GandCrab V5 Released With Random Extensions And New HTML Ransom Note (Sep 25, 2018)

The latest version of the ransomware “GandCrab” has been released with several notable changes. As with previous versions, it is distributed via malvertising that redirects users to sites hosting the “Fallout” exploit kit, which installs the malware on the victim’s machine. The changes in this version include a random five-character extension appended to encrypted files and an HTML ransom note. The malware encrypts files on the local drives and also enumerates network shares, encrypting files on any share the infected host can reach. The ransom note contains a URL to a Tor site with further instructions on how to decrypt the files and states the ransom amount: $800 USD, paid in DASH cryptocurrency. There is currently no free way to decrypt files encrypted by GandCrab v5.
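The two artifacts the story describes, one unusual five-character extension shared by many files plus an HTML note dropped beside them, are enough to hunt for on a file server or a mounted share. The script below is an added hunting example, not GandCrab code and not part of the original briefing: it walks a directory tree, groups files by extension, and reports any five-letter extension that is not on an allowlist, appears on at least a threshold number of files, and has an .html file in one of the same directories. The allowlist, the threshold, the sample filenames and the ransom note name `KQWTZ-DECRYPT.html` are all assumptions for illustration; the page does not give the real note filename.

```python
import os
import re
import tempfile
from collections import defaultdict

# Added hunting example (not GandCrab's or Anomali's code). Keys on the behaviour
# described in the story: many files sharing one random five-character extension,
# with an HTML ransom note nearby. Thresholds and allowlist are assumptions.

FIVE_CHAR_EXT = re.compile(r"^[a-z]{5}$")
# Legitimate five-letter extensions that would otherwise match (assumed list; extend for your estate).
ALLOWLIST = {"ascii", "cache", "class", "dylib", "pages", "xhtml", "woff2", "jsonl"}
MIN_FILES = 20  # assumed: how many files must share one extension before alerting


def scan_tree(root, min_files=MIN_FILES):
    """Return {ext: {"count": n, "samples": [...], "html_nearby": [...]}} for every
    suspicious extension found under root; an empty dict means nothing matched."""
    by_ext = defaultdict(list)      # candidate extension -> file paths
    html_by_dir = defaultdict(list) # directory -> .html/.htm files in it
    for dirpath, _, names in os.walk(root):
        for name in names:
            stem, dot, ext = name.rpartition(".")
            if not dot or not stem:
                continue  # no extension, or a dotfile such as .bashrc
            ext = ext.lower()
            path = os.path.join(dirpath, name)
            if ext in ("html", "htm"):
                html_by_dir[dirpath].append(path)
            elif FIVE_CHAR_EXT.match(ext) and ext not in ALLOWLIST:
                by_ext[ext].append(path)

    findings = {}
    for ext, paths in by_ext.items():
        if len(paths) < min_files:
            continue
        dirs = {os.path.dirname(p) for p in paths}
        nearby = sorted(p for d in dirs for p in html_by_dir.get(d, []))
        findings[ext] = {
            "count": len(paths),
            "samples": sorted(paths)[:3],
            "html_nearby": nearby,
        }
    return findings


def build_sample_tree(base, infected=True):
    """Constructed sample data, not a real infection: 25 spreadsheets under a share,
    either renamed with a random-looking extension plus a note (infected=True) or clean."""
    docs = os.path.join(base, "share", "finance")
    os.makedirs(docs, exist_ok=True)
    for i in range(25):
        suffix = ".kqwtz" if infected else ""  # "kqwtz" is an assumed random extension
        with open(os.path.join(docs, f"invoice_{i:03d}.xlsx{suffix}"), "wb") as f:
            f.write(os.urandom(64) if infected else b"PK\x03\x04")
    if infected:
        # Hypothetical note filename; the real v5 note name is not given in the story.
        with open(os.path.join(docs, "KQWTZ-DECRYPT.html"), "w") as f:
            f.write("<html><body>YOUR FILES ARE ENCRYPTED</body></html>")
    return base


def demo():
    """Scan one constructed infected tree and one clean tree; returns both result dicts."""
    infected = scan_tree(build_sample_tree(tempfile.mkdtemp(), infected=True))
    clean = scan_tree(build_sample_tree(tempfile.mkdtemp(), infected=False))
    return infected, clean


if __name__ == "__main__":
    infected, clean = demo()
    for ext, info in infected.items():
        print(f"suspicious extension .{ext}: {info['count']} files, "
              f"{len(info['html_nearby'])} HTML note(s) nearby")
    print("clean tree findings:", clean)
```

Run it against a mounted share rather than a single workstation: the story notes that this variant encrypts reachable network shares, so a file server is where the shared-extension cluster shows up first, and the share's own audit log will name the client host that wrote the renamed files.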

Recommendation: Never pay threat actors the requested ransom, as payment does not ensure you will get your files back. Ransomware can sometimes be blocked by endpoint protection solutions such as HIDS, but as this story shows, new variants constantly evolve to bypass these protections. Keep your important files backed up using the 3-2-1 rule: 3 copies, on 2 different media, with 1 off-site. Because this variant also encrypts any network share the infected host can reach, a backup that stays mounted from production systems is not a safe copy; the off-site copy must be offline or otherwise unreachable from the hosts it protects. After a ransomware infection, the affected system must be wiped and reinstalled, and other devices on the network should be checked for the same infection. Always check for a free decryptor before considering payment. Report ransomware to law enforcement agencies, who are working to track these actors and to make ransom an unprofitable business for cyber-criminals. Segment your networks so that malware cannot propagate through the whole environment.

Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.