Gandcrab V5.2


Olivie Inoue

Aug 4, 2024, 3:18:58 PM
to golsecatra
The interesting conflict between AhnLab and the GandCrab ransomware was widely discussed in the IT security industry. However, the details that were revealed at the time were only the tip of the iceberg, with more details being kept private for reasons of confidentiality.

Based on the information shared by Fortinet, we were able to confirm that the new method was valid for the latest version of the malware, v4.1.1, as well. On 13 July we released an executable file tool to the public [5].


In August 2018, the creator of GandCrab officially began to strike back. The creator contacted tech site Bleeping Computer [6] and declared that the upcoming version of the GandCrab ransomware would contain a zero-day for AhnLab V3 Lite, also sharing a link to the exploit code. The creator claimed that this was in retaliation for the kill switch having been released by AhnLab and went on to explain that the kill switch would no longer be effective in future versions of GandCrab.


Figure 5: GandCrab creator announces alleged exploit attack of V3 Lite via Bleeping Computer [6].



Then, the internal version of v4.2.1 revealed the attack pattern code for V3 Lite products, stating that it was a 1:1 score between AhnLab and GandCrab.


The alleged attack code that was revealed could trigger a BSOD if V3 Lite was installed in the system, and was executed after encryption. AhnLab released an emergency patch immediately following the exploit.


The first method used by GandCrab to uninstall V3 was by encouraging the user to click. As shown in Figure 7, a piece of code was included within the distributed script specifically to drop and run a JS file which deletes the V3 service upon detection.


As AhnLab made continuous updates to its anti-malware program, GandCrab also introduced updates. GandCrab v5.0.2 was distributed, which incorporated uninstallation using the existing Uninst.exe -Uninstall in addition to the AhnUn000.tmp -UC method. As shown in Figure 10, this version copied the Uninst.exe file to %temp%\AhnUn000.tmp, used WMIC.exe to run the file with the -UC switch, and changed the V3 product deletion processor to runas.exe.


Before moving onto the next step, GandCrab checks whether the V3 service is running and uses the sleep function to wait 15 minutes if it is running. In the first step, an execution file (help22.exe) is dropped to stop the service. The dropped file locates V3 Lite and then duplicates Uninst.exe, the V3 uninstall program, to %UserProfile%help.exe. The duplicated file then executes ASDCli.exe and uses the stop command to stop V3 Lite.


AhnLab responded immediately with critical security patches, deleting ASDCli.exe and preventing the stop command from being executed. In addition, the product was upgraded, requiring an additional string (other than /Uninstall) to remove the product. The long tussle between GandCrab and AhnLab seemed to have settled down.


A modified version of GandCrab v5.2, distributed in March 2019, no longer contained the above-mentioned text. Instead, a text insulting Bitdefender was used as the mutex. However, it was too soon to assume that the battle between AhnLab and GandCrab had ended.


The battle between the GandCrab threat group and AhnLab lasted for 478 days and highlights the importance of collaboration between security vendors and organizations in the fight against advanced threats such as this. It is also vital for security vendors to continuously monitor threats and be resilient. It may seem as though the adversaries always have a head start, but advanced attacks cannot prevail if vulnerabilities are promptly addressed and appropriate updates are made.




Previously, 360 Total Security intercepted all aspects of the attack and fully supported the powerful killing of the entire series of GandCrab ransomware. Nowadays, 360 Total Security has launched the decryption tool for GandCrab v5.2, which means that 360 Total Security now supports full-range decryption of GandCrab ransomware 4.0/5.0/5.0.2/5.0.3/5.0.4/5.1/5.2; users who have been infected can successfully decrypt their files without paying the ransom!


In March of this year, 360 Security Center issued a security report saying that we have received much feedback on ransomware, and that some government department mailboxes have also been attacked by ransomware in this round of virus threats. According to 360 Security Center's analysis, the ransomware version number is GandCrab v5.2, which is the latest upgraded ransomware version, released on February 19, 2019.


In fact, more than 1.5 million victims worldwide have been attacked by the GandCrab ransomware since 2018. At the same time, there are reports showing that the team behind the GandCrab malware has extorted more than $2 billion from victims, with an average weekly profit of $2.5 million, which has seriously threatened personal and company data and property security.


Following GandCrab 4.0/5.0/5.0.2/5.0.3/5.0.4/5.1, the ransomware updated to GandCrab v5.2 is still unable to escape the public execution of 360 Total Security. On the same day that the world-renowned security software Bitdefender released the GandCrab v5.2 decryption tool, 360 Total Security immediately followed up on the decryption work and released its GandCrab v5.2 decryption tool to its users, becoming the first in China to do so.


What is GandCrab v5.2 ransomware? How to remove GandCrab v5.2? How to decrypt files encrypted by the GandCrab v5.2 ransomware virus on your computer effectively?




The encryption process of the first versions of GandCrab (v1, v2 and v3) used AES-256 encryption in Cipher Block Chaining mode. The newer versions (v4 and v5, including v5.2) now use the Salsa20 algorithm. The virus used to encrypt a larger portion of the files, risking damage to them, but now it encrypts only a small portion of each file via Salsa20, enough to render them unopenable. This is how the researchers managed to reach a breakthrough, and the result of that is the BitDefender GandCrab Decryptor. Below, you can find instructions on how you can restore files encrypted by this version of GandCrab (v5.2) for free.


Important! Before decrypting your files encrypted by GandCrab 5.2, you will need to have at least one ransom note from your infection, which is required to recover the decryption key. So, before removing the virus files, make a copy of the ransom note on a flash drive or other external drive. Make sure to do this before scanning your PC.






Step 6: The software will begin looking for the decryption keys for files, encoded by GandCrab v5.2. Be advised that this will definitely take some significant time so arm yourself with patience.


Keep in mind that this decryption tool will first try to decrypt 5 files, and if this test does not pass it will not continue, although the probability of that is very low. Also note that BitDefender researchers find it important to receive any feedback, so if you fail to decrypt your files, you should contact them at fore...@bitdefender.com and send them the log file of the decryption process, which is usually located in the %Temp%\BDRemovalTool directory.






Here is a method in a few easy steps that should be able to uninstall most programs. No matter whether you are using Windows 10, 8, 7, Vista or XP, these steps will get the job done. Dragging the program or its folder to the Recycle Bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable operation of your PC, errors with file type associations and other unpleasant effects. The proper way to get a program off your computer is to uninstall it. To do that:


3. This will open a window with all the programs installed on the PC. Select the program that you want to remove, and press "Uninstall". Follow the instructions above and you will successfully delete most unwanted and malicious programs.


3. You can remove the value of the virus by right-clicking on it and removing it. Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.

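As an added example (not code from the Virus Bulletin paper, AhnLab, 360, Bitdefender or the post above): detection logic for the V3 Lite tampering chain the message describes (Uninst.exe copied to %temp%\AhnUn000.tmp and launched via WMIC with -UC, the plain -Uninstall switch, help22.exe dropping help.exe, and ASDCli.exe being told to stop the service), run over constructed process-creation events. The key="value" line layout with the field names Image, CommandLine and ParentImage, the install paths, the user name and the exact WMIC command syntax in the samples are all assumptions made for the example.

```python
"""Added example, not code from the post or any vendor it names.

Assumptions (not taken from the post):
  * Events are single lines of key="value" pairs with the field names
    Image, CommandLine and ParentImage (a Sysmon Event ID 1 style export).
  * The install paths, user name and the WMIC syntax in SAMPLE_EVENTS
    are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    rule: str
    event_no: int
    command_line: str


# (rule name, regex on lowercased Image, regex on lowercased CommandLine).
# Both regexes must match for the rule to fire.
RULES = [
    # v5.0.2: Uninst.exe copied to %temp%\AhnUn000.tmp and run with -UC
    ("v3_uninstaller_copy_uc", r"ahnun000\.tmp$", r"(^|\s)-uc(\s|$)"),
    # WMIC.exe used to launch the renamed uninstaller
    ("wmic_launches_ahnun000", r"wmic\.exe$", r"ahnun000\.tmp"),
    # the V3 uninstaller invoked directly with -Uninstall / /Uninstall
    ("v3_uninst_uninstall_switch", r"uninst\.exe$", r"[-/]uninstall(\s|$)"),
    # v5.x: ASDCli.exe invoked with the stop command to halt V3 Lite
    ("asdcli_stop", r"asdcli\.exe$", r"(^|\s)stop(\s|$)"),
    # the uninstaller duplicated as help.exe in the user profile; weak on
    # its own, so corroborate with the parent (help22.exe) or other hits
    ("uninstaller_as_help_exe", r"\\help\.exe$", r""),
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key="value" line into a dict; surrounding quotes are stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def detect(events) -> list:
    """Return one Hit per (event, rule) pair that matches, in event order."""
    hits = []
    for n, line in enumerate(events, 1):
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        for name, image_re, cmd_re in RULES:
            if re.search(image_re, image) and re.search(cmd_re, cmd):
                hits.append(Hit(name, n, ev.get("CommandLine", "")))
    return hits


def triggered_rules(events) -> list:
    """Sorted, de-duplicated rule names, handy for a single alert line."""
    return sorted({h.rule for h in detect(events)})


# Constructed sample telemetry: a benign event, the chain described in the
# post (WMIC -> AhnUn000.tmp -UC, help22.exe -> help.exe -> ASDCli.exe stop,
# and the plain -Uninstall path), and a benign "net stop" that must not fire.
SAMPLE_EVENTS = [
    r'Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe C:\Users\bob\notes.txt" ParentImage="C:\Windows\explorer.exe"',
    r'Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic process call create C:\Users\bob\AppData\Local\Temp\AhnUn000.tmp -UC" ParentImage="C:\Users\bob\AppData\Local\Temp\gc.exe"',
    r'Image="C:\Users\bob\AppData\Local\Temp\AhnUn000.tmp" CommandLine="C:\Users\bob\AppData\Local\Temp\AhnUn000.tmp -UC" ParentImage="C:\Windows\System32\wbem\WMIC.exe"',
    r'Image="C:\Users\bob\help.exe" CommandLine="C:\Users\bob\help.exe" ParentImage="C:\Users\bob\help22.exe"',
    r'Image="C:\Program Files\AhnLab\V3Lite\ASDCli.exe" CommandLine="ASDCli.exe stop" ParentImage="C:\Users\bob\help.exe"',
    r'Image="C:\Program Files\AhnLab\V3Lite\Uninst.exe" CommandLine="Uninst.exe -Uninstall" ParentImage="C:\Windows\System32\cmd.exe"',
    r'Image="C:\Windows\System32\net.exe" CommandLine="net stop spooler" ParentImage="C:\Windows\System32\cmd.exe"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit.event_no}: {hit.rule}: {hit.command_line}")
```

Each rule keys on the image name plus a command-line switch rather than on the command line alone, so a legitimate "net stop" or a stray "-uc" argument to another binary does not fire; the help.exe rule is deliberately loose and is meant to be weighed together with the other hits from the same host.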