GandCrab V3 Accidentally Locks Systems with New “Change Wallpaper” Feature (May 4, 2018)

The threat actors behind the “GandCrab” ransomware have added new features to both the malware and its spam email distribution, according to Fortinet researchers. The spam tactics are essentially unchanged: the emails ask the recipient to open an attachment and reply as soon as possible. What has changed is the attachment itself, which is now a Visual Basic Script (VBS) rather than the JScript used in earlier campaigns. After encrypting files, the malware forces a reboot and changes the machine’s desktop wallpaper; on Windows 7, however, it gets stuck before the Windows Shell has fully loaded. As a result, this version of GandCrab can leave the entire machine “seemingly unusable.”

Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications from trusted vendors should also be deployed. Emails from unknown senders should be treated with caution, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, together with a business continuity plan for the unfortunate case of a ransomware infection.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.