25 Sep 2018

GandCrab v5, an improved variant of the notorious GandCrab 3, has been released with some new changes. The ransomware now uses a random 5-character extension for encrypted files and a new HTML ransom note.

It is unknown how GandCrab v5 is being distributed. The previous versions were distributed using exploit kits and software cracks, but exploit kits do not appear to be distributing this version. As with the previous versions, there is no way to decrypt files encrypted by GandCrab v5 for free.

How GandCrab v5 encrypts a computer

When GandCrab v5 is executed it will scan the computer and any network shares for files to encrypt. While scanning for network shares, it enumerates not just the mapped drives but all shares on the network. It is therefore important to ensure that all network shares on your network are locked down.

When a targeted file is found, it will encrypt the file and then append a random 5-character extension. While encrypting files, the ransomware will also create ransom notes named [extension]-DECRYPT.html.
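As an added example (not code from the original post), a simple defender-side check over a directory or share listing for the two file-naming traits described above: a group of files sharing a 5-character extension alongside a matching [extension]-DECRYPT.html note. The listing is constructed, and the 5-character extension is assumed to be alphanumeric.

```python
import re
from collections import defaultdict

# Traits described in the post: a random 5-character extension appended to
# encrypted files, and a ransom note named [extension]-DECRYPT.html.
# Assumption: the random extension is alphanumeric.
EXT_RE = re.compile(r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]{5})$")
NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]{5})-DECRYPT\.html$", re.IGNORECASE)


def find_gandcrab_indicators(paths, min_files=3):
    """Return {extension: [files]} for every 5-character extension that both
    has a matching <ext>-DECRYPT.html note in the listing and is carried by at
    least `min_files` files. Requiring the note avoids flagging legitimate
    5-character extensions such as .xhtml on their own."""
    by_ext = defaultdict(list)
    note_exts = set()
    for path in paths:
        name = path.rsplit("/", 1)[-1]          # basename only
        note = NOTE_RE.match(name)
        if note:
            note_exts.add(note.group("ext").lower())
            continue
        enc = EXT_RE.match(name)
        if enc:
            by_ext[enc.group("ext").lower()].append(path)
    return {ext: files for ext, files in by_ext.items()
            if ext in note_exts and len(files) >= min_files}


# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    "share/finance/budget.xlsx.kqzvb",
    "share/finance/q3.docx.kqzvb",
    "share/finance/notes.txt.kqzvb",
    "share/finance/KQZVB-DECRYPT.html",
    "share/hr/policy.pdf",
    "share/web/index.xhtml",
]

if __name__ == "__main__":
    for ext, files in find_gandcrab_indicators(SAMPLE_LISTING).items():
        print(f"possible GandCrab v5 activity: .{ext} on {len(files)} files")
```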

This ransom note contains information about what has happened to the files and instructions on how to access the TOR payment site, which is currently at http://gandcrabmfe6mnef.onion.

When a user visits the TOR payment site they will be provided with the ransom amount and instructions on how to make the payment to receive the GandCrab Decryptor.

At present the ransom amount is $800 USD, to be paid in the DASH (DSH) cryptocurrency. The TOR payment site also includes a free test decryption and a support page where victims can send and receive messages with the ransomware developers.
