back to article Smash GandCrab: Free tools released to decrypt files scrambled by notorious ransomware

Victims of the latest incarnations of the GandCrab ransomware now have a way to reclaim their files without paying a penny to extortionists, thanks to the release of a decryption tool. Infosec shop BitDefender said this week it has teamed up with eight crime-fighting government agencies – including the FBI, London's met Police …

  1. Pascal Monett Silver badge

    Well then, one down, a hundred thousand to go

    They say (in the linked article) they have proven that crime can be without retribution. So it's a lot easier to do crime with the Internet, well duh. Did they actually think that needed to be demonstrated ?

    With the Internet, you are all over the world, but there is no world police. You can create and launch processes from your computer but they can execute anywhere in the world. If that process is malicious, it will hurt someone who does not have any other possibility to track you down except call the police - who cannot do anything because the perpetrator can likely not be found.

    It would take quite a few experts to track the origin of a malware, and it would require local law enforcement cooperation to get the details that would allow an actual arrest. That is not something that is going to happen for issues that are less than a few thousand dollars, because it would probably cost more than that to bring the criminals to justice.

    1. FrogsAndChips Silver badge
      Unhappy

      Re: Well then, one down, a hundred thousand to go

      “We are leaving for a well-deserved retirement. We have proven that by doing evil deeds, retribution does not come. We proved that in a year, you can earn money for a lifetime.”

      Thanks, that's all I needed to brighten my day on a rainy June afternoon.

  2. STOP_FORTH
    Unhappy

    Why is this still a thing?

    The Reg had an article on anti-ransomware techniques years ago. For individual PCs (not on a Windows domain) they (or possibly a commentard) pointed to FoolishIT and their free CryptoPrevent software. FoolishIT is now called d7xTech and their free version of the software is now on an obscure corner of the website (or was last time I looked.)

    Or you can, umm, just not use Windows.

    Anyone in a corporate environment should not have a problem. (Again, details on how to protect corporate machines was in original article.)

    This whole ransomware scourge saddens me.

    1. Muscleguy Silver badge

      Re: Why is this still a thing?

      I hear what you're saying but Windows boxes are targetted because they are the most common type. If Linux/Mac boxes became the most common type then *nix malware would be more common.

      Since most ransomware relies on phishing emails and hence human stupidity which results in executibles on the host system they are hard to legislate against. Even with 'this application was downloaded from the internet. Are you sure you want to run it' dialogues most people are just going to tick okay even if they haven't deliberately invoked something. I wouldn't, but then I read the Reg so am more aware than 90% of people.

      But I found myself putting data into a dodgy facsimile of a website the other day. I realised and closed the window. I tried to change my password on the site in question but the relevant sections were 'down for maintenance at the moment' for some time and I've only just achieved that. Pity, I've had that login since dialup, it isn't dictionary discoverable and it's seared into my mind.

      1. STOP_FORTH
        Alert

        Re: Why is this still a thing?

        I know that anyone can have an off-day and respond to a phishing mail or enter data on a convincing look-alike website. Even security professionals probably fall for this stuff sometimes.

        My point, though, is that for this particular problem (ransomware) there is a solution. You either implement policies that prevent the stuff from running, buy anti-ransomware software (free, slightly hobbled version still available) or use anything other than Windows. This is all detailed in the original Reg article from years ago.

        I realise that home-users might not know about this stuff but there is no excuse for anyone running a business IT function to fail to fix this other than incompetence or laziness.

        Buck up IT guys and gals, there are plenty of nasties you can't protect against, but this isn't one of them. Oh, and back up.

      2. Dr Dan Holdsworth Silver badge
        Pirate

        Re: Why is this still a thing?

        The basic problem is that Windows still has not got the appropriate balance between security and usability, and still doesn't have things like selinux set up as default on systems. Tricks such as nosuid and other switches and not letting email clients run things by default (or at all) can also go a very long way to making the life of the malware author really difficult.

        The other way to stop ransomeware working is to chase the money. There are two sides to any extortion scam; the first and easiest part is actually setting up the scam and stinging the mark for their money. The hard part then is providing a plausible explanation for how you, Baldrick the unemployed nobody from nowheresville has suddenly become fabulously and incredibly rich. To this end I would personally be getting VERY interested in various dubious lotteries across the world, since a lottery is one of the better ways of laundering money.

        1. DropBear Silver badge

          Re: Why is this still a thing?

          Regarding that last part, I'm a bit puzzled here - I assume it's not actual dollaroos being asked for by the extortionists, those should be much too traceable, but maybe bitcoin. Which raises the question what exactly can they do with the two billion's worth of bitcoin they're sitting on - because if anyone tried to cash out any significant fraction of that, I'm fairly sure we'd have heard about it...

          1. DuncanLarge Silver badge

            Re: Why is this still a thing?

            You can send your ill-gotten bitcoins into a service that chops the up randomly with many other coins from other sources, returning to you bits of those other coins. Thus your ransom coins just end up being sent to non-criminals doing the same thing, anyone watching the coins will lose track of all the bits.

            Then again maybe you can just directly exchange the coins for some monero coins in a private sale.

    2. GruntyMcPugh Silver badge

      Re: Why is this still a thing?

      @STOP_FORTH: "Anyone in a corporate environment should not have a problem."

      Pray tell why? Various places did get slapped by Crypto attacks, Lincs County Council was one, and I'm sure they'll have had AV and security policies in place.

      And not using Windows is not an option, not unless you are personally offering to support the user base when they transition. I've done that sketch at the behest of an anti-Microsoft Dean of Faculty, and his Personal Assistant was crying and threatening to quit within hours of having her Linux machine delivered.

      1. STOP_FORTH
        Angel

        Re: Why is this still a thing?

        Being slapped by a Crypto attack is not actually proof that the correct group policies are in place, surely?

        If an organisation has a mish-mash of old hardware running a variety of OS at different patch levels things will go wrong. Old medical equipment may require ancient versions of MS products to drive it simply because the drivers have never been written for newer versions of OS.

        The current computing eco-system is a horrible mess. Bad actors will take advantage of this.

        I seem to be out of step with reality here. I'm not sure that this is my problem.

        1. J. Cook Silver badge

          Re: Why is this still a thing?

          There's also manglement trying to insert their grubby paws as well; I implemented the group policies one fine weekend at [RedactedCo] after killing several hours performing file restore for victim #3, and said 'fuck it, I am DONE with this.'

          Boss at the time wanted me to roll it back that monday because I didn't go through all the processes, vetting, and other paperwork bullshit. HIS boss overruled him after I had a talk with him about it.

          1. STOP_FORTH
            Facepalm

            Exhibit A

            And there we have it. Solutions exist but corporate inertia and processes prevent their use. Managers are like inductors - they hate change.

            Hey I think I worked at [RedactedCo], have we met?

        2. katrinab Silver badge

          Re: Why is this still a thing?

          Surely old medical equipment is the kind of thing you can reimage from a known good source without having to worry too much about data loss?

          1. STOP_FORTH
            Happy

            Re: Why is this still a thing?

            If the XP laptop stops working the pump/monitor/leech-prod during my (obviously major) operation, that's a calamity.

            If it causes someone else's iron lung to catch fire that's obviously not so important.

            (N.B. I am not a medic, medical advances may have rendered some of these devices redundant, unlike, say, Windows 95/ME/NT.)

            1. katrinab Silver badge

              Re: Why is this still a thing?

              Does that sort of thing run on Windows? I thought it was more along the lines of MRI scanners, where, if it stops working in the middle of a scan and you have to call the technician out to fix it, then it is a nuisance and people will have their tests delayed, but it is not immediately life-threatening.

      2. Loyal Commenter Silver badge

        Re: Why is this still a thing?

        Lincs County Council was one, and I'm sure they'll have had AV and security policies in place.

        With the swingeing budget cuts inflicted on councils in the last decade, what makes you think they have the budget for anyone to manage AV and security policies?

  3. J. R. Hartley Silver badge

    FBI?!

    No thanks. They can fucking stay encrypted.

  4. Anonymous South African Coward Silver badge

    Why GandCrab and not GrandCrab?

    Blue Unction* should work on it.

    *Spike Milligan fans will understand.

  5. katrinab Silver badge
    Flame

    "so much that some pundits have wondered if companies might not be better off just paying the ransom demands in certain cases."

    Absolutely no, and also, it should be illegal to trade in bitcoins that have ever passed through the relevant wallet, regardless of how the current owner came into possession of them.

    1. Loyal Commenter Silver badge

      it should be illegal to trade in bitcoins that have ever passed through the relevant wallet

      Whilst the bitcoin ledger is distributed, and therefore a matter of public record, 'bitcoins' as such don't exist as discrete entities, and are theoretically infinitely divisible (although technically the 'atomic' size is currently 0.00000001 BTC). It's not a case of bitcoins moving around, but of balances in wallets going up and down. All 'bitcoins' are perfectly fungible - if a wallet holds a balance, and part of it is paid out to another wallet, you cannot identify which part of it that is - i.e. what origin that part of the balance had previously.

      What you suggest is impractical for two important reasons:

      1) There is no global regulation, so someone in a country not respecting your rules can cash out their bitcoins.

      2) If a wallet has a balance of, say, 1.45874354 BTC, and 0.0004323 BTC of that has come at some point from an "illegal" source, do you then say that any transaction in the future from that wallet is suspect, and, by extension, any transaction from a wallet that has had a transaction from it, etc.? What happens if someone transfers 0.00000001 BTC from a suspect wallet into a mining pool? Are you going to say that suddenly a large fraction of the network is suspect because those wallets receive payments from the pool's wallet?

      Your suggestion is a bit like saying that all bank-notes that have ever been involved in the drugs trade should be removed from their current owners and burned. We can start by burning everything you have in your wallet. Let's include the bank cards as well for good measure.

      1. katrinab Silver badge
        Mushroom

        "If a wallet has a balance of, say, 1.45874354 BTC, and 0.0004323 BTC of that has come at some point from an "illegal" source, do you then say that any transaction in the future from that wallet is suspect, and, by extension, any transaction from a wallet that has had a transaction from it, etc.?"

        Yes

        "What happens if someone transfers 0.00000001 BTC from a suspect wallet into a mining pool? Are you going to say that suddenly a large fraction of the network is suspect because those wallets receive payments from the pool's wallet?"

        Yes

        In both cases, people would make damn sure not to accept Bitcoins from tainted wallets.

        By the way, it doesn't matter if all countries adopt this law as long as a few big ones do. The tainted Bitcoins would still have a value, but it would be a lot lower.

        1. Loyal Commenter Silver badge

          In both cases, people would make damn sure not to accept Bitcoins from tainted wallets.

          If you have a bitcoin wallet, and I make a tranfer to it, how do you propose to prevent that? If you are a mamber of a mining pool, because you own some minng hardware, as a large number of people are, how do you prevent a payout from that pool if you don't approve of a payment made into it from someone else? Such an action, by your rules, could "poison" the entire network pretty quickly. Most bitcoins originate from mining pools, rather than individuals.

          Your proposal signifies a fundamental misunderstanding of what the bitcoin network is, and how it works. The merits or otherwise of bitcoin aside, you are effectively saying that you would not allow transactions between 99.99+% of the network, which is clearly not workable.

          1. katrinab Silver badge
            Flame

            Or a clear understanding of how to make it unworkable. Take your pick.

            The transactions I would ban are the ones where you convert it into real money at exchanges. They should already be checking that they are not receiving proceeds of crime, so I don't think you actually require any change in the law, just for the authorities to publish a list of tainted wallets.

            I don't think that a system that was designed to facilitate money laundering by criminals should be allowed to operate because the design of it is such that money laundering by criminals is facilitated.

            1. Loyal Commenter Silver badge

              The transactions I would ban are the ones where you convert it into real money at exchanges.

              I think you're missing the point. Bitcoins are a 'pool', by your rules, any part of that pool that touches another that is tainted becomes tainted. The entire network would likely be 'tainted' within days.

              Apart from the simplest case, where the entire balance of a wallet is traceable back to criminal activity, and is then immediately 'cashed out', it is unworkable, because you are effectively saying that there should be a ban on trading all bitcoin for cash. I doubt your rules would have any effect in the countries where these criminals will be 'cashing out' in any case - it would be a clear case of judicial overreach, for example, for US law enforcement to try to stop transactions in Ukraine, or Azerbaijan. Not to mention that there is absolutely nothing whatsoever to stop one person paying another for bitcoin in real money outside of an 'exchange' - the only thing that buys you is the 'trust' that the money is held in escrow until the transaction has cleared the network, which typically is after the processing of several blocks, so takes an hour or more (depending on how many blocks you consider necessary to guarantee a transaction is confirmed).

              Lets also not forget that any transaction on the bitcoin network has a 'fee' which goes to whoever 'mines' the next block. That fee would be coming from the ransom money, so would, by your rules, be tainted. You are essentially arguing that the fundamental mechanism for processing transactions on the blockchain should be made illegal, because you can't guarantee the origin of the fees. This might be your intention, but I doubt it, and it isn't realistically going to stop people using bitcoin, so is entirely moot.

              1. katrinab Silver badge

                It would be effective enough to have the desired result.

                People who want to use Bitcoin for non-criminal purposes, which is most people, would get behind a redesign that addresses the problems you outline. Criminals would then have no way of transacting with the non-criminal economy using the current version of Bitcoins.

                An intervention can be worth doing even if it isn't 100% effective.

                1. Loyal Commenter Silver badge

                  a redesign that addresses the problems you outline

                  I guess you've not been keeping up with "the bitcoin show".

                  The amount of consternation involved in making a relatively small change to fix a known issue almost caused a 'hard fork' (where one part of the network becomes incompatible with another, effectively splitting the network in two), for example:

                  https://en.bitcoin.it/wiki/Block_size_limit_controversy

                  What you are proposing would require a major redesign, and then it would require approval and acceptance from more than 50% of the network to implement. You can't just impose a change in a top-down manner, because unless you are >50% of the network, everyone else can, and will, tell you to just fuck off. In practice, it would require much more than 50% to avoid uproar from the remainder (which it wouldn't get). That's the nature of a distributed system with no central control - you can't impose central control on it.

                  And then, imagine if it did happen, the crims would just move to using another cyrptocurrency instead, you know like Iran deciding to trade in Euros rather than dollars...

                  1. katrinab Silver badge
                    Facepalm

                    That's the whole point.

                    People who want to continue using it for legal purposes, which is most people, will use something that doesn't have this problem, whether an updated version of bitcoin, a hard fork, or something completely different. A currency that can only be used by criminals isn't much use to anyone, not even criminals.

                    There are thousands of cryptocurrencies to choose from. Bitcoin is currently by far the most popular, but there is no particular reason why it needs to continue being the most popular in future if something better comes along.

                    1. Loyal Commenter Silver badge

                      If you say to everyone using bitcoin, "hey, there are criminals using bitcoin, you should use something else", the response you will get will be an overwhelming 'meh'. Unless you have some way of forcing people to use something else, you literally have no influence over people's decision to use it.

                      Bitcoin has a value because the people using it decide that it does, and this is by consensus. You aren't going to be able to influence enough people to switch to something else overnight that they will think, "my investment is better off there instead". It's like trying to catch a freight train from a standing start.

                      Bitcoin has plenty of things to detract from it; it'll never be useful as an actual currency, and it's pretty crap as an investment, because the value is so unstable. It's only real value is the scarcity that is designed into the system, and the energy cost required to 'mine' it that very loosely ties it to a real value. To me, the only real value is as a curiosity. Others do, however, have significant amoutns of money invested in it, and are going to pay exactly 0 attention to attempts to force a hard fork for law enforcement purposes. The whole point of it is that it is verifiable by the blockchain and operates according to exactly the rules built into it when it was designed, and no others.

        2. Loyal Commenter Silver badge

          In both cases, people would make damn sure not to accept Bitcoins from tainted wallets.

          It's also worth noting that there is no mechanism to accept or reject a transaction from a wallet. It gets entered into the blockchain, cryptographically signed by the owner of he wallet it came from, and it's there. There is no 'accept', so this statement is meaningless.

          This cuold be considered a weakness in the design of the whole system, and let's face it, it's not the only one, but there it is.

  6. ColonelDare
    Windows

    What's the problem??

    G&pnabbu{aVa>9?j8O;{kVnsaq!p/ZLZ7\igmEPS

    UEn:7uub}bZ55Ti&0w"&75avS05.=0^_%wn0j+5

    \wmdZ$vHm_ffo7m!@ht}[Ofb46q`6x.]Nvgy4/l4

    %~P%hjCRk3yr^(%vaZwpA\L/~Ens+Nt2RX~H,4jA

    b+H fj/Sg%Q~UOr1g?d=5#^ T6D-j}gn7$vH%F]u

    Z|Mjk;&qoC[M7bE,`"nMbz(k"JVh{%5:@<,,L9?j

    Pt'jJp_!'yu&@[1lep& 13zz_eXr+6;kP~nAN/_5

    aV|((".#NoxwBv9,WSQx<-BC%4.%Y}+{l@vC~NMu

    kaZmxghHy5)]d>kPmpbYI0aE]W'6ps /p@8(6|tt

    u+\#xq@.$~!iHmT'1YO?6;L(IFP_}NCb$IJ =@vG

    "nMbz(k"

    1. Aussie Doc
      Coat

      Re: What's the problem??

      Easy for you to say.

      I had to grab a dictionary.

    2. Anonymous South African Coward Silver badge

      Re: What's the problem??

      It broke the online Klingon to Standard translator.

      Expect the Klingon Inquisition to arrive soon.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019