The "unkillable" Bitcoin ransomware virus is making a comeback. Be vigilant about the security of your blockchain assets


In 2017, the "Bitcoin ransomware" WannaCry attacked more than 150 countries including China, causing losses of more than $8 billion. Since then, various ransomware viruses (NotPetya, Bad Rabbit, etc.) have emerged one after another, but their impact has always been limited.

A cryptocurrency ransomware virus called "GandCrab V5.2" that appeared recently is showing signs of repeating WannaCry's "former glory". It has already attacked thousands of government and corporate computers in China.

A so-called cryptocurrency ransomware virus infects a computer, encrypts the files on it, and demands that the user pay a ransom in cryptocurrency before the files are unlocked.

Many security teams, including SlowMist and DVP, have stated that GandCrab V5.2 currently cannot be cracked and that the only option is to defend well against it.

The GandCrab team is not only highly skilled, but also "a thief with a code of conduct": they keep their promise to decrypt the files once the ransom is paid, and they "humanely" exclude war-torn areas such as Syria from infection, which is why the virus was once nicknamed the "chivalrous thief". However, they regard China and South Korea as important attack targets, and the team behind GandCrab has also earned about $2.85 million by selling the virus.

In recent years, attacks on cryptocurrencies have increased, and blockchain security incidents have occurred frequently. In 2017, the main attack was "ransomware", and in 2018, it was mainly "malicious mining". Now, will ransomware make a comeback?

01 Thousands of government and institutional computers infected

According to the National Cyberspace and Information Security Information Reporting Center, GandCrab V5.2 has been wreaking havoc in China since March 11, 2019, attacking thousands of computers in government, enterprises and related scientific research institutions.

As of press time, the Yiling District Government of Yichang City, Hubei Province, the Institute of Metal Research, Chinese Academy of Sciences, Yunnan Normal University, Dalian Public Security Bureau and other governments, enterprises and universities have all issued announcements on their official websites to prevent virus attacks.

Screenshot of Yiling District Government’s official website

According to David Montenegro, a cybersecurity analyst, the GandCrab V5.2 ransomware has infected thousands of domestic computers and will affect more computers through remote attacks.

02 Method: spam attack

How does GandCrab V5.2 infect the victim's computer? It is understood that the ransomware virus currently mainly attacks through emails.

The attacker sends an email to the victim's mailbox with the subject "You must report to the police station at 3 pm on a certain day of a certain month!", a sender name of "Min, Gap Ryong", and an attachment.

From Tencent Security

Once the victim downloads and opens the attachment, GandCrab V5.2 runs and encrypts the data on the entire hard disk of the user's host. The victim is then told to visit a specific URL to download an encrypted browser and to pay the ransom through that browser.
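The infection chain described above starts with one email, so the most useful place to catch it is the mail gateway. The following is an added example, not code from the article or from any of the security vendors it names: a small triage rule that parses messages with Python's standard library, scores each one on the lure indicators the article reports (the sender display name and the "report to the police station" subject) and on a generic trait of ransomware delivery (an executable or archive attachment), and returns a quarantine verdict with the reasons. The sample mailbox and the list of risky attachment extensions are constructed here for the demonstration and should be tuned to your own environment.

```python
"""Mail-gateway triage for the GandCrab V5.2 email lure described above.

Added example; not code from the article or from any vendor named in it.
The three sample messages are constructed for the demonstration.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Campaign indicators as reported in the article (compared case-insensitively).
LURE_SENDER_NAME = "min, gap ryong"
LURE_SUBJECT_KEYWORDS = ("report to the police station",)

# Attachment types that should not arrive unannounced from outside.
# Assumed list for the example; tune it for your own environment.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1",
    ".zip", ".rar", ".7z", ".doc", ".docm", ".xlsm",
}


def build_sample_mailbox():
    """Return three constructed RFC 822 messages as bytes:
    the reported lure, a benign message, and a generic risky attachment
    that carries none of the campaign-specific indicators."""
    lure = EmailMessage()
    lure["From"] = '"Min, Gap Ryong" <no-reply@example.invalid>'
    lure["To"] = "victim@example.invalid"
    lure["Subject"] = "You must report to the police station at 3 pm on 15 March!"
    lure.set_content("See the attached summons.")
    # Placeholder bytes standing in for an executable; not real malware.
    lure.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                        subtype="octet-stream", filename="summons.exe")

    benign = EmailMessage()
    benign["From"] = "colleague@example.invalid"
    benign["To"] = "victim@example.invalid"
    benign["Subject"] = "Agenda for Friday"
    benign.set_content("Notes attached.")
    benign.add_attachment("1. Budget review\n2. Patch schedule\n",
                          filename="notes.txt")

    generic = EmailMessage()
    generic["From"] = "billing@example.invalid"
    generic["To"] = "victim@example.invalid"
    generic["Subject"] = "Invoice 2019-03"
    generic.set_content("Please find your invoice attached.")
    generic.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                           subtype="zip", filename="invoice.zip")

    return [m.as_bytes() for m in (lure, benign, generic)]


def triage_message(raw_bytes):
    """Parse one message and return (verdict, reasons).

    verdict is "quarantine" when any indicator fires, otherwise "deliver".
    Reasons are listed in the order: sender, subject, then each attachment.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    sender = str(msg["From"] or "").lower()
    subject = str(msg["Subject"] or "").lower()
    if LURE_SENDER_NAME in sender:
        reasons.append("sender name matches reported lure")
    if any(keyword in subject for keyword in LURE_SUBJECT_KEYWORDS):
        reasons.append("subject matches reported lure")

    # iter_attachments() yields nothing for a single-part message.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {name}")

    return ("quarantine" if reasons else "deliver"), reasons


def triage_mailbox(messages):
    """Run the rule over a list of raw messages; returns one tuple per message."""
    return [triage_message(raw) for raw in messages]


if __name__ == "__main__":
    for index, (verdict, reasons) in enumerate(triage_mailbox(build_sample_mailbox())):
        print(f"message {index}: {verdict} {reasons}")
```

The campaign-specific checks (sender name, subject wording) are brittle because the operators can change both in the next mailing; the attachment-type check is what carries the rule, which is why the third sample message is quarantined even though it matches none of the reported indicators.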

The DVP blockchain security team believes that, in addition to spam attacks, GandCrab V5.2 may also use "web page Trojan attacks": besides placing Trojans on some illegal websites, attackers may compromise legitimate websites with relatively weak protection and, after gaining control of the site, attack the users who visit it.

"The attacker will irreversibly encrypt the files on the victim's computer. To decrypt them, you can only rely on the attacker to give you a specific decryption key." The SlowMist security team explained that victims can currently only obtain specific keys by paying.

However, sometimes the victim pays the ransom but the attacker never hands over the key to unlock the computer. Because of the anonymity of cryptocurrency, it is difficult for the attacker to tell which victim has paid; if the attacker provides no communication channel at all, it means there was never any intention of unlocking the victim's computer.

03 Unbreakable: the most powerful ransomware virus on earth?

"Currently, there is no way to crack it directly. Once the attack is successful, if there is important information in the computer, you can only pay the money and get the private key to crack it." Many security teams, including SlowMist and DVP, said that the virus is currently uncrackable.

However, companies claiming to be able to crack GandCrab V5.2 have appeared on some forums, on the condition that payment is made first and the cracking is done afterwards. "They are basically all scammers, some shell companies, and they have no ability at all," an anonymous blockchain security company said. "Tencent, 360 and other companies can't crack it, how can they crack it?"

"Some teams or individuals claim that they can crack GandCrab V5.2, but in fact, they are cracking it by 'agents'." The SlowMist Security Team explained, "They take your money and help you pay the cryptocurrency to the blackmailer to get the decryption key (crack)."

The attackers are coming in force, and the Trojan cannot be cracked in a short time, so the only option is to defend well. The Yiling District Government of Yichang City has also given some countermeasures, including:

1. Do not open email attachments from unknown sources;
2. Install mainstream anti-virus software in a timely manner, update the virus database, and conduct a comprehensive scan of related systems;
3. Disable the automatic run function of USB flash drives in Windows;
4. Update operating system security patches in a timely manner, and update Web, database and other service programs to prevent the virus from spreading by exploiting vulnerabilities;
5. Disconnect any infected host or server from the network to prevent the virus from spreading.

The "powerful" virus also made the team "famous" in the security circle.

The GandCrab ransomware was born in January 2018 and became a "rising star" in the following months. One of the labels of the team is its strong "technical strength".

On February 19 this year, experts from Bitdefender Security Lab released an "antidote" for all versions of the virus up to GandCrab V5.1, based on keys provided by GandCrab itself (the reason is explained later).

However, the villains always seem to stay one step ahead. According to ZDNet, on February 18 this year, just one day before Bitdefender released the latest version of its decryptor, GandCrab released V5.2, which has not been cracked so far.

Currently, the team behind GandCrab uses the "ransomware as a service" model to sell the V5.2 version of the virus to other hackers. That is, the GandCrab team provides the virus, and the hackers select targets around the world to attack and extort. After a successful attack, the GandCrab team takes 30%-40% of the profit.

According to data released by the GandCrab team in December 2018, the total cryptocurrency earned by the virus team was approximately US$2.85 million.

04 A team of chivalrous thieves who "even have their own code of conduct"?

The team behind this virus also carries the tag "chivalrous thief". This tag comes from the "Syrian key" incident in 2018.

On October 16, 2018, a Syrian father named Jameel posted a message on Twitter asking for help. Jameel said that his computer was infected with GandCrab V5.0.3 and encrypted. As he was unable to pay the "ransom" of up to $600, he could no longer see the photos of his young son who died in the war.

After seeing this, the creator of the GandCrab ransomware immediately issued an apology, saying that it had no intention of infecting Syrian users, and released decryption keys for some of the infected Syrians.

GandCrab also updated to V5.0.5 and added Syria and other war-torn areas to a "whitelist" of regions it will not infect. In addition, if GandCrab detects that the computer's system language is Russian, it stops the intrusion. Security experts therefore suspect that the author of the virus is Russian.

For a while, many people developed a favorable impression of GandCrab and called it "the chivalrous thief".

"GandCrab is somewhat like the chivalrous thief in martial arts novels, and thieves also have their own code of conduct," said an anonymous security practitioner. "But even so, it cannot be said that GandCrab's behavior is justified. After all, it has no mercy on people from other countries."

According to statistics from the Tencent Security Team, most of GandCrab's victims are concentrated in Brazil, the United States, India, Indonesia, Pakistan and similar countries. In addition, the languages used by GandCrab V5.2 are mainly Chinese, English and Korean, indicating that China has become an important target.

"If a hacker has no feelings for the people in a certain region, then he will not consider the feelings of the people in that region when doing evil." The SlowMist security team explained, "In the eyes of hackers, China's cyberspace is full of money, so it is not surprising that they would target China."

How do you view and evaluate this ransomware virus that "thieves have their own code of conduct" but shows no mercy to other countries?
