GandCrab v5 ransomware is back with new features

This fall has not only brought us rain, cold and colorful leaves, but also the notorious GandCrab ransomware back, this time even more improved and vicious. GandCrab v5 just showed up on September 24, 2018, roaming around and encrypting precious personal files all around the globe, but mainly Central Europe. After getting rather upset about the pre-infection, developers had to take some time and figure how to improve the maliciousness and increase the chances of getting ransom from the victims. Therefore after a couple of months now we see the fifth and the latest GandCrab ransomware variant.

What is new about the GandCrab v5 virus

Found and reported on Twitter by the undefended malware researcher MarceloRivero GandCrab 5 ransomware demonstrated a few different features (take a look at VirusTotal for full technical data) that were not present in the previous versions of GandCrab, GandCrab 2, GandCrab3 and GandCrab 4. One of the major ones is that GandCrab does not require an internet connection to compromise the PC, which before seemed like a necessity. Here are the other characteristics we noticed in GandCrab v5 ransomware:

Encryption mechanism

GandCrab virus has already been one of the most famous ransomware amongst the Locky, WannaCry, Petya and etc. Even though it did not make such horrible damage as the latter infections resulting in billions of dollars lost, yet it approximately brought close to $600k to developers from over 50,000 victims. That being said, the main working principles of GandCrab v5 ransomware remained the same – it sneaks in, encrypts files and asks for a ransom. This version uses more sophisticated and double encryption first with Salsa20 cipher and then RSA-2048 algorithm to make sure that there will be no chances of victim decrypting their data. As a cherry on top, the virus uses a command ‘WMIC.exe shadowcopy delete’ was added to remove all Shadow Copies of the files. 

Unlike the previous versions, GanCrab 5 is able to stop the Word, Excel and other popular software processes, allowing it to encrypt even the temporary files, which were opened by the applications. Interesting enough, GandCrab v5 is not going to encrypt files and attack if your interface language is Slavic, meaning that Russia, Ukraine, Belarus, Georgia, Azerbaijan, and a few other countries are safe from this virtual devil, as the Fortinet.com analysis shows.

Extension and lock screen

The fifth GandCrab virus variant instead of the regular .CRAB extension chose a more personal and unique string made out of 5 different characters – .[5-random-char], which later plays a part in the ransom note’s name – [same-5-extension-characters]-DECRYPT.html. Additionally, to that GandCrab 5 ransomware decided to put another feature and change the victim’s desktop background to a dark ‘pidor.bmp’ image saying:

ENCRYPTED BY GANDCRAB 5.0
DEAR [USER NAME]
YOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR
For further steps read [unique-ID]-DECRYPT.html that is located in every encrypted folder.

Ransom and ransom notes

Files that are locked by the new ransomware remained the same: photos, audio files, videos, documents and the rest data that is not crucial to the System to work properly. Yet the ransom price increased drastically, double since GandCrab v4. Right now the cryptovirus asks for $2400 (12.14390528 DSH) in DASH/Bitcoin but in a very clever way. The first ransom note that appears to the user after finalization of file encryption does not say anything about how much GandCrab developers are expecting but it gives victims the Tor link (http://gandcrabmfe6mnef.onion, which is the same a in previous variants) which sends them to an anonymous site dedicated to GandCrab v5 ransomware. The ‘[unique-ID]-DECRYPT.html’ note also has an ability to adapt according to the language of your Windows:

—= GANDCRAB V5.0 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .XMMFA
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:>—————————————————————————————->
•Download Tor browser – https://www.torproject.org/
• Install Tor browser
• Open Tor Browser
• Open link in TOR browser: http://gandcrabmfe6mnef.onion/e499c8afc4ba3647
• Follow the instructions on this page—————————————————————————————-
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

The Tor page then gives a very detailed explanation and rather impressive 24/7 live customer (victim) interface with the crooks. This is where it asks for $2,400.00 as a current price. Since the ransom payment is on the bigger side, developers offer for you to try to recover a few of your files for free to prove that they will restore your data back if you will send them desired cryptocurrency.

We are sorry, but your files have been encrypted!
Don’t worry, we can help you to return all of your files!
Files decryptor’s price is 2400 USD
If payment isn’t made until 2018-07-20 02:32:41 UTC the cost of decrypting files will be doubled
Amount was doubled!
Time left to double price:
—————————————————————————————–
What the matter? Buy GandCrab Decryptor Support is 24/7 Test decrypt
—————————————————————————————–
Please turn on javascript!!
What the matter?
Your computer has been infected with GandCrab Ransomware. Your files have been encrypted and you can’t decrypt it by yourself.
In the network, you can probably find decryptors and third-party software, but it won’t help you and it only can make your files undecryptable
What can I do to get my files back?
You should buy GandCrab Decryptor. This software will help you to decrypt all of your encrypted files and remove GandCrab Ransomware from your PC.
Current price: $2,400.00. As payment, you need cryptocurrency DASH or Bitcoin
What guarantees can you give to me?
You can use test decryption and decrypt 1 file for free
What is cryptocurrency and how can I purchase GandCrab Decryptor?
You can read more details about cryptocurrency at Google or here.
As payment, you have to buy DASH or Bitcoin using a credit card, and send coins to our address.
How can I pay to you?
You have to buy Bitcoin or DASH using a credit card. Links to services where you can do it: Dash exchanges list, Bitcoin exchanges list
After it, go to our payment page Buy GandCrab Decryptor, choose your payment method and follow the instructions

The second page of Tor link:

Please turn on javascript!!
Payment amount: 12.14390528 DSH ( $2,400.00 )
1 DSH = $197.63
Buy cryptocurrency DASH. Here you can find services where you can do it.
Send 12.14390528 DSH to the address:
Please turn on javascript!!
Attention!
Please be careful and check the address visually after copy-pasting (because there is a probability of a malware on your PC that monitors and changes the address in your clipboard)

If you don’t use TOR Browser:
Send a verification payment for a small amount, and then, make sure that the coins are coming, then send the rest of the amount.
We won’t take any responsibility if your funds don’t reach us
After payment, you will see your transactions bellow
The transaction will be confirmed after it receives 3 confirmations (usually it takes about 10 minutes)
This process is fully automated, all payments are instant.
After your payment, please refresh this page and get an opportunity to download GandCrab’s Decryptor!

Yet Judging from the malware researchers experience crooks were not so nice when communicating. It can be due to the dislike of cybersecurity specialists and grudge kept from that GandCrab v4 vaccine or it can be a sign not to pay the crooks anything and wait until the official free decryption will come out.

Is GandCrab v5 ransomware decryptable

As of October 25th, 2018, GandCrab v5 got an official long-waited decryption tool which can be found on one of the biggest anti-ransomware projects called NoMoRansom.  This decryption software was developed by three united forces of Europol, Bitdefender and Romanian Police and is considered to be one of the most successful cybersecurity victories. The same tool can also be used for GandCrab v1 and V4.

However, it is still advisable to use malware researcher’s @Valthek vaccine for GandCrab 5 ransomware to prevent it in the future.

Lastly to see the GandCrab in action take a look at another malware researcher’s Gruja video: