The ransomware GandCrab has been found in Sweden, bringing the number of infections in its massive campaign to over 50 000 victims. A decryption tool has been released, but thanks to the Agile development approach of the ransomware's authors a new version that the tool cannot decrypt was released just a few days later.


GandCrab stealing the ransomware spotlight

GandCrab is the first ransomware to truly take the spotlight this year, having infected over 50 000 victims, mainly in the US and the UK. Over 160 infections have also been detected in Sweden.

The developers of GandCrab do not deploy the ransomware themselves. Instead they rent it out to affiliates who handle distribution, a ransomware-as-a-service model that lets the authors focus on development full-time. The developers of the Cerber ransomware took the same approach, which is most likely one reason for its success.

Identifying GandCrab and its development method

GandCrab can easily be identified by the “.GDCB” and “.CRAB” extensions it appends to encrypted files. Note that this indicator only appears once encryption is already under way, so it is useful for triage and for scoping an incident, not for prevention. What further sets GandCrab apart from other ransomware is the way it is developed: with an Agile approach. Security company Check Point has analyzed earlier and later versions of the malware and states the following in a report:
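The extension check described above, written out as a small triage script. This is an added example and not code from the article or from any vendor; the sample paths are constructed, not taken from a real incident, and the only GandCrab-specific facts it encodes are the two extensions the article names. It groups a file listing (or a live directory walk) by extension and reports which directories are most affected, which is the first thing a responder wants to know when scoping an outbreak. Matching is case-insensitive because the attacker chooses the casing; paths are parsed with ntpath so that Windows listings collected from a remote host parse correctly even when the script runs on Linux.

```python
import ntpath
import os
import tempfile
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# File extensions the article names for GandCrab-encrypted files.
# Stored lower-case; matching is case-insensitive.
GANDCRAB_EXTENSIONS: Tuple[str, ...] = (".gdcb", ".crab")


def flag_encrypted_paths(paths: Iterable[str],
                         extensions: Tuple[str, ...] = GANDCRAB_EXTENSIONS
                         ) -> Dict[str, List[str]]:
    """Group the given paths by which ransomware extension they carry.

    ntpath handles both backslash and forward-slash separators, so Windows
    paths from a remote listing and local POSIX paths both parse correctly.
    """
    hits: Dict[str, List[str]] = {ext: [] for ext in extensions}
    for path in paths:
        ext = ntpath.splitext(path)[1].lower()
        if ext in hits:
            hits[ext].append(path)
    return hits


def summarize(hits: Dict[str, List[str]]) -> Dict[str, int]:
    """Number of flagged files per extension, e.g. {'.gdcb': 2, '.crab': 2}."""
    return {ext: len(paths) for ext, paths in hits.items()}


def top_affected_dirs(hits: Dict[str, List[str]],
                      n: int = 3) -> List[Tuple[str, int]]:
    """Directories holding the most flagged files: a quick view of blast radius."""
    counter: Counter = Counter()
    for paths in hits.values():
        for path in paths:
            counter[ntpath.dirname(path)] += 1
    return counter.most_common(n)


def scan_tree(root: str,
              extensions: Tuple[str, ...] = GANDCRAB_EXTENSIONS
              ) -> Dict[str, List[str]]:
    """Walk a local directory tree and flag files by extension."""
    def walk() -> Iterable[str]:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield os.path.join(dirpath, name)
    return flag_encrypted_paths(walk(), extensions)


def scan_constructed_tree() -> Dict[str, int]:
    """Build a throwaway directory with a constructed mix of files, scan it,
    and return the per-extension counts, so the walker can be exercised
    offline without touching a real host."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Documents")
        os.makedirs(sub)
        for name in ("budget.xlsx.GDCB", "report.docx.gdcb", "notes.txt"):
            open(os.path.join(sub, name), "w").close()
        open(os.path.join(root, "holiday.jpg.CRAB"), "w").close()
        return summarize(scan_tree(root))


# Constructed sample listing: hypothetical paths, not from any real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.GDCB",
    r"C:\Users\alice\Documents\report.docx.GDCB",
    r"C:\Users\alice\Pictures\holiday.jpg.crab",
    r"\\fileserver\shared\contracts\nda.pdf.CRAB",
    r"C:\Users\alice\Documents\notes.txt",      # untouched file, must not match
    r"C:\Program Files\App\crabby.exe",         # name contains 'crab', extension is .exe
]

if __name__ == "__main__":
    hits = flag_encrypted_paths(SAMPLE_PATHS)
    print("per extension:", summarize(hits))
    print("most affected:", top_affected_dirs(hits))
    print("temp-tree scan:", scan_constructed_tree())
```

A hit should trigger isolation of the host and preservation of the encrypted files, not cleanup: the extension tells you encryption has happened, and the files themselves are what a future decryptor would need. The extension tuple is a parameter so the same scanner can be pointed at another family's markers.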

“Comparing the two versions of GandCrab gives us a glimpse into the process by which a strain of ransomware evolves. The authors started by publishing the least well-built malware that could possibly work, and improved it as they went along. Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile.”

Decryption tool available – For a few days

Another sign that GandCrab is developed in an Agile fashion is the speed with which bugs and flaws are fixed. Security firm Bitdefender, together with Europol and the Romanian police, developed a free tool to unlock files encrypted by version 1 of the malware. Only a few days later, however, a new version (2) of GandCrab was available, with the weaknesses the decryption tool relied on patched. The tool still works for files encrypted by version 1, so the version a victim was hit by matters, and encrypted files should be preserved rather than wiped in case a decryptor for a later version appears.