GandCrab ransomware author retaliates after security experts release a vaccine

• The cybercriminal claimed the new version of GandCrab would come with a zero-day exploit.
• The vaccine app was designed to trick the ransomware into thinking that the targeted system was already infected by it.

The cybercriminal who developed the GandCrab ransomware is reportedly unhappy that security experts South Korean cybersecurity firm AhnLab created a vaccine app for the ransomware. The malware developer has reportedly threatened that the new version of GandCrab will contain a zero-day exploit.

The GandCrab ransomware author, who goes by the pseudonym “Crabs”, reportedly said that the zero-day feature was added in retaliation to AhnLabs releasing its GandCrab vaccine app on July 19. The vaccine app is designed to trick the ransomware into thinking that the targeted system has already been infected by it.

"Their kill switch has become useless in only few hours," Crabs told Bleeping Computer. "My exploit will be an reputation hole for ahnlab for years.”

New GandCrab version - no zero-days

The cybercriminal boasted that he developed and released a new version of GandCrab just hours after AhnLab released its vaccine (killswitch) app.

Several researchers observed two newly released versions of GandCrab - 4.2.1 and 4.3 - targeting AhnLab’s vaccine in the wild. Although the new versions did contain an exploit, researchers identified it as a denial of service (DoS) bug and not a zero-day.

The DoS bug, however, can reportedly crash one of the vaccine’s components and is even capable of crashing the operating system (OS) with a black screen of death (BSOD).

However, AhnLab researchers claim that DoS bug is not an issue.

"The attack code is inserted in GandCrab 4.21 and 4.3 version, and it is executed after infecting normal files," AhnLab Director Changkyu Han told Bleeping Computer. "Our product is detecting the GandCrab ransomware before reaching the BSOD attack code. So, the BSOD attack code has very low chances on being executed."

"Strictly speaking, that code is not an exploit or zero-day code. It’s only a denial of service code," Han added. "It causes BSOD to our product, but we analyze it and it’s not easy to execute any extra payload by attack code."