Good riddance, GandCrab! We’re still fixing the mess you left behind.


This family of ransomware, likely operated out of the former Soviet space, grabbed more than 50 percent of the ransomware market share by August 2018. Access to GandCrab ransomware was sold on underground markets to affiliates, who were responsible for infecting victims and extorting money from them. In exchange, the affiliates gave 40% of their profit to the original GandCrab developers. This fostered a diverse distribution system. Some affiliates would spam out their payloads, while others would infect victims through, for instance, exploit kits or remote access to enterprise computers.

At Bitdefender, we’ve carefully counted these blips and spared no effort in bringing relief to the unlucky ones who crossed paths with the GandCrab team. In collaboration with partner law enforcement agencies including Europol, the Romanian Police, DIICOT, the FBI, the NCA and the Metropolitan Police, as well as police offices in France and Bulgaria, we have managed to offer several decryptors to help GandCrab victims get their data back for free.

These tools have delivered more than 30,000 successful decryptions and have saved victims roughly US$50 million in unpaid ransom. Most importantly, they helped us weaken the ransomware operators by cutting off their monetization mechanisms and establishing a positive mindset among new victims, who would rather wait for a new decryptor than give in to hackers’ ransom demands.

In more than a year of operation, we estimate GandCrab has claimed more than 1.5 million victims around the world, both home users and corporations. GandCrab operators and affiliates boldly claimed on private underground forums recently that the team behind the malware has extorted more than $2 billion from victims.

While the number is clearly exaggerated, the GandCrab operation was prolific enough to score enough revenue to allow its masters to retire. According to the same claim, the GandCrab team has stopped affiliates from accessing new versions of the malware and has urged them to prepare for an imminent shutdown. The shutdown will be followed by deletion of all keys, leaving the victims unable to retrieve the ransomed data even if they do pay ransom.

Facts and figures about GandCrab

From its inception in January of 2018, GandCrab quickly became hackers’ go-to tool for affiliate-based ransomware. Likely based in the former Soviet space, its operators and affiliates target victims all around the world, with the exception of Russian-speaking countries and several others where market economics make it impossible for victims to pay up (such as Syria). In less than a year, GandCrab became the world’s widest-spread ransomware, accounting for half of all ransomware infections.

A key advantage of GandCrab over other ransomware families is its ransomware-as-a-service licensing model, where distributors purchase and spread the malware and split the decryption fees with the original developer. Affiliates keep 60%, while the rest goes to the developers. This segregation of duties allows the developers to improve the code and add new features (such as antivirus circumvention techniques) and lets the distributors focus on delivery and exploitation of victims.

The GandCrab business also brings new features, such as a chat service for victims to contact the affiliates to negotiate discounts, extend the payment deadline or ask for help exchanging fiat money into digital currency.

In addition to bridging communications with the victim, the chat also has a “secret” area that gives shady data recovery companies a discount on behalf of victims, so they can mask a ransom payment as a “data recovery fee” for their customers.

Not all victims are treated equally: GandCrab prioritizes ransomed information and sets individual pricing by type of victim. An average computer costs between $600 and $2,000 to decrypt, and a server decryption costs $10,000 and more. While helping victims with decryption, we’ve seen ransom notes asking for as much as $700,000, which is quite a price for one wrong click.

The three decryptors released in collaboration with partner law enforcement agencies – and particularly the GandCrab decryptor for version 5.1 – compelled GandCrab affiliates to shrink their business to avoid unnecessary costs. For instance, in February 2019, after the release of the decryptor for version 5.1, affiliates kept pushing decryptable versions of the malware for more than a week, allowing fresh victims to decrypt their data for free. As of March 2019, GandCrab’s market share has shrunk back to 30 percent, with almost one in three infections tied to the group.

How to stay safe

Ransomware decryption is a delicate matter, as the malware writers use the same technology that helps people protect their banking transactions, communications and online interactions. Encryption is easy, but decryption without a key is nearly impossible. Every month, Bitdefender sees 12 new strains of ransomware, which means cyber-criminals push out a total of more than 140 new families a year. Out of these, almost 10 percent are decryptable by leveraging loopholes in the attackers’ code or through partnerships with law enforcement organizations.

When dealing with ransomware, prevention is key. Once your system gets encrypted, chances of decryption are thin, despite the industry’s efforts to bring your data back. Here are some tips to help you prevent ransomware attacks and minimize the amount of money that flows to cyber-crime operators:

  1. Run a security solution. If you have a security solution installed, make sure that you are using the full range of technologies to fend off a ransomware attack. Behavioral-based detection, heuristics based on machine learning and ransomware remediation are key technologies to detect and block ransomware attacks. If you don’t have one installed, Bitdefender offers a highly effective security solution for free.
  2. Make frequent backups on offline media. Backups are an extremely effective solution against loss of data if disaster strikes. Get a portable hard-drive and religiously back important data up as you create it. DO NOT keep the drive connected for longer than needed for backup purposes, as most ransomware encrypts information on connected removable drives and network shares.
  3. If all else fails, do not pay the ransom. Ransom payments allow the attackers to thrive, and let them develop more aggressive strains of malware. If your system becomes infected, back the affected data up and immediately notify the Police. While they might not be able to immediately help you out with decryption, they will log the incident and start working with partner private cybersecurity companies on a solution.
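The backup discipline in tip 2 (copy to a drive that is then disconnected, and never let a ransomed tree overwrite a good copy) is easy to get wrong by hand. The following is an added example, not a Bitdefender tool and not part of the original post: it copies a folder to a backup drive, writes a SHA-256 manifest so the copy can be verified later, and refuses to run if the source already contains files carrying the GandCrab extensions this page lists for versions 1, 4 and 2/3 (GDCB, KRAB, CRAB). The drive path, folder names and sample files are assumptions for illustration.

```python
"""Added example (not Bitdefender's code): offline backup with an integrity
manifest and a refusal to back up files that look already ransomed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Extensions the page associates with GandCrab v1, v4 and v2/v3 respectively.
# The random 10-character extension of v5 cannot be matched by name.
RANSOMED_EXTENSIONS = {".gdcb", ".krab", ".crab"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_ransomed(path: Path) -> bool:
    return path.suffix.lower() in RANSOMED_EXTENSIONS


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy src into dst and return {relative_path: sha256}.

    Raises RuntimeError before touching dst if any source file carries a
    known ransomware extension, so a good backup is never overwritten by
    encrypted garbage."""
    src, dst = Path(src), Path(dst)
    files = [p for p in src.rglob("*") if p.is_file()]
    ransomed = [p for p in files if looks_ransomed(p)]
    if ransomed:
        raise RuntimeError(
            f"refusing to back up {len(ransomed)} ransomed file(s), e.g. {ransomed[0]}")
    manifest = {}
    for p in files:
        rel = p.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        manifest[rel.as_posix()] = sha256_file(target)
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(dst: Path) -> list:
    """Return the relative paths whose hash no longer matches the manifest
    (or which are missing). An empty list means the backup is intact."""
    dst = Path(dst)
    manifest = json.loads((dst / "MANIFEST.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dst / rel).is_file() or sha256_file(dst / rel) != digest]


def demo() -> dict:
    """Run the whole round trip on constructed sample files in temp dirs."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "docs", Path(tmp) / "usb_backup"   # assumed paths
        (src / "photos").mkdir(parents=True)
        (src / "thesis.docx").write_bytes(b"constructed sample document")
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 constructed jpeg bytes")
        manifest = backup_tree(src, dst)
        clean = verify_backup(dst)
        (dst / "thesis.docx").write_bytes(b"tampered")      # simulate damage to the copy
        tampered = verify_backup(dst)
        (src / "thesis.docx").rename(src / "thesis.docx.KRAB")  # simulate a ransomed source
        try:
            backup_tree(src, dst)
            refused = False
        except RuntimeError:
            refused = True
    return {"files": sorted(manifest), "clean": clean,
            "tampered": tampered, "refused": refused}


if __name__ == "__main__":
    # Real use: backup_tree(Path.home() / "Documents", Path("/media/backup/docs"))
    # and unmount the drive as soon as verify_backup() returns [].
    print(demo())
```

Run the script against the real folders, then unplug the drive; the manifest lets you confirm weeks later, before restoring, that the copy still hashes the way it did when it was made.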

Ready to take your data back? Download the tool below.




Real-time breach detection and complete visibility

Cloud threat intelligence, machine learning and behavior analytics applied to network traffic to detect advanced attacks early and enable effective threat hunting

Bitdefender Network Traffic Security Analytics is an enterprise security solution that accurately detects breaches and provides insights into advanced attacks by analyzing network traffic. It lets organizations quickly detect and fight sophisticated threats by complementing pre-existing security architecture – network and endpoint – with specialized network-based defense.

It uses AI (Artificial Intelligence) / ML (Machine Learning) and heuristics to analyse network metadata in real time and to accurately reveal threat activity and suspicious traffic patterns. With flexible deployment options, Bitdefender Network Traffic Security Analytics is a plug-and-play, out-of-band solution that focuses on outbound traffic and enables analysis over longer periods of time to detect the most sophisticated malware and APTs with high fidelity.


Read more at


Contact us at for inquiries on how to obtain a copy of this protection.

Cryptojacking: How Hackers Are Mining Cryptocurrencies Without Your Knowledge


Attention! This is important for all those experiencing a system slowdown after browsing for a while! You might be Cryptojacked!

Even if you are not, you should read this article to understand what Cryptojacking is and how you can protect yourself against it.

As the cyberspace is becoming more entangled, new ways of attacking cyber entities are emerging.

Sometimes these are open attacks like exit scams or Bitcoin ransomware attacks, while others are attacks like DDoS, Spectre and Meltdown.

These attacks will only increase with time as everything is going digital and we have to learn and evolve from them.

On similar lines, attacks in the cryptocurrency space will also keep rising and will take a while before we become mature enough to handle them. It is so because this space is new and in its nascent stages.

One such attack, which very few may have heard about, is happening every now and then on our personal computers and laptops. This attack is too quiet for an average Joe to notice. It is called Cryptojacking. Have you heard about it?

If your answer is a resounding no, you should know about it because you might be a victim of this new form of attack which usually happens on personal computers and laptops.

What Is Cryptojacking?

Cryptojacking simply means someone has secretly hijacked your personal device to mine cryptocurrencies that can be mined with CPU power.

It is basically stealing the computing power of devices without seeking prior permission from the owner of the device.

This computing power in the cryptocurrency realm is called ‘hash power’, which is used to make complicated and educated mathematical guesses to solve equations so that one can get the block reward of cryptocurrency mining. Read more about hashes in our detailed guide here.

This form of hijacking happens only when you are browsing the internet and have landed on a website that is cryptojacking noob internet users. And the funny thing is, it doesn’t even require the user being attacked to download or click on anything. Instead, it only requires the user to browse the malicious website.

Here is research from Malwarebytes on Cryptojacking, and in the image below you can see how the popular torrent website “PirateBay” is hacking innocent users to mine Monero (XMR) without their knowledge:

Unless the users are smart and protected, they will never know that they are being cryptojacked.

Bitdefender & Law Enforcement Solve for Multiple Versions of GandCrab with New Decryptor


The wait is over. For victims of GandCrab versions 1, 4 or 5, there is a new decryption tool available from Bitdefender Labs to help you get your life and your data back – for free. Download link and updated information below.

GandCrab is on the move. According to a recent article on ZDNet, following the release of GandCrab v5, businesses are getting increasingly targeted by this ransomware via delivery by botnet and a malware worm. In September, CSO reported on a school system in Florida hit by it. And then there are the legions of individuals already impacted. It’s a plague that needs eradicating.

Earlier this year in February, Bitdefender released the world’s first decryption tool to help GandCrab ransomware victims get their data back for free. But since then, victims of subsequent versions of GandCrab and its ‘ransomware-as-a-service’ affiliate approach have been reaching out to us for help.

In the spirit of our Draco, we at Bitdefender Labs have spared no effort to find a solution to save the infected, in spite of the challenges we’ve faced.

Now the wait is over. Bitdefender to the rescue! We’re proud to announce and release the Bitdefender ransomware decryption tool for GandCrab versions 1, 4 and 5.

Yes, it’s real. It’s free. And it is not a ‘vaccination’ tool.

Developed in close partnership with Europol and the Romanian Police, and with support from the FBI and other law enforcement agencies, the new tool allows GandCrab victims around the world to retrieve their encrypted information without collectively paying tens of millions of dollars in ransom to hackers.

So, if you were infected by version 1 (GDCB extension), 4 (KRAB extension) or the new 5 (random 10-character extension) of GandCrab, the fix is simple: Download the tool. Run it on your infected computer. Get access to your data back immediately.

However, if you are infected by versions 2 or 3 of the ransomware (CRAB file extension), then we kindly ask you to hang on and not pay the ransom! We’re still on it. Follow us if you haven’t already to keep posted.

The ABC of Cybersecurity – Android Threats: R is for Ransomware


Ransomware is a type of malware that restricts access to files then demands ransom to unlock access to them. While it has been a plague for PCs during the past couple of years, cybercriminals have ported the threat to Google’s mobile OS as well because of increased adoption of the Android mobile operating system.

Android ransomware alone has been estimated to have increased by almost 300% in Q1 2017, compared to 2016, indicating it’s becoming sufficiently mature to be actively used by cybercriminals to infect victims.

How Does Android Ransomware Work?

Because of the limited access an application has within the Android operating system, most ransomware is limited to simply displaying a difficult-to-remove nag screen that constantly reminds the victim to pay an amount ranging from a couple of dollars to a few hundred to restore access to the device. While traditional PC-based malware can actually encrypt data on the device, Android ransomware mostly restricts access to the device’s functions.

Because this ransomware variant could be removed with a relatively simple factory reset, cybercriminals have incorporated more advanced persistence mechanisms as well as the ability to actually encrypt data on removable SD cards. Pictures, documents and any other type of file stored on the removable memory card become unreadable unless victims agree to give in to the ransom note.

Some Android ransomware variants can even gain administrative privileges to the device and, although they don’t encrypt the stored data, they can change the device’s PIN code. Without paying the ransom, victims would practically be locked out of their devices indefinitely.

Some Bitdefender studies have actually concluded that 50 percent of ransomware victims would be willing to pay up to a couple of hundreds of dollars to regain access to their data, which is why cybercriminals are constantly trying to come up with new methods of making the threat difficult to remove.

Distribution and How to Stay Safe

Like most Android malware, ransomware is usually bundled with applications that at first glance seem legitimate. Mostly disseminated via third-party marketplaces within applications promising full features to otherwise paid apps, Android ransomware is – ironically – easy to spot, as you’ll receive a ransom note on screen.

Avoid shady apps and ads that make it seem imperative that you install a particular application, as they’re usually either ransomware or other types of malware.

The best way of securing your Android device against ransomware and other threats remains the use of a mobile security solution that can scan apps, regardless of where they’ve been downloaded from, and determine whether they’re malicious.

How to Keep Your Passwords Private


Ever wondered what types of online threats you can run into simply by browsing the web? How a seemingly legitimate website could affect your privacy or your data? Bitdefender 2019 Network Threat Prevention technology protects you against all that.

Passwords are usually the first line of defense against threat actors trying to grab photos, documents, and all the private information and data that’s supposed to be safely locked away from prying eyes.

Hackers are interested in passwords and authentication credentials, as they provide a means for accessing information without triggering alarms usually generated by the use of vulnerabilities, or malware. This allows them to freely impersonate the victim and log into their accounts. Consequently, choosing a strong password that’s unique to each account is mandatory.

However, the authentication process requires that, whenever you log into your account, the password you send is not intercepted by hackers. This means that both the communication channel – the connection between you and the website you’re trying to log into – and the password itself need to be encrypted when sent across the internet. Otherwise, it’s like shouting out your password to a friend across a crowded room. Pretty much everyone can hear it, defeating attempts to keep your privacy private.

Bitdefender keeps users’ privacy private by letting them know whenever their passwords are about to be sent in a manner that can be overheard by everyone. If you use a Bitdefender product and ever read the message “Privacy Threat Blocked”, avoid logging in or sending any passwords, as someone may be able to intercept them.

The new Bitdefender 2019 has introduced a new technology, dubbed Network Threat Prevention, specifically designed to help you steer away from online threats, and keep your passwords private. This new technology can also prevent vulnerabilities in your system from being exploited, and it can detect and block brute-force attempts aimed at guessing your passwords, prevent your device from being compromised in botnet attacks, and prevent sensitive information from being sent in an unencrypted format.

But for now, let’s focus on how Bitdefender 2019 Network Threat Prevention can help you keep your passwords private.

The Internet 1 on 1

The foundation for all communication across the internet is known as HTTP (Hypertext Transfer Protocol). It acts as a request-response protocol between a client (browser) and a server (website). Think of it as a universal language that everyone uses to exchange information.

However, because everyone can understand HTTP, it raises security and privacy issues, especially when broadcasting sensitive information, such as passwords. Because attackers can sometimes “eavesdrop” on your conversations and they understand what you’re saying, passwords need to be sent across in a way that’s difficult for bad guys to read.

As everyone knows, the address of a website usually looks something like “”. What modern browsers don’t show anymore, though, is the full address of the website, which looks like “”. This means that communication between the browser and the website is handled using a “common language” that everyone can understand.


However, because attackers can also “understand” HTTP, security experts have figured out a way to make the conversation between the browser and each visited website, private. Dubbed HTTPS (Hypertext Transfer Protocol Secure), its purpose is to protect the communication between the browser and the website from being “understood” by anyone eavesdropping.

If HTTP is an alphabet that everyone uses when sharing written information, HTTPS is like a different language that uses the same alphabet. Just because you understand each letter, doesn’t necessarily mean that you understand the word or the entire sentence.

The main advantage is that, whenever you’re visiting websites that use HTTPS instead of HTTP, everything you’re “saying” to them looks like complete gibberish to someone listening in. Just like speaking a different language.

“This page was blocked for your protection”

Bitdefender has the ability to identify whenever you’re about to send passwords or credentials to a website in a manner that can be overheard by everyone. This is why you’ll sometimes see a message that reads “An attempt to send your password unencrypted, in plain text, was prevented on this page.” whenever you’re visiting a website that doesn’t use HTTPS when requesting your passwords.

Websites that don’t have HTTPS enabled – HTTPS is usually represented by that little green lock at the beginning of the website’s name – are not necessarily bad or a danger to your privacy. But it’s worth noting that even websites that do have HTTPS can be fraudulent.

For instance, to add credibility to a phishing website that impersonates a popular bank or online retailer, attackers use HTTPS to throw people off. It’s pretty much like bad guys dressing up as cops, then committing a crime. This is why Bitdefender has an Encrypted Web Scan module designed to steer users away from accessing apparently safe but potentially hijacked or malicious websites.

So next time you log onto a website and input your password, make sure it’s sent across encrypted so that no one can intercept it.
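The check described above (is a password about to leave the machine over plain HTTP?) can be written down concretely. The block below is an added example and not Bitdefender’s Network Threat Prevention code: it parses a raw HTTP/1.1 request, looks for password-like fields in the query string and in a form-encoded body, and returns a verdict that depends on whether the connection was TLS. The field names, host name and sample requests are constructed for the example. It goes one step beyond the text by also warning when a password travels in the query string even over HTTPS, because query strings end up in browser history and server logs.

```python
"""Added example (not Bitdefender's code): flag credentials sent over plain HTTP."""
from urllib.parse import parse_qs, urlsplit

# Field names commonly used for secrets in login forms (an assumption).
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "passphrase"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def password_fields(method, target, headers, body):
    """Return (names in the query string, names in a form body) that look like passwords."""
    in_query = sorted(n for n in parse_qs(urlsplit(target).query, keep_blank_values=True)
                      if n.lower() in PASSWORD_FIELDS)
    in_body = []
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "POST" and media_type == "application/x-www-form-urlencoded":
        in_body = sorted(n for n in parse_qs(body, keep_blank_values=True)
                         if n.lower() in PASSWORD_FIELDS)
    return in_query, in_body


def assess(raw: str, tls: bool) -> dict:
    """Decide whether the request should be blocked, warned about, or allowed.

    tls=True means the request travels inside a TLS (HTTPS) connection."""
    method, target, headers, body = parse_request(raw)
    in_query, in_body = password_fields(method, target, headers, body)
    if (in_query or in_body) and not tls:
        verdict = "block"   # the password would cross the wire readable by anyone
    elif in_query:
        verdict = "warn"    # encrypted in transit, but logged in history and server logs
    else:
        verdict = "ok"
    return {"host": headers.get("host", ""), "verdict": verdict,
            "query_fields": in_query, "body_fields": in_body}


# Constructed sample requests (example.test is a reserved, non-routable name).
LOGIN_POST = ("POST /login HTTP/1.1\r\nHost: example.test\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
              "user=alice&password=hunter2")
LOGIN_GET = "GET /api?user=bob&pwd=letmein HTTP/1.1\r\nHost: example.test\r\n\r\n"
PLAIN_GET = "GET /news HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, raw, tls in [("form over HTTP", LOGIN_POST, False),
                           ("form over HTTPS", LOGIN_POST, True),
                           ("query over HTTPS", LOGIN_GET, True),
                           ("no credentials", PLAIN_GET, False)]:
        print(f"{name:18} -> {assess(raw, tls)['verdict']}")
```

A product doing this on the endpoint sees the TLS state from the socket it is inspecting; here it is passed in as a flag so the logic can be exercised on captured request text.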

For all those other cases when you’re online, Bitdefender 2019 Network Threat Prevention can do much more than just keep your passwords private. Stay tuned for more articles on how the new Network Threat Prevention technology can protect you from online threats that endanger your privacy and security.

source: Powered by BitDefender

Chrome Bug Allowed Hackers to Find Out Everything Facebook Knows About You


With the release of Chrome 68, Google prominently marks all non-HTTPS websites as ‘Not Secure’ on its browser to make the web a more secure place for Internet users.

If you haven’t yet, there is another significant reason to immediately switch to the latest version of the Chrome web browser.

Ron Masas, a security researcher from Imperva, has discovered a vulnerability in web browsers that could allow attackers to find out everything other web platforms, like Facebook and Google, know about you—and all they need to do is trick you into visiting a website.

The vulnerability, identified as CVE-2018-6177, takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by “Blink Engine,” including Google Chrome.

To illustrate the attack scenario, the researcher took an example of Facebook, a popular social media platform that collects in-depth profiling information on its users, including their age, gender, where you have been (location data) and interests, i.e., what you like and what you don’t.

You may be aware that Facebook offers a post-targeting feature to page administrators, allowing them to define a targeted or restricted audience for specific posts based on their age, location, gender and interests.

To demonstrate the vulnerability, the researcher created multiple Facebook posts with different combinations of the restricted audiences to categorize victims according to their age, location, interest or gender.

Now, if a website embeds all these Facebook posts on a web page, it will load and display only a few specific posts at the visitors’ end based on individuals’ profile data on Facebook that matches restricted audience settings.

For example, if a post—defined to be visible only to the Facebook users with age 26, male, having interest in hacking or Information Security—was loaded successfully, an attacker can potentially learn personal information on visitors, regardless of their privacy settings.

Though the idea sounds exciting and quite simple, there are no direct ways available for site administrators to determine whether an embedded post was loaded successfully for a specific visitor or not.

Though this method doesn’t display Facebook posts as intended, it does allow the attacker-controlled website to measure (using JavaScript) the size of cross-origin resources and number of requests to find out which specific posts were successfully fetched from Facebook for an individual visitor.

“With several scripts running at once — each testing a different and unique restriction — the bad actor can relatively quickly mine a good amount of private data about the user,” Masas said.

“I found that by engineering sites to return a different response size depending on the currently logged user properties it is possible to use this method to extract valuable information.”

A member of the Google security team also pointed out that the vulnerability could work against websites using APIs to fetch user-session-specific information.

The core of this vulnerability has some similarities with another browser bug, patched in June this year, which exploited a weakness in how web browsers handle cross-origin requests to video and audio files, allowing attackers to read the content of your Gmail or private Facebook messages.

The Imperva researcher reported the vulnerability to Google with a proof-of-concept exploit, and the Chrome team patched the issue in the Chrome 68 release.

So, Chrome users are strongly recommended to update their browser to the latest version, if they haven’t yet.

The ABC of Cybersecurity: T is for Trojan


Say you used to know a Jane some years ago. If you’ve just received an email from her without having kept in touch for years, consider it suspicious and definitely don’t open the attachment. Jane could be a hacker just waiting to hack into your system through a Trojan.

The Trojan horse was a sly trick the Greeks used to infiltrate their troops in Troy to ultimately conquer the city. If you apply the analogy, the Trojan is a malicious program a hacker will use to break into a computer. Just as the original Trojan horse deceived the people of Troy, so does the computer Trojan deceive the user by posing as legitimate software.

A closer look into how a Trojan works

A Trojan is a specific breed of malware that impersonates an application, utility or software product in order to deceive the user into running it. For instance, a Trojan operator would attempt to trick a user trying to watch video content (usually downloaded via P2P networks) into installing a “special codec” that ultimately proves to be a backdoor or a piece of ransomware.

Trojans account for the bulk of currently existing malware and, unlike viruses or worms, they can neither infect files, nor propagate across a network without user intervention. These malicious applications are highly specialized: they can provide remote access to a computer, can be used to launch denial-of-service attacks, download other Trojans for other cyber-criminals or send spam e-mails from the infected computers.

As of late 2014, a new family of Trojans made headlines in the media: ransomware. Ransomware is a species of malware specialized in encrypting user data and asking for ransom in exchange of the decryption key.

How to identify and wipe out a Trojan

Because the concept behind a Trojan is to trick users in an undetectable manner, they’re not always easy to catch, and Trojan infections are on the rise. It’s better to be skeptical and double-check that you know what you are downloading or clicking on, so you don’t risk downloading a counterfeit program. Stay informed and pay close attention to the language used in emails or on the websites you visit, especially if they ask you to download software.

If you still have doubts about detecting Trojans by yourself, the best protection to keep your system clean is to install a software security solution that protects all your devices. However, do your part as well and refrain from visiting suspicious sites, following unknown links or downloading bootleg games, music or movies from questionable sources.



Chinese shipping firm infected by ransomware


The ransomware meant Cosco staff could not send email messages

Chinese shipping firm Cosco has been caught out by Windows ransomware.

The infection has knocked out some electronic communications at several of its North American locations.

In a statement, it said a “local network breakdown” had hit its American region. It said it had isolated the offices as it investigated.

China Ocean Shipping is China’s largest carrier of containerised goods and the fourth largest of these maritime operators in the world.

‘Operating normally’

Cosco’s US website plus email and many phone lines were all reportedly rendered inoperable by the outbreak.

Instead of using its own communications system, the infection forced Cosco staff to use Twitter and free Yahoo email addresses to handle queries.

It is not clear which variant of Windows malware has hit the company. It told local media in Long Beach that problems at the company, including in its customer service centre, had been caused by the ransomware.

On its Facebook page, Cosco gave few details of the infection.

It added: “So far, all vessels of our company are operating normally, and our main business operation systems are stable.”

It said that despite the problems it was still doing business in America and expected to make a “full and quick recovery”.

Last year, shipping giant Maersk suffered a series of problems when it was infected by the WannaCry ransomware. Cleaning up required the firm to shut its facilities at the Port of Los Angeles for three days.


Check with us now on how to obtain a copy of Bitdefender GravityZone Business Security, which includes protection against ransomware. Call us now at +603-27204116 or email us at