GandCrab version 3 was released earlier this week with a few noticeable changes. The most noticeable change is the addition of a desktop background.
Unfortunately, at this time GandCrab 3 cannot be decrypted for free. This variant was being distributed via the Magnitude exploit kit.
GandCrab v3 has also been spotted being distributed through malspam campaigns. These malspam emails carry subjects like “Order #65121” and attachments containing a VBS downloader that installs GandCrab v3.
Changes in GandCrab v3
The most noticeable changes in this release of GandCrab are the increment of the version number to 3, new ransom note text, and the introduction of a rather ugly desktop background.
The ransom note is still named CRAB-DECRYPT.txt and encrypted files still have the .CRAB extension.
With this version, GandCrab also introduces a low-resolution background that tells you to read the CRAB-DECRYPT.txt ransom note in order to learn what happened to your files. This background can be seen below.
The ransom note also contains new text as can be seen below.
A RunOnce autorun key, introduced in older versions, causes GandCrab to start automatically when a user logs in. When GandCrab is installed, it encrypts the computer, sets the background, and then automatically reboots the machine. For Windows 7 users there is a problem with this method: the autorun causes the browser to open the TOR web site and the background to display, but the desktop itself is never shown.
Researchers feel this may be a bug in the program for those using Windows 7 that causes it to exhibit this screenlocker behavior. In some ways, this behavior could actually benefit the ransomware developers as it may cause further panic and more ransom payments.
Finally, this version introduces the domain “carder.bit” as a server that the ransomware communicates with. The GandCrab devs have a sense of humor when they name associated domains as shoutouts to security companies, websites like BC, and researchers. This one is a reference to those who perform credit card fraud.
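As an added example (not code from the original article), the following Python routine triages a host snapshot for the indicators described above: the .CRAB extension, the CRAB-DECRYPT.txt note, a RunOnce autorun entry, and DNS queries for carder.bit. The sample file listing, registry tuples and log-line shape are constructed for illustration, and the RunOnce value name and command are placeholders.

```python
# Added example (not from the original article): flags the GandCrab v3 indicators
# named in the write-up. Sample data and record shapes are constructed.
RANSOM_NOTE = "crab-decrypt.txt"   # ransom note dropped in each encrypted folder
ENCRYPTED_EXT = ".crab"            # extension appended to encrypted files
C2_DOMAIN = "carder.bit"           # domain the ransomware communicates with
RUNONCE_SUFFIX = "\\currentversion\\runonce"  # autorun key used for persistence

def _is_c2(qname):
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)

def triage(file_paths, registry_entries, dns_log_lines):
    """file_paths: Windows paths; registry_entries: (key, value_name, data) tuples;
    dns_log_lines: constructed '<timestamp> <host> <qname>' records."""
    paths = [p.lower() for p in file_paths]
    encrypted = [p for p in paths if p.endswith(ENCRYPTED_EXT)]
    note_dirs = sorted({p.rsplit("\\", 1)[0] for p in paths if p.endswith("\\" + RANSOM_NOTE)})
    dns_hits = [line for line in dns_log_lines if _is_c2(line.split()[-1])]
    # RunOnce is also used legitimately, so its entries are only surfaced for
    # analyst review when encryption artefacts are present on the same host.
    file_evidence = bool(encrypted or note_dirs)
    runonce = [e for e in registry_entries
               if e[0].lower().endswith(RUNONCE_SUFFIX)] if file_evidence else []
    return {
        "encrypted_count": len(encrypted),
        "ransom_note_dirs": note_dirs,
        "c2_dns_hits": dns_hits,
        "runonce_for_review": runonce,
        # file artefacts are decisive; a DNS hit alone is a lead, not a verdict
        "verdict": "infected" if file_evidence else ("suspicious" if dns_hits else "clean"),
    }

# Constructed sample snapshot of one host.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.CRAB",
    r"C:\Users\alice\Documents\CRAB-DECRYPT.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.CRAB",
    r"C:\Users\alice\Pictures\CRAB-DECRYPT.txt",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "PLACEHOLDER_NAME", r"C:\PLACEHOLDER\payload.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
SAMPLE_DNS = ["2018-05-02T10:01:02Z host1 carder.bit", "2018-05-02T10:01:03Z host1 update.microsoft.com"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_DNS).items():
        print(f"{key}: {value}")
```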
All your files, documents, photos, databases and other important files are encrypted and have the extension: .CRAB
The only way to recover files is to buy a private key. It’s on our server, and only we can recover your files.
All Users are requested to:
- Install NPAV and keep it up to date.
- Make sure NPAV Data Backup is ON.
- Always use trusted and secure sites for downloading setups.