What is GandCrab ransomware?
GandCrab is ransomware that encrypts the personal photos, documents and music on an infected Windows PC with a strong encryption algorithm and a key the victim does not hold, appending the .GDCB extension to every encrypted file. Once encryption has finished, it displays a ransom note offering to decrypt the user's photos, documents and music if a payment is made.
GandCrab is the newest of the crypto viruses (malware that encrypts personal files and demands a ransom). It can infect all current versions of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.
Immediately after launch, GandCrab enumerates all available drives, including network and cloud storage, to determine which files will be encrypted. It selects its targets by file name extension: only files whose extension is on its built-in list are encrypted.
Unique features and symptoms
GandCrab has some features not seen before in ransomware: it is the first to demand payment in the DASH cryptocurrency and the first to use the Namecoin-powered .bit TLD for its command and control domains.

Because .bit is not part of the public DNS root, any software that wants to resolve a .bit domain must use a name server that supports it. GandCrab does this by sending its DNS queries to a.dnspod.com, a server that is reachable on the Internet and can also resolve .bit domains.
GandCrab uses these .bit domains as the addresses of its command and control (C2) servers; the domain names it uses contain names that you might recognise. For the victim, the result is that a large part of their data is encrypted with a strong cipher and renamed with the .GDCB extension, and the infected machine also shows noticeable performance problems, application failures and other damage while encryption runs.
GandCrab is being distributed through the RIG exploit kit
According to the exploit kit researchers nao_sec and Brad Duncan, GandCrab is currently being distributed through a malvertising campaign called Seamless, which redirects visitors to the RIG exploit kit. The exploit kit then attempts to exploit vulnerabilities in the visitor's browser and plugins to install GandCrab without their knowledge.
How GandCrab encrypts a computer
When GandCrab is first launched it attempts to connect to its command and control server. Because that server is hosted on one of Namecoin's .bit domains, it must query a name server that supports this TLD. It does so by looking up its C2 domains with the command nslookup [insert domain] a.dnspod.com, which sends the query to the a.dnspod.com name server, a resolver that supports the .bit TLD.
If the victim's machine cannot reach the C2 server, the ransomware will not encrypt the computer. It does, however, keep running in the background, retrying the lookup and the connection until it succeeds. In practice this makes the .bit lookup a useful choke point: a host that cannot reach a.dnspod.com or the C2 is not encrypted by this version. Once the domain resolves, it connects to the C2 server's IP address. It is not known at this time exactly what data is exchanged, but the C2 is most likely sending the public key that will be used to encrypt the files. During this process the ransomware also connects to http://ipv4bot.whatismyipaddress.com/ to determine the victim's public IP address.
Before GandCrab encrypts the victim's files it first checks for certain running processes and terminates them. This closes any file handles those processes hold open so that their files can be encrypted. Security researcher Vitali Kremez documented the list of processes it terminates.
GandCrab then begins encrypting the victim's files, targeting only files with certain extensions.
Kremez's analysis also showed that while encrypting, GandCrab skips any file whose full path contains one of a fixed set of strings.
As it encrypts, the ransomware appends the .GDCB extension to each encrypted file's name. For example, test.jpg is encrypted and renamed to test.jpg.GDCB.
At some point the ransomware relaunches itself with the command "C:\Windows\system32\wbem\wmic.exe" process call create "cmd /c start %Temp%\[launched_file_name].exe". This triggers a UAC prompt; if the user does not answer Yes, the prompt is displayed again and again until they do.
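The behaviours described above (nslookup queries for .bit domains sent to a.dnspod.com, the public-IP check against ipv4bot.whatismyipaddress.com, and the wmic.exe relaunch from %Temp%) are all visible in ordinary endpoint telemetry. The following detection logic is an added example, not code from the original article or from any vendor. The event layout (dicts with a "type" key) is an assumed, simplified Sysmon-style format, every sample event is constructed, and the .bit hostname is a placeholder rather than a real indicator.

```python
"""Detection logic for the GandCrab pre-encryption behaviour described above.

Added example, not code from the original article. The event layout is an
assumed, simplified Sysmon-style format; SAMPLE_EVENTS are constructed and
"example-c2.bit" is a placeholder, not a real indicator.
"""
import re
from collections import Counter

BIT_TLD = ".bit"                                   # Namecoin TLD used for the C2 domains
BIT_RESOLVER = "a.dnspod.com"                      # resolver GandCrab queries for .bit
PUBLIC_IP_HOST = "ipv4bot.whatismyipaddress.com"   # public-IP lookup service

# wmic.exe process call create "cmd /c start %Temp%\<file>.exe"
WMIC_RELAUNCH = re.compile(
    r"process\s+call\s+create\s+.*cmd\s+/c\s+start\s+%temp%\\", re.IGNORECASE
)

STRONG_RULES = {"nslookup_bit_tld", "dns_query_bit_tld"}
SUPPORTING_RULES = {"nslookup_via_dnspod", "public_ip_lookup", "wmic_temp_relaunch"}


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(event):
    """Return the names of the GandCrab rules a single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        image = _basename(event.get("image", ""))
        cmdline = event.get("cmdline", "")
        tokens = cmdline.lower().split()
        if image == "nslookup.exe":
            # any argument ending in .bit is a Namecoin lookup
            if any(t.strip('"').endswith(BIT_TLD) for t in tokens[1:]):
                hits.append("nslookup_bit_tld")
            # explicit use of the external resolver GandCrab relies on
            if BIT_RESOLVER in tokens:
                hits.append("nslookup_via_dnspod")
        elif image == "wmic.exe" and WMIC_RELAUNCH.search(cmdline):
            hits.append("wmic_temp_relaunch")
    elif kind == "dns":
        if event.get("query", "").lower().endswith(BIT_TLD):
            hits.append("dns_query_bit_tld")
    elif kind == "http":
        if event.get("host", "").lower() == PUBLIC_IP_HOST:
            hits.append("public_ip_lookup")
    return hits


def triage(events):
    """Aggregate rule hits across one host's events and give a verdict."""
    counts = Counter(rule for e in events for rule in classify_event(e))
    strong = any(r in counts for r in STRONG_RULES)
    supporting = sum(1 for r in SUPPORTING_RULES if r in counts)
    if strong and supporting:
        verdict = "likely_gandcrab"
    elif strong or supporting:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"rules": dict(counts), "verdict": verdict}


# Constructed sample timeline for one host; "example-c2.bit" is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup example-c2.bit a.dnspod.com"},
    {"type": "dns", "query": "example-c2.bit", "server": "a.dnspod.com"},
    {"type": "http", "host": "ipv4bot.whatismyipaddress.com", "path": "/"},
    {"type": "process", "image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" process call create '
                r'"cmd /c start %Temp%\invoice.exe"'},
    # benign noise that must not fire
    {"type": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup www.example.com"},
    {"type": "process", "image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": "wmic os get caption"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The .bit lookup rules are treated as the strong signal because ordinary Windows hosts have no reason to resolve Namecoin domains, while the public-IP check and the wmic relaunch are common enough on their own that they only raise the score in combination.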
When GandCrab has finished encrypting the computer, victims will find ransom notes throughout the file system. The note is named GDCB-DECRYPT.txt and contains the essential information about what happened to the victim's files, together with a list of TOR gateways that can be used to reach the payment site.
When a user visits one of the listed sites, they are presented with a site called GandCrab Decryptor. It shows the ransom amount, the DASH address to send payment to, a support chat, and offers a free decryption of one file.
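Because GandCrab appends .GDCB rather than replacing the original extension and drops GDCB-DECRYPT.txt in affected folders, the damage can be inventoried quickly without touching the encrypted content. The following triage script is an added example, not code from the original article or from any vendor; the directory layout and file names in build_sample_tree() are constructed for illustration, and nothing is decrypted (the key is held by the attacker), it only scopes what a restore from backup has to cover.

```python
"""Post-encryption triage for the artifacts described above: files renamed
to <name>.<ext>.GDCB and GDCB-DECRYPT.txt ransom notes dropped throughout
the file system.

Added example, not code from the original article. build_sample_tree()
creates a constructed victim-like layout in a temporary directory.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".GDCB"          # appended to every encrypted file
RANSOM_NOTE = "GDCB-DECRYPT.txt"    # note name dropped in affected folders


def is_encrypted(name):
    """True if the file name carries the GandCrab v1 extension."""
    return name.upper().endswith(ENCRYPTED_SUFFIX)


def original_name(name):
    """Strip the appended .GDCB to recover the pre-encryption file name.

    test.jpg.GDCB -> test.jpg; the original extension survives because
    GandCrab appends its suffix instead of replacing the extension.
    """
    if not is_encrypted(name):
        raise ValueError("not a GandCrab-encrypted file name: %r" % name)
    return name[:-len(ENCRYPTED_SUFFIX)]


def scan_tree(root):
    """Walk root and summarise the GandCrab artifacts found beneath it."""
    encrypted = []
    notes = []
    by_ext = Counter()
    by_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif is_encrypted(name):
                encrypted.append(os.path.join(dirpath, name))
                ext = os.path.splitext(original_name(name))[1].lower() or "(none)"
                by_ext[ext] += 1
                by_dir[os.path.relpath(dirpath, root)] += 1
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "by_extension": dict(by_ext),
        "by_directory": dict(by_dir),
    }


def build_sample_tree(root):
    """Create a constructed victim-like tree: three encrypted files, one
    untouched file and two ransom notes."""
    layout = {
        "Documents": ["report.docx.GDCB", "budget.xlsx.GDCB", RANSOM_NOTE],
        "Pictures": ["holiday.jpg.GDCB", RANSOM_NOTE],
        "Windows": ["notepad.exe"],     # left untouched in this constructed sample
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("constructed sample content\n")


def demo():
    """Build the sample tree in a temp dir and return the scan summary."""
    root = tempfile.mkdtemp(prefix="gdcb-triage-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

The per-extension and per-directory counts are what matter during response: they tell you which user data sets were hit and therefore which backup sets need restoring, while the note count confirms the variant before anyone spends time on a decryptor that does not exist for this version.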
Preventive measures against GandCrab ransomware
To guard against ransomware, it is important to practise a few good computing habits and run suitable security software:
- The most important step is to have a reliable, tested backup of your data that can be restored in an emergency such as a ransomware attack. With a good backup kept offline, ransomware loses most of its leverage.
- Use security software that includes behavioural detection against ransomware, not just signatures or heuristics, or that enforces application whitelisting. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioural detection that can stop many, if not most, ransomware infections before they encrypt a computer. Whitelisting takes effort to train, but if you are willing to stick with it, it can have the biggest payoff.
- Scan suspicious attachments with a service such as VirusTotal before opening them.
- Install Windows updates as soon as they are released, and keep all programs updated, especially Java, Flash and Adobe Reader. Older versions of these programs contain security vulnerabilities that are commonly exploited by malware distributors and exploit kits.
- Use strong passwords and never reuse the same password on multiple sites.
- Do not open attachments from unknown senders, and even when the sender is known, confirm with that person that they actually sent the attachment before opening it.
Tips to prevent GandCrab ransomware from entering your computer:
1. Enable your pop-up blocker: pop-ups and ads on websites are a common tactic used by cybercriminals to spread malicious programs. Avoid clicking on dubious sites, software offers and pop-ups.
2. Keep Windows updated: to avoid such infections, keep your system updated through automatic Windows Update. Outdated versions of Windows are an easy target for exploit kits.
3. Third-party installers: avoid freeware download websites, which often bundle additional software with the installer or stub file.
4. Regular backups: regular, periodic backups keep your data safe if the system is infected by ransomware or any other malware. Back up important files regularly to a cloud drive or an external hard drive, and keep at least one copy disconnected from the computer, since this ransomware also encrypts reachable network and cloud storage.
5. Always run antivirus: prevention is better than cure. Install a reputable antivirus product such as McAfee or a good malware removal tool, and keep it updated.
6. Install a robust ad blocker for Chrome, Firefox and Internet Explorer.