What is GandCrab ransomware? And how is it being distributed online?
GandCrab ransomware is a new file-encrypting malware released towards the last week of January 2018. This ransomware was first discovered by a security researcher named David Montenegro. Since its discovery, other security experts were quick to jump in and analyze the threat.
GandCrab ransomware is distributed through a malvertising campaign referred to as “Seamless” that pushes users to the RIG exploit kits on shady websites. It identifies the vulnerabilities of a targeted system. Unfortunately, this kind of software kit does not need any permission to get installed which is why inexperienced users might not even recognize this threat at first until it’s already too late.
How does GandCrab ransomware implement its attack?
After its successful infiltration, GandCrab will try to connect to its Command and Control server. It also has to name a server that supports the Namecoin’s .bit domains as it is hosted in one. If it’s a victim’s lucky day and the ransomware wasn’t able to connect to its C&C server, it won’t be able to encrypt files although it will still continue running in the background and will keep on trying to connect to the remote server. And if it has managed to successfully connect, it will start to target certain file extensions which are quite many. Half of the file types it targets are indicated below:
.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf.
After it has finished encrypting targeted files, it drops a file named GDCB-DECRYPT.txt containing the ransom note and information on what happened to the encrypted files – it contains the following message:
“GandCrab Ransom Note:
—= GANDCRAB =—
All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
- Download Tor browser – https://www.torproject.org/
- Install Tor browser
- Open Tor Browser
- Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id] 5. Follow the instructions on this page
If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:
- http://gdcbghvjyqy7jclk.onion.top/[id] 2. http://gdcbghvjyqy7jclk.onion.casa/[id] 3. http://gdcbghvjyqy7jclk.onion.guide/[id] 4. http://gdcbghvjyqy7jclk.onion.rip/[id] 5. http://gdcbghvjyqy7jclk.onion.plus/[id]
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Do not try to modify files or use your own private key – this will result in the loss of your data forever!”
At the time of writing, there is no way to decrypt files yet so using any backup copies of the encrypted files remains the only option as paying the ransom should not even be considered as risky and unwise as it is.
Terminate GandCrab ransomware from your PC as soon as you can with the help of the removal instructions given below.
Step 1: Close GandCrab ranosmware’s program window and tap Ctrl + Shift + Esc keys to open the Task Manager.
Step 2: After opening the Task Manager, look for the following malicious processes of GandCrab ransomware, click on each one of them and select End Process or End Task.
msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exeisqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe
Step 3: Close the Task Manager.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 4: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 5: Navigate to the following paths:
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 6: Under the paths listed above, look for registry values created by GandCrab ransomware and delete it.
Step 7: Close the Registry Editor and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: Look for GandCrab ransomware or any suspicious program and then Uninstall it/them.
Step 9: Tap Win + E to launch File Explorer.
Step 10: After opening File Explorer, navigate to the following locations below and look for GandCrab ransomware’s malicious components such as GDCB-DECRYPT.txt and delete them all.
Step 11: Close the File Explorer.
Step 12: Empty your Recycle Bin.
Make sure that you have completely removed GandCrab ransomware form your computer, to do so, follow the advanced removal guide below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once a download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.