The author of the GandCrab ransomware is a little bit bitter at South Korean security vendor AhnLab after the security firm released a vaccine for the GandCrab ransomware.
This bitterness boiled over earlier this week when the GandCrab author contacted Bleeping Computer with the news that the upcoming version of the GandCrab ransomware would contain an alleged zero-day for the AhnLab v3 Lite antivirus.
Retaliation for GandCrab vaccine app
The GandCrab author, who used the pseudonym of “Crabs” in conversations with this reporter, claimed this was payback for AhnLab releasing a vaccine app for the GandCrab ransomware v4.1.2, on July 19.
The vaccine app worked by creating a marker file on users’ computers. GandCrab v4.1.2 checked for that file before encrypting; when it found one, it concluded the machine was already infected and did not encrypt anything, so pre-creating the file was enough to keep that version harmless.
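The following is an added example that simulates the marker-file mechanism described above; it is not AhnLab’s vaccine and not GandCrab’s code. The marker names, their location and the three-file sample input are assumptions made for illustration, and nothing is encrypted: the “ransomware” only reports which files it would have touched. The third scenario shows why a vaccine keyed to one version’s marker stops working the moment a new build looks for a different file.

```python
"""Simulation of an infection-marker "vaccine" (added example, not AhnLab or GandCrab code)."""
import os
import tempfile

# Hypothetical marker names; assumptions for this example, not the real file names used
# by GandCrab v4.1.2 or by the AhnLab vaccine app.
V412_MARKER = "gandcrab_v412_example.lock"
V42_MARKER = "gandcrab_v42_example.lock"


def marker_path(base_dir, marker_name):
    return os.path.join(base_dir, marker_name)


def already_infected(base_dir, marker_name):
    """Ransomware-side check: if its marker exists, it assumes this host was already hit."""
    return os.path.exists(marker_path(base_dir, marker_name))


def simulated_ransomware(base_dir, victim_files, marker_name):
    """Models the control flow only: returns the files it *would* encrypt.

    The only side effect is dropping the marker so that a second run skips the host.
    """
    if already_infected(base_dir, marker_name):
        return []
    with open(marker_path(base_dir, marker_name), "w", encoding="ascii") as fh:
        fh.write("infected\n")
    return list(victim_files)


def vaccinate(base_dir, marker_name):
    """Vaccine: pre-create the marker the ransomware looks for. Returns True if it created it."""
    path = marker_path(base_dir, marker_name)
    if os.path.exists(path):
        return False
    with open(path, "w", encoding="ascii") as fh:
        fh.write("vaccine\n")
    return True


def run_scenarios():
    """Runs three scenarios over a constructed sample file list.

    Returns how many files each run would have encrypted.
    """
    victim_files = ["report.docx", "budget.xlsx", "photo.jpg"]  # constructed sample input
    results = {}

    # 1. No vaccine: every file is hit.
    with tempfile.TemporaryDirectory() as base:
        results["unprotected"] = len(simulated_ransomware(base, victim_files, V412_MARKER))

    # 2. Vaccine present and the ransomware still looks for the same marker: nothing is hit.
    with tempfile.TemporaryDirectory() as base:
        vaccinate(base, V412_MARKER)
        results["vaccinated_same_version"] = len(
            simulated_ransomware(base, victim_files, V412_MARKER)
        )

    # 3. Same vaccine, but a new build checks a different marker name: the vaccine is useless.
    with tempfile.TemporaryDirectory() as base:
        vaccinate(base, V412_MARKER)
        results["vaccinated_new_version"] = len(
            simulated_ransomware(base, victim_files, V42_MARKER)
        )
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The check the ransomware performs is a single file-existence test, which is exactly why a vaccine built on it is cheap to ship and equally cheap to defeat: changing one string in the next build is all it takes.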
“Their killswitch has become useless in only a few hours,” Crabs told Bleeping Computer in a Jabber IM conversation and via email, referring to the fact that he created and released a new ransomware version within hours after AhnLab released the vaccine (killswitch) app.
“My exploit will be a reputation hole for AhnLab for years,” Crabs stated, while also sharing a link to a file storage service that hosted the alleged exploit.
After receiving the alleged exploit, Bleeping Computer shared the exploit with the AhnLab team.
New GandCrab versions 4.2.1 and 4.3 include AhnLab exploit
We initially did not plan on releasing this article until AhnLab had patched their software, but things changed yesterday when Malwarebytes security researcher Marcelo Rivero, and then others, spotted GandCrab v4.2.1 and GandCrab v4.3.
(Embedded tweet from Marcelo Rivero, @MarceloRivero, August 1, 2018)
According to Rivero, these two new GandCrab versions contained the alleged exploit code targeting AhnLab antivirus versions, along with comments in the ransomware code addressed to the vendor.
“hey ahnlab, score – 1:1,” one of the comments read, claiming to have returned the favor for releasing the vaccine app.
Exploit works… but doesn’t
But things didn’t go as Crabs had hoped, according to several security researchers who shared their analysis about the alleged exploit.
All of them identified the issue as a denial-of-service (DoS) bug: the code can crash one of the components of AhnLab’s antivirus and, in some cases, crash the OS itself with a BSOD (Blue Screen of Death). A crash that gives the attacker no control over execution is a DoS, not the code-execution zero-day that Crabs had advertised.
But the AhnLab team didn’t appear to be worried.
“The attack code is inserted in GandCrab 4.21 and 4.3 version, and it is executed after infecting normal files,” AhnLab Director Changkyu Han told Bleeping Computer via email today.
“Our product is detecting the GandCrab ransomware before reaching the BSOD attack code,” Han said. “So, the BSOD attack code has very low chances on being executed.”
“Strictly speaking, that code is not an exploit or zero-day code; it’s only denial-of-service code,” he added. “It causes a BSOD in our product, but we analyzed it and it’s not easy to execute any extra payload with the attack code.”
Worry about the ransomware first!
The AhnLab exec said his company plans to patch their product in several weeks.
“Actually, it’s not difficult to patch just for the attack code released by the GandCrab author,” the AhnLab Director said. “But considering the attack, we decided to take a little more time to block the fundamental issue behind these kinds of attacks.”
The AhnLab exec hopes users won’t fixate on the ransomware crashing their antivirus or their OS, and he has a point: worrying about the crash is putting the cart before the horse.
By the time the attack code crashes the AhnLab antivirus, the user’s files are already encrypted. The crash is a side effect of an infection that has already succeeded, so users should focus on preventing the ransomware infection in the first place.
“We hope that our customers pay more attention to security patches, and we think that is the best way to prevent damage by ransomware,” Han said.
Respect for Bitdefender
Earlier this year, Bitdefender also released a decryptor for some GandCrab ransomware versions, while Romanian police arrested suspects for their role in distributing the ransomware via spam.
But the GandCrab author never took any retaliatory action against Bitdefender.
In regards to this, Crabs said only “good work,” admitting that the Romanian antivirus firm had gained access to one of the GandCrab C&C servers, from where it took the encryption/decryption keys, fair and square.