Last week, security firm Bitdefender, the Romanian Police, and Europol allegedly gained access to the GandCrab Ransomware's Command & Control servers, which allowed them to recover some of the victim's decryption keys. This allowed Bitdefender to release a tool that could decrypt some victim's files.

After this breach, the GandCrab developers stated that they would release a second version of GandCrab that included a more secure command & control server in order to prevent a similar compromise in the future.

Yesterday, MalwareHunterTeam discovered that GandCrab version 2 was released, which contains changes that supposedly make it more secure and allow us to differentiate it from the original version. In this article we will provide a quick overview as to what has changed and how you can identify that you are are infected with the GandCrab Ransomware.

Unfortunately, at this time, victims of GandCrab v2 cannot decrypt their files for free. As always if you wish to discuss this ransomware or receive help with it, you can use our GandCrab Help & Support topic.

So what has changed in GandCrab v2?

In the backend, the biggest change are the hostnames for the ransomware's Command & Control servers. The new hostnames are politiaromana.bit, in honor of the Romanian Police who assisted in recovering decryption keys from the original version, malwarehunterteam.bit, in honor of security researcher MalwareHunterTeam, and finally gdcb.bit. These Command & Control servers need to be accessed before the ransomware will encrypt a computer. For information on how GandCrab resolves these hostnames, please see our original article.

Other noticeable changes are the extension used for encrypted files and the ransom note names.  With this version of GandCrab, encrypted files will now have the .CRAB extension appended to the file's name. For example, test.jpg will be encrypted and renamed to test.jpg.CRAB.

CRAB Encrypted Files
CRAB Encrypted Files

Another change is the ransom note name and it's contents.  The new note name is CRAB-Decrypt.txt and now includes instructions on contacting the devs through the Tox instant messaging service. 

GandCrab V2 Ransom Note
GandCrab V2 Ransom Note

Finally, the TOR Payment Page for GandCrab v2 has had an overhaul. The new site has a different layout and different instructions for the victim. Personally, I feel the original layout was more aesthetically designed.

Tor Payment Site Part 1
Tor Payment Site Part 1
Tor Payment Site Part 2
Tor Payment Site Part 2
Tor Payment Site Part 3
Tor Payment Site Part 3
Tor Payment Site Part 4
Tor Payment Site Part 4

As previously stated, unfortunately this decryption is currently secure and there is no way for victim's to decrypt their files for free. If anything changes, we will be sure to let everyone know.

Related Articles:

The Week in Ransomware - May 11th 2018 - GandCrab, SynAck, and More

GandCrab Version 3 Released With Autorun Feature and Desktop Background

The Week in Ransomware - April 27th 2018 - iLO, KCW, and VevoLocker

New SamSam Variant Requires Special Password Before Infection

DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks

IOCs

Hashes:

966a0852c8adbea0b7b7aada7c2c851ee642c7bca7da3b29ee143f47ddeb90a5 - Thx to MalwareHunterTeam for finding it.

Associated Files:

CRAB-DECRYPT.txt

Ransom Note Contents:

---= GANDCRAB V2.0 =--- 
Attention! 
All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB 
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. 
The server with your key is in a closed network TOR. You can get there by the following ways: 
1. Download Tor browser - https://www.torproject.org/ 
2. Install Tor browser 
3. Open Tor Browser 
4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[redacted]                        
5. Follow the instructions on this page 
If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:
1. https://gdcbmuveqjsli57x.hiddenservice.net/[redacted]                        
2. https://gdcbmuveqjsli57x.onion.guide/[redacted]                        
3. https://gdcbmuveqjsli57x.onion.rip/[redacted]                        
4. https://gdcbmuveqjsli57x.onion.plus/[redacted]                        
5. https://gdcbmuveqjsli57x.onion.to/[redacted]                        
                         
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. 
The alternative way to contact us is to use Tox messanger. Read how to:
1. Visit https://tox.chat/download.html
2. Download and install qTOX on your PC.
3. Open it, click "New Profile" and create profile.
4. Search our contact - 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5
5. In message please write your ID and wait our answer: [redacted]                           
DANGEROUS! 
Do not try to modify files or use your own private key - this will result in the loss of your data forever!