GandCrab Ransomware v4.1.2 Theft Prevented With Salsa20 Algorithm

GandCrab ransomware installs itself on host systems through disguised online downloads, most commonly reported as fake PDF receipts, and encrypts the user's local data by executing its .gdcb and .crab files. It is the most widespread malware of its kind and uses the Magnitude exploit kit to reach its victims. The latest version, 4.1.2, was discovered recently. Before its attacks gain momentum, the South Korean cyber security company AhnLab has replicated the hexadecimal string that GandCrab 4.1.2 executes on compromised systems and has packaged it so that it sits harmlessly on uninfected systems: when the ransomware enters such a system and runs its string to encrypt it, it is tricked into concluding that the computer is already encrypted and compromised (supposedly already infected), so it does not re-run the same encryption, which would double-encrypt the files and destroy them entirely.

The hexadecimal string formulated by AhnLab creates a unique hexadecimal ID for each host system from details of the host itself, combined with the Salsa20 algorithm. Salsa20 is a symmetric stream cipher with a 32-byte (256-bit) key. It has held up against a multitude of attacks and has rarely been the weak point of the systems that use it when exposed to attackers. The cipher was developed by Daniel J. Bernstein and submitted to the eSTREAM project. It is now used in AhnLab's mechanism for fighting GandCrab ransomware v4.1.2.

The application formulated for warding off GC v4.1.2 saves its [hexadecimal-string].lock file in different locations depending on the host's Windows version. On Windows XP, the file is saved in C:\Documents and Settings\All Users\Application Data. On newer versions of Windows (7, 8 and 10), it is stored in C:\ProgramData. At this stage, the application is only expected to trick GandCrab ransomware v4.1.2. It has not yet been tested against older versions of the ransomware, but many suspect that if files from the newer application are matched with older ransomware-fighting code, they could be brought up to par through backporting and made effective at throwing off attacks from older versions of the ransomware as well. To assess the threat this ransomware poses, Fortinet has published thorough research on the matter, and to safeguard against it, AhnLab has made its application available for free download through the following links: Link 1 & Link 2.
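A defender rolling the vaccine out to a fleet wants to confirm the marker file actually landed in the right folder on each host. The script below is an added example, not AhnLab's tool: it maps the Windows version to the folder named above and reports whether a hex-named .lock file is present. The article does not give the host-ID derivation, so the check can only verify the name shape and location, not the expected value; the sample folder and file names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Vaccine folders named in the article, keyed by Windows family.
# Assumption: Windows 7, 8 and 10 are all treated as "modern".
VACCINE_DIRS = {
    "xp": Path(r"C:\Documents and Settings\All Users\Application Data"),
    "modern": Path(r"C:\ProgramData"),
}

# The vaccine file is "<hexadecimal-string>.lock"; any other *.lock file in
# the folder is not evidence that the vaccine is in place.
LOCK_NAME = re.compile(r"^[0-9A-Fa-f]+\.lock$")


def vaccine_dir(windows_version: str) -> Path:
    """Return the folder where the vaccine stores its .lock file for this OS."""
    family = "xp" if "xp" in windows_version.lower() else "modern"
    return VACCINE_DIRS[family]


def find_vaccine_locks(folder: Path) -> list[str]:
    """Names in `folder` that match the vaccine's hex-named .lock pattern."""
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir()
                  if p.is_file() and LOCK_NAME.match(p.name))


def vaccine_status(folder: Path) -> str:
    """'present' for exactly one marker, 'ambiguous' for several, else 'missing'."""
    locks = find_vaccine_locks(folder)
    if not locks:
        return "missing"
    if len(locks) > 1:
        return "ambiguous"  # more than one candidate marker: flag for review
    return "present"


def demo() -> dict:
    """Constructed sample: a throwaway ProgramData look-alike with one marker and decoys."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "A1B2C3D4E5F6.lock").write_bytes(b"")   # constructed vaccine marker
        (folder / "readme.lock").write_text("not hex")     # decoy: wrong name shape
        (folder / "notes.txt").write_text("unrelated")     # decoy: wrong extension
        return {"locks": find_vaccine_locks(folder), "status": vaccine_status(folder)}


if __name__ == "__main__":
    print(vaccine_dir("Windows 10"), demo())
```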
