
GandCrab Ransomware Help & Support Topic (.GDCB, .CRAB & CRAB-DECRYPT.txt)


294 replies to this topic

#1 Grinler (Lawrence Abrams)
  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 29 January 2018 - 08:13 PM

This is the support topic for the GandCrab Ransomware. This ransomware is currently being distributed via malvertising bundled with exploit kits.

When infected, a user will have their files encrypted and the .GDCB extension appended to their names. This ransomware will also drop a ransom note named GDCB-DECRYPT.txt.

Unfortunately, at this time there is no way to decrypt files for free.
 

[Image: ransom-note.jpg (the GandCrab ransom note)]

 
Update 02/28/18: Free Decrypter Available for GandCrab V1 Ransomware Victims
Update 03/06/18: GandCrab Ransomware Version 2 Released With New .Crab Extension & Other Changes
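As an added example (not code from this thread or from any of its posters), the following Python script does the first thing a responder needs after a report like the one above: it walks a directory tree and sizes the damage using the indicators the post gives, namely file names ending in the .GDCB extension (or .CRAB, per the version 2 update) and ransom notes named GDCB-DECRYPT.txt / CRAB-DECRYPT.txt. The sample directory it builds is constructed for demonstration; point `triage()` at a real mounted volume to use it.

```python
"""Triage helper for a GandCrab-style infection.

Added example: not code from this thread or from any of its posters.
It walks a directory tree, counts files carrying the ransomware
extension (.GDCB for version 1, .CRAB for version 2) and locates the
ransom notes (GDCB-DECRYPT.txt / CRAB-DECRYPT.txt), so a responder can
see what was hit before deciding what to restore from backup.
"""
import os
import tempfile
from collections import Counter

# Extensions appended to encrypted files, per the thread's first post and
# the version 2 update.
RANSOM_EXTENSIONS = (".gdcb", ".crab")
# Ransom note names dropped alongside encrypted files.
RANSOM_NOTES = ("gdcb-decrypt.txt", "crab-decrypt.txt")


def original_extension(name):
    """Strip the ransomware suffix and return the file's original extension.

    'report.docx.GDCB' -> '.docx'; a file with no inner extension yields
    '(none)'.
    """
    stem, _ransom_suffix = os.path.splitext(name)
    return os.path.splitext(stem)[1].lower() or "(none)"


def triage(root):
    """Walk root and return (encrypted_paths, note_paths, extension_counts).

    extension_counts maps the original extension of each encrypted file to
    how many such files were seen, which shows what kinds of data were hit.
    Matching is case-insensitive because the extension is seen in both cases.
    """
    encrypted, notes, counts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in RANSOM_NOTES:
                notes.append(path)
            elif lower.endswith(RANSOM_EXTENSIONS):
                encrypted.append(path)
                counts[original_extension(name)] += 1
    return encrypted, notes, counts


def build_sample_tree():
    """Create a constructed sample directory mimicking an infected user profile.

    The contents are dummy bytes; only the names matter for triage.
    """
    root = tempfile.mkdtemp(prefix="gandcrab_triage_")
    layout = {
        "Documents": ["report.docx.GDCB", "budget.xlsx.GDCB",
                      "GDCB-DECRYPT.txt", "notes.txt"],
        "Pictures": ["holiday.jpg.CRAB", "CRAB-DECRYPT.txt"],
        "Downloads": ["README.GDCB"],  # encrypted file with no inner extension
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    enc, ransom_notes, by_ext = triage(sample_root)
    print(f"Encrypted files: {len(enc)}")
    print(f"Ransom notes:    {len(ransom_notes)}")
    for ext, n in by_ext.most_common():
        print(f"  {ext:8} {n}")
```

The extension count is the useful part: it tells you at a glance whether the run reached documents, photos or only a download folder, and the note locations mark which directories the encryptor actually visited.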

#2 Emmanuel_ADC-Soft
  • Members
  • 352 posts
  • Gender:Male
  • Location:Paris

Posted 30 January 2018 - 08:48 AM

Hello,

I am looking for some help to decrypt these files for a client with the GandCrab Ransomware.

Here are 2 encrypted files: https://we.tl/qz4cdJNrkv

 

Thank you, kind regards

Emmanuel



#3 HeideggerOnline
  • Members
  • 1 posts

Posted 01 February 2018 - 10:07 AM

Hello.

 

My wife's computer was just infected with this. Do you want me to provide infected files? I deleted everything, but since it infected a Dropbox... Is there still no way to retrieve the data?

[edit: sorry, my phrasing is idiotic, I'm not a native English speaker: I meant I deleted it from my computer (what came through the Dropbox), but her computer still has all the encrypted data and is kept offline]

Is there a risk for users with whom I shared files via Dropbox to get the rest of their computer infected?

Thanks already

Sorry if I'm misusing the website, I just stumbled upon it while Google searching for this crap GDCB


Edited by HeideggerOnline, 01 February 2018 - 10:14 AM.


#4 Amigo-A
  • Members
  • 585 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 01 February 2018 - 01:33 PM

HeideggerOnline
 
You did the right thing in coming here for information.
This topic is intended for such cases.
Information on this issue is being collected and studied.
In the first hours after detection, there were many victims from South Korea.

Edited by Amigo-A, 01 February 2018 - 01:51 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#5 Amigo-A
  • Members
  • 585 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 01 February 2018 - 01:51 PM

HeideggerOnline
 
It is possible that one of the specialists will want to look closer at your case. Watch the topic and the answers.

There is an article about GandCrab on this site by Lawrence Abrams.

There is also my article about GandCrab (description with visual elements, text in Russian).



#6 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 February 2018 - 02:36 PM

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic... it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click [donate button]

#7 jvw199
  • Members
  • 19 posts
  • Gender:Male
  • Location:Rotterdam, The Netherlands

Posted 02 February 2018 - 08:44 AM

So, unfortunately I have also been affected by this nasty ransomware. :angry: 

 

Luckily I succeeded in getting rid of the virus. For reference: I have three drives: one for Windows and the most used programs (C, which contains approx. 100GB of 240GB), one for other programs and games (D, which contains approx. 500GB of 1TB) and one for storage (E, which contains approx. 15GB of 1TB). I was able to recover some files from E to E with Recuva (not the best option, but otherwise files from the other drives might be gone), but quite a lot were corrupted. I didn't try this on the other drives, however, since I read that the private key might still be somewhere around on my system, according to Malwarebytes. Is this true? And if yes, how can I recover it and share it so maybe others can be helped?

 

Also, I did find a previous version of C (version after an update, a couple of days ago), but I also don't trust reverting to this because of the above.

 

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic... it's best to zip (compress) all files before sharing. There is a "Link to topic where this file was requested" box under the Browse button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

I'm quite certain that I know where to find the virus which caused all my trouble; is that the file you mean? Or are you really looking for the virus executable itself? I'd really like to help, since I'm dying to get my files back (and if not, at least I tried).



#8 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 February 2018 - 09:26 AM

The malicious executable that you suspect was involved in causing the infection.

#9 jvw199
  • Members
  • 19 posts
  • Gender:Male
  • Location:Rotterdam, The Netherlands

Posted 02 February 2018 - 10:57 AM

The malicious executable that you suspect was involved in causing the infection.

 

Done!



#10 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 February 2018 - 11:32 AM

Ok. Please be patient. BleepingComputer is inundated with support requests and not everyone may receive an individual reply. After our volunteer experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.

#11 l0standf0und
  • Members
  • 2 posts

Posted 05 February 2018 - 09:26 AM

BTW, just a tip.

If you want to decrypt a zip file or docx file:

Take your encrypted file private_file.docx.GDCB, rename it to private_file.txt.GDCB and upload it to your ransom page.

The administrator of GandCrab made a newbie mistake and only allows (txt, jpg/jpeg, jpeg, bmp, png, gif) files, but he doesn't have other verifications.... So take your encrypted files, rename them and decrypt them through his website.

So, the PHP lines in his code which do the check of the extension are useless.....


Edited by l0standf0und, 05 February 2018 - 09:42 AM.


#12 jvw199
  • Members
  • 19 posts
  • Gender:Male
  • Location:Rotterdam, The Netherlands

Posted 05 February 2018 - 12:54 PM

BTW, just a tip.

If you want to decrypt a zip file or docx file:

Take your encrypted file private_file.docx.GDCB, rename it to private_file.txt.GDCB and upload it to your ransom page.

The administrator of GandCrab made a newbie mistake and only allows (txt, jpg/jpeg, jpeg, bmp, png, gif) files, but he doesn't have other verifications.... So take your encrypted files, rename them and decrypt them through his website.

So, the PHP lines in his code which do the check of the extension are useless.....

Does this mean that the site doesn't check how many files you decrypted? So in theory all our files could be decrypted through his site?



#13 jvw199
  • Members
  • 19 posts
  • Gender:Male
  • Location:Rotterdam, The Netherlands

Posted 06 February 2018 - 03:30 PM

Ok. Please be patient. BleepingComputer is inundated with support requests and not everyone may receive an individual reply. After our volunteer experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.


Well, apparently it wasn't the executable I initially thought to be the cause. I just read something about a "Hoefflerfont installer" that was in fact the GandCrab ransomware (according to the source) and vaguely remembered that I installed this. I still have this on my PC; should I send it?

#14 Amigo-A
  • Members
  • 585 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 07 February 2018 - 03:06 AM

"Hoefflerfont installer"

jvw199

Installing malware under the guise of a font is a long-time favourite method of attackers. It is also used in ransomware attacks. You should not accept fonts with exe extensions or other atypical ones on your computer. And in typical cases, thorough checking of the file by your antivirus and by online analysis sites is necessary.

The trick with the fake font installer HoeflerText was also used in the malicious campaign of the Spora Ransomware.

Edited by Amigo-A, 07 February 2018 - 03:26 AM.



#15 jvw199
  • Members
  • 19 posts
  • Gender:Male
  • Location:Rotterdam, The Netherlands

Posted 07 February 2018 - 05:00 AM

"Hoefflerfont installer"

jvw199

Installing malware under the guise of a font is a long-time favourite method of attackers. It is also used in ransomware attacks. You should not accept fonts with exe extensions or other atypical ones on your computer. And in typical cases, thorough checking of the file by your antivirus and by online analysis sites is necessary.

The trick with the fake font installer HoeflerText was also used in the malicious campaign of the Spora Ransomware.

Yeah, pretty stupid now I think about it... I also thought I was protected by Malwarebytes, but apparently scanning of downloaded files is only for premium nowadays. But well, can't undo things of the past.

 

Edit:

Just found something interesting at "%appdata%/Microsoft/Crypto". There are two folders, RSA and Keys, each with one dll file in a subfolder; could these possibly be my decryption keys?


Edited by jvw199, 07 February 2018 - 07:33 AM.
