GranCrab v2.0

[khairulaizat92 9]

Hi, 

First of all, this customer did not use ESET solution and only using free malwarebyte solution (with no real time protection), and its just a personal computer. And it has been infected with GranCrab v2.0.

So now, 2.0 didnt have decryptor yet, but if possible, i want an expert to assist me to search for this ransomware on his computer.

And i did not know how ransomware works (maybe after activating it deleted it hide it self) but im willing to give access using TeamViewer for anyone who are expert only, that are able to help to determine either it still there or not, and are the sample can be extract.

Just find the so called v2.0 GranCrab and extract it, is enough.

I scan using ESET online Scanner and it detect a few trojan a few worm but for grandcrab it only detect the ransome demand  ".txt" file.

the txt file as per attach
 

CRAB-DECRYPT.txt

[Marcos 5,259]

Unfortunately, it is impossible to decrypt files encrypted by GandCrab.

[khairulaizat92 9]

Just now, Marcos said:

Unfortunately, it is impossible to decrypt files encrypted by GandCrab.

Hi Macros, as per said, i didnt care about decrypting, just need a verification either it still there on the client pc or not, and did this "V2.0" detected by eset?

Would you like an access to the infected pc?

[Marcos 5,259]

It is typical for ransomware that it removes automatically after encryption is completed so it's pretty normal that you can't find it on the machine any more.

[khairulaizat92 9]

1 minute ago, Marcos said:

It is typical for ransomware that it removes automatically after encryption is completed so it's pretty normal that you can't find it on the machine any more.

I see, do you know how this 2.0 spread? 

[itman 1,746]

1 hour ago, khairulaizat92 said:

I see, do you know how this 2.0 spread? 

I assume the same way the original ver. was via exploit kits as noted in this Malwarebytes article: https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/

It is distributed as a RaaS, ransomware as a service, which means it is sold on the blackweb and the buyer modifies it to his choosing in regards to payload delivery, etc..

Your customer in all likelihood didn't apply all available and current OS and software patches and this is how he got nailed. Or, he was running Win XP that is no longer supported, etc.. It is somewhat unbelievable he had no realtime AV protection installed unless perhaps he was running on XP.

[khairulaizat92 9]

1 hour ago, itman said:

I assume the same way the original ver. was via exploit kits as noted in this Malwarebytes article: https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/

It is distributed as a RaaS, ransomware as a service, which means it is sold on the blackweb and the buyer modifies it to his choosing in regards to payload delivery, etc..

Your customer in all likelihood didn't apply all available and current OS and software patches and this is how he got nailed. Or, he was running Win XP that is no longer supported, etc.. It is somewhat unbelievable he had no realtime AV protection installed unless perhaps he was running on XP.

Well @itman the "Unbelievable" just happened. In this client case, he uses windows 7. And i assured you, its like a common situation in Malaysia. this is personal PC, there are some cases, a library with about a dozen of PCs, does not even have any AV install and using windows xp. However i do think on enterprises level most of them uses antivirus. 

[itman 1,746]

36 minutes ago, khairulaizat92 said:

In this client case, he uses windows 7.

He can use MSE on Win 7 although its realtime protection is substandard: https://support.microsoft.com/en-us/help/14210/security-essentials-download . Or, any of the free solutions offered by the major AV vendors. Kaspersky for example has a free version.

[itman 1,746]

Attackers are finding rather inventive ways to deploy GrandCrab ransomware as noted in this bleepingcomputer.com article: https://www.bleepingcomputer.com/news/security/eitest-hoeflertext-scam-distributing-gandcrab-and-netsupport-manager/

[OBAMSI 0]

I've got the same virus on the last two weeks and I found a tool by bitdefender which can decrypts the GDCB extension. however the grandcrab now is on v2.0 and the extension is CRAB !!

so our neighbors on bitdefender couldn't do it and I got the msg "Initialization FAILED!"

anyway I'm looking forward for a new tool maybe our godfather eset will do it in the next few weeks. I don't know how I got infected, I live in Syria and the internet is not that super fast.

I can wait anyway, the entire hard disk is infected, (recordings, family photos, all excel accounting files and logs .. every single important file) lucky me..

I've been using eset since 2008 and my computer is clean, but when I gave my old laptop to my parents there wasn't eset on it so you know the story ..