortunately, this vaccine app works only with the latest version of the GandCrab ransomware, version 4.1.2, the version that’s currently distributed in the wild since this week, July 17.
The addition of this .lock file mechanism appears to have been added with the release of GandCrab v4, at the start of July, as detailed in this Fortinet analysis.
While the current vaccine app blocks GandCrab v4.1.2, it may also be possible to backport the app and prevent older GandCrab v4 versions from infecting users as well.
This is because older GandCrab versions used even a simpler method of creating the .lock file. “Before it was just plain shifted-right volume serial number,” the Fortinet team said on Twitter.
No SMB spreader
The GandCrab ransomware has slowly become the most widespread ransomware strain in use today. Version 4.1.x, in particular, has recently grabbed some headlines.
Back at the start of the month, a security researchers spotted that GandCrab added support for the EternalBlue NSA exploit, suggesting the ransomware could use it to spread to other nearby computers on the same network via the SMB protocol. But in a later report, Fortinet said this self-propagation routine doesn’t seem to be used by the ransomware at all.
The GandCrab authors have also continued their habit of mentioning the names of security researchers in the ransomware’s source code. While Emsisoft’s Fabian Wosar was named in v3 and independent security researcher Daniel J. Bernstein in v4, they are now referencing Fortinet and AhnLab in v4.1.2.
#Gandcrab new internal version 4.1.2, with a new msg mixed in the code:
[+] #fortinet & #ahnlab, mutex is also kill-switch not only lockfile 😉
MD5: 0301296543c91492d49847ae636857a4 (unpacked) pic.twitter.com/T8KRtSrgd6
— Marcelo Rivero (@MarceloRivero) July 17, 2018