Test subject – GandCrab v3 ransomware
We already covered the first version of GandCrab, but since then, two new versions were released. The developers promised to come back after their first command & control servers were seized, and they also managed to add new features to their malicious creation.
Some things didn’t change though, the ransomware still makes use of exploit kits and email campaigns to attack as many people as possible. Their new C2 servers are hosted under some other .bit domains, and the malware attacks the same file extensions.
GandCrab v3 ransomware test facts
The most significant change consists of a new feature that changes the Desktop background, which the malware dynamically builds, personalizing it with the username. It’s not the prettiest, being a low-resolution image, but impacts the user. There’s also a new ransom note. The RunOnce key, which is a new addition in v2, effectively makes sure no files are missed, as GandCrab will start after the forced restart.
Once executed, the files are very quickly encrypted. The background is changed and the ransom note is dropped at the very end, trying to hide its activity from the user, not to raise any immediate suspicions. When encryption is done, the malware restarts the computer and opens a few browser windows as well as the new ransom note. These will supposedly help the user recover the lost files, containing payment instructions and necessary software. Encrypted files can easily be recognized by their new extension, which “.crab”.
We do not know of any free tools able to decrypt the attacked files and paying the ransom is never encouraged.
GandCrab v3 ransomware test results
TEMASOFT Ranstop detects GandCrab v3 ransomware easily once it starts encrypting files. Upon detection, the user is alerted, and the ransomware process is blocked and quarantined. The affected files are automatically restored so that the user doesn’t lose her documents.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.