GandCrab and Cerber Viruses - Made by The Same Devs?

GandCrab and Cerber Viruses – Made by The Same Devs?

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

The massive wave of GandCrab ransomware has sprung in series of versions that feature minor improvements. The virus cannot be stoped and it is become more and more widespread. But recent similarities with the versions of the virus raise one significant question we are yet to understand – are these two virus families made by the same people?

GandCrab ransomware has recently evolved into a new GandCrab v5.0 version, which has started to re-evolve in sub-versions (GandCrab 5.0.1, GandCrab 5.0.2…) and this has led us to examine the logical (not technical) similarities between the two viruses only to start seeing some pretty alarming stuff. Keep reading to see the scary similarities between the two virus entities.

The Similarities Between GandCrab and Cerber Ransomware

Don’t you believe that it is a pure coincidence that Cerber ransomware being a large ransomware virus that is non-decryptable suddenly came to an end and several months later GandCrab emerged? Well, you might consider this to be something normal as it would be with any other ransomware virus coming and going, but we have noticed several similarities between the viruses that illustrate somewhat of the same pattern or signature between the two. Here are some of the most interesting details we have noticed.

Similarity #1: The 1st Variants Were both Decrypted by Researchers + Their Extensions Were Similar

GandCrab and Cerber ransomware have both came out in a version that was initially decryptable. Let us start with Cerber ransomware, whose first variant came out with the .cerber file extension. This very variant was later deemed decryptable by Trend Micro researchers and we have even made instructions for victims to recover their files:

Related: Decrypt Files Encrypted by Cerber Ransomware

To compare this, GandCrab’s first version also came out in a variant using a fixed file suffix – .GDCB. The virus was also later deemed decryptable, this time by BitDefender researchers:

Related: GandCrab Ransomware Removal – Restore .GDCB Files

After this has happened, BOTH viruses immediately came out in a new version that uses a new extension, which for Cerber ransomware was .cerber2, then .cerber3, after which capital letters .CERBER and then random file extensions. To compare that with GandCrab, the virus’s new versions were respectively .crab, then .CRAB and then .KRAB. After these three versions for each, both ransomware viruses have started to appear with completely random file extensions and both were completely undecryptable since their firs decryptable versions came to an end. Something that we believe is a coincidence that is to close to not being such.

Similarity #2: The Wallpapers

Probably the most evident similarity between the two viruses is the styles in which their wallpapers are designed, which is extremely similar as you see in the image below:

As visible both wallpapers have extremely similar ransom notes and their wallpapers are in a text with a black background on a white noise overlay for Cerber and also a noise overlay for GandCrab ransomware.

Similarity #3: Well-Made Tor Web Pages

Another interesting part of the ransowmare viruses development is the well-made Tor web pages, which they ask victims to visit. When we take a look at those pages, it becomes very evidend that they both offer some type of “customer” support and also multi-language support:

GandCrab’s TOR web page:

Cerber’s TOR web page:

Similarity #4: The Newer Versions and File Extension

So here we are to present times. GandCrab is now in version 5.0.2 and uses a random file extension with 10 letters. Need I remind you that the Cerber ransomware in one of it’s intermediary versions also switched to a completely random file extension? Here is a comparison between both:

GandCrab 5.0.2 File Extension:

Red Cerber File Extension (Latest 2017 version):

To Sum It Up…

The versions which we have detected between the two viruses so far are the following:

Cerber Ransowmare’s Variants:
.cerber (decryptable)
Red Cerber
GandCrab’s Versions So Far
.gdcb (Decryptable).
.CRAB (v2)
.CRAB (v2.1)
.CRAB (v3)
.KRAB (v4)
.krab (v4.1)

We will leave it up to you, the informed reader to figure out the rest, but as far as we are concerned there clearly are patterns worth investingating, since the viruses may have nothing to do with each other, but they do share some very eyebrow-raising details.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share