
Malware authors want more and more money, so they keep updating their ransomware and reaching for more victims. GandCrab v5.0.3 is the fifth major revision of the GandCrab family to be detected as a stand-alone release. Unlike earlier versions, which used a fixed extension, it appends a random extension to every file it encrypts. Researchers use the short name Crab alongside the full name GandCrab.

GandCrab relies on a deliberate infection vector to get onto a host machine: a network of websites the crooks have compromised. The affected sites were originally legitimate and harmless; after the takeover they were turned into fake blogs dedicated to software cracks. Users redirected to such a blog may decide to get an attractive commercial program for free by downloading the "crack" on offer, and receive the ransomware instead. Obtaining software this way is unfair at best and often illegal, which is why many victims of GandCrab hesitate to report the infection: they expect a reproach, if not prosecution, for the way their device was compromised.

GandCrab v5 surfaced in October 2018. There is no master remedy for the malware so far, but there is some hope: the initial release of GandCrab was defeated when security researchers and law enforcement gained access to its command-and-control servers and recovered the keys needed for a free decryptor. The weakness that made that counter-attack possible is no longer in place; the crooks closed it with the release of the second version.

Installation of GandCrab v5 may force a system reboot, so any unsaved work can be lost. After the reboot the ransom trojan scans every location reachable from the host machine, including network shares and attached drives. The scan deliberately skips certain file types and folders that the operating system needs. This keeps the system running so that the victim can read the ransom note the infection drops.

GandCrab v5 encrypts files with the Salsa20 stream cipher, a scheme the family adopted in version 4 in place of the AES-based encryption of earlier releases. The criminals remain true to the mocking spirit of previous versions: the code carries a message addressed to the author of Salsa20 that reads "let's dance salsa". Earlier they trolled security researchers and law enforcement by giving the ransomware's command-and-control servers names resembling those of the Romanian Police, BleepingComputer and others.

Salsa20 is a symmetric stream cipher: the same key (together with its nonce) that encrypted a file is the one that decrypts it. The key used for each file therefore has to be present in the computer's memory while encryption runs. The crooks do their best to wipe it afterwards, and the per-file keys they store alongside the data are themselves encrypted with the attackers' RSA public key, so recovery depends on catching the plaintext key before it is destroyed. Any key material that survives in memory, for instance in a crash dump, a hibernation file or a live memory capture taken during the attack, is a potential flaw that defenders could exploit to restore the data.
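The following is an added example, not code from the original post or from the GandCrab samples themselves. It implements Salsa20/20 in pure Python, encrypts a constructed "victim file" with a constructed per-file key and nonce, and then demonstrates the three properties the paragraph above relies on: the same key and nonce decrypt what they encrypted, the keystream is nothing more than plaintext XOR ciphertext (so whoever holds the keystream or the key at encryption time can undo the damage), and once the key is overwritten the ciphertext can no longer be decrypted. Key, nonce and plaintext are invented for the demonstration.

```python
import struct

MASK = 0xFFFFFFFF
# Salsa20 constants ("expand 32-byte k") used with a 256-bit key.
SIGMA = struct.unpack("<4I", b"expand 32-byte k")


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarterround(y0, y1, y2, y3):
    # Salsa20 quarterround: each step uses the already-updated words.
    y1 ^= _rotl((y0 + y3) & MASK, 7)
    y2 ^= _rotl((y1 + y0) & MASK, 9)
    y3 ^= _rotl((y2 + y1) & MASK, 13)
    y0 ^= _rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block for a 32-byte key, 8-byte nonce, 64-bit counter."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [SIGMA[0], k[0], k[1], k[2],
             k[3], SIGMA[1], n[0], n[1],
             counter & MASK, (counter >> 32) & MASK, SIGMA[2], k[4],
             k[5], k[6], k[7], SIGMA[3]]
    x = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        # column round
        x[0], x[4], x[8], x[12] = _quarterround(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = _quarterround(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = _quarterround(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = _quarterround(x[15], x[3], x[7], x[11])
        # row round
        x[0], x[1], x[2], x[3] = _quarterround(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = _quarterround(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = _quarterround(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = _quarterround(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, state)))


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt by XORing data with the keystream; one function serves both directions."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("this Salsa20 expects a 32-byte key and an 8-byte nonce")
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        block = salsa20_block(key, nonce, i // 64)
        for j, b in enumerate(data[i:i + 64]):
            out[i + j] = b ^ block[j]
    return bytes(out)


def recover_keystream(plaintext, ciphertext):
    """For any stream cipher, plaintext XOR ciphertext is exactly the keystream that was applied."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def demo():
    # Constructed values, not taken from any real sample: a victim file and a per-file key.
    key = bytearray(bytes(range(32)))
    nonce = b"\x00\x01\x02\x03\x04\x05\x06\x07"
    plaintext = b"Quarterly figures, do not distribute. " * 4  # 152 bytes, spans three blocks
    ciphertext = salsa20_xor(bytes(key), nonce, plaintext)
    with_key = salsa20_xor(bytes(key), nonce, ciphertext)
    # Known plaintext for one file yields the keystream that encrypted it ...
    keystream = recover_keystream(plaintext, ciphertext)
    # ... which is what the cipher emits for an all-zero input under the same key and nonce.
    zero_stream = salsa20_xor(bytes(key), nonce, bytes(len(plaintext)))
    # Overwrite the key as the ransomware does; the wiped buffer no longer decrypts anything.
    for i in range(len(key)):
        key[i] = 0
    after_wipe = salsa20_xor(bytes(key), nonce, ciphertext)
    return {
        "roundtrip_ok": with_key == plaintext,
        "keystream_matches": keystream == zero_stream,
        "wiped_key_decrypts": after_wipe == plaintext,
        "ciphertext_len": len(ciphertext),
    }


if __name__ == "__main__":
    print(demo())
```

Note how hard the wipe is to get right even here: every `bytes(key)` call above made an immutable copy that Python will never scrub, so zeroing the `bytearray` leaves the key recoverable from process memory. That is precisely the kind of residue a memory capture taken during an attack could turn up.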

Once encryption completes, the infection drops its ransom note, typically a file named [RANDOM EXTENSION]-DECRYPT.txt, where the random string is the same extension appended to the encrypted files. The note explains the purpose of the attack and instructs the victim to download and install the Tor Browser and open the ransom payment page over Tor. The payment page demands a transfer in DASH; GandCrab was the first ransomware to use DASH rather than the Bitcoin that dominates ransomware transactions. The crooks appear to peg the ransom to fiat currency, adjusting the crypto amount to about $800.
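A first triage step on a suspected GandCrab v5 host is to turn that naming convention around: the note filename tells you which random extension the sample used, and that extension tells you which files were hit. The script below is an added example, not part of the original post or of any vendor tool. It assumes notes follow the [RANDOM EXTENSION]-DECRYPT.txt pattern described above (the 5 to 10 letter length range is an assumption), works on a plain file listing such as `dir /s /b` output, and uses an invented listing in place of a real infected disk.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Note filenames carry the random extension; the 5-10 letter range is an assumption, not a spec.
NOTE_RE = re.compile(r"^([A-Za-z]{5,10})-DECRYPT\.txt$", re.IGNORECASE)


def note_extensions(paths):
    """Map each random extension announced by a ransom note to the number of notes that name it."""
    found = Counter()
    for p in paths:
        m = NOTE_RE.match(PureWindowsPath(p).name)
        if m:
            found[m.group(1).lower()] += 1
    return found


def triage(paths):
    """Split a listing into ransom notes, files carrying a note-announced extension, and the rest."""
    exts = note_extensions(paths)
    notes, encrypted, untouched = [], [], []
    for p in paths:
        wp = PureWindowsPath(p)
        if NOTE_RE.match(wp.name):
            notes.append(p)
        elif wp.suffix.lstrip(".").lower() in exts:
            encrypted.append(p)
        else:
            untouched.append(p)
    return {
        "extensions": sorted(exts),
        "notes": notes,
        "encrypted": encrypted,
        "untouched": untouched,
    }


# Constructed listing standing in for `dir /s /b` output on an infected host; all names are invented.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.kvzuhw",
    r"C:\Users\alice\Documents\KVZUHW-DECRYPT.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.kvzuhw",
    r"C:\Users\alice\Pictures\KVZUHW-DECRYPT.txt",
    r"C:\Users\alice\Desktop\todo.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"D:\shares\finance\budget.xlsx.kvzuhw",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print("extension(s) in use:", result["extensions"])
    print("ransom notes:", len(result["notes"]))
    print("encrypted files:", len(result["encrypted"]))
    for path in result["encrypted"]:
        print("  ", path)
```

Because the sample drops a note into every folder it touches, counting notes per directory also gives a quick map of where the encryption run reached, including network shares, which matters when deciding which hosts to isolate.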

Again, there is no magic wand that restores data encrypted with Salsa20 by GandCrab v5, but there are workarounds: tools and tips that may help with GandCrab v5.0.3 ransomware data recovery.
