Over the weekend, the GandCrab V4 Ransomware was released with numerous changes. These changes include a different encryption algorithm, a new .KRAB extension, a new ransom note name, and a new TOR payment site.

Unfortunately, at this time, victims of GandCrab v4 cannot decrypt their files for free. As always if you wish to discuss this ransomware or receive help with it, you can use our GandCrab Help & Support topic.

GandCrab v4 distributed via fake crack sites

According to a malware analyst who goes by the alias Fly, one of the methods by which GandCrab v4 is being distributed is through fake software crack sites. The ransomware distributors hack legitimate sites and set up fake blogs that offer software crack downloads. When a user downloads and runs one of these cracks, it installs the GandCrab Ransomware onto the computer.

You can see an example of one of these fake crack blogs below.

GandCrab begins using the Salsa20 encryption algorithm

According to debug messages found in GandCrab v4 by Malwarebytes security researcher Marcelo Rivero, it appears that the ransomware has switched its encryption algorithm to Salsa20.

The GandCrab authors love to send shout-outs to various researchers, companies, and sites, and with this change in their algorithm, they sent a message to Daniel J. Bernstein, a computer science professor at the University of Illinois at Chicago who invented the Salsa20 algorithm.

@hashbreaker Daniel J. Bernstein let's dance salsa <3

How GandCrab encrypts a computer

When GandCrab is executed it will scan the computer and any network shares for files to encrypt. When scanning for network shares, it will enumerate all shares on the network and not just mapped drives.

When it encounters a targeted file, it will encrypt the file and then append the .KRAB extension to the encrypted file's name. For example, test.doc would be encrypted and renamed to test.doc.KRAB.

You can see an example of a folder with encrypted .KRAB files below.

When encrypting files, the ransomware will also create ransom notes named KRAB-DECRYPT.txt that contain information about what happened to the victim's files, a TOR site (gandcrabmfe6mnef.onion) to connect to for payment instructions, and encrypted information that the ransomware developers need to recover your encryption key.

You can see an example ransom note below.
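As an added example (not from the article, and not code from the GandCrab authors), the following Python script scopes an infection by the two artefacts just described: it walks a file tree for names ending in .KRAB, recovers the original filenames, locates KRAB-DECRYPT.txt notes, and checks whether each note references the payment site. The tree it scans is a constructed sample written to a temporary directory.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Artefact names taken from the article above.
KRAB_EXT = ".KRAB"
NOTE_NAME = "KRAB-DECRYPT.txt"
ONION = "gandcrabmfe6mnef.onion"


def scan_for_gandcrab_v4(root):
    """Walk `root` and collect the two artefacts the article describes:
    files renamed with a trailing .KRAB extension and KRAB-DECRYPT.txt
    ransom notes. Returns a summary dict a responder can use to scope
    which folders (and which original files) were hit."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE_NAME:
            text = path.read_text(errors="ignore")
            notes.append({"path": str(path), "mentions_onion": ONION in text})
        elif path.name.upper().endswith(KRAB_EXT):
            # Strip the appended extension to recover the original filename.
            encrypted.append({"path": str(path),
                              "original_name": path.name[:-len(KRAB_EXT)]})
    per_dir = Counter(str(Path(e["path"]).parent) for e in encrypted)
    return {"encrypted": encrypted, "notes": notes, "per_dir": dict(per_dir)}


def build_constructed_sample(root):
    """Create a constructed tree (not real ransomware output) mimicking an
    infected user profile: two .KRAB files and a ransom note in Documents,
    and an untouched Pictures folder."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True)
    (docs / "test.doc.KRAB").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.KRAB").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("Visit " + ONION + " for payment instructions")
    pics = Path(root) / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")


def demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_for_gandcrab_v4(tmp)
```

Run `demo()` to see the summary; pointing `scan_for_gandcrab_v4` at a mounted image or share gives the per-folder count of renamed files, which is a quick way to bound what the backup restore needs to cover.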

If a user visits the TOR payment site they will be presented with the ransom amount and instructions on how to pay it in order to receive the GandCrab Decryptor.

The ransom amount is currently $1,200 USD to be paid in the DASH (DSH) cryptocurrency as can be seen below.

The TOR payment site also includes a support section where you can send messages to the developers, as well as the ability to decrypt one file for free so that the developers can prove they are able to do so.

It goes without saying that victims should make every effort not to pay the ransom. If you have a backup, even if it is missing a few files, it is suggested that you still not pay the ransom.

As previously stated, at this time, victims of GandCrab v4 cannot decrypt their files for free. As always, if you wish to discuss this ransomware or receive help with it, you can use our GandCrab Help & Support topic.

How to protect yourself from the GandCrab Ransomware

In order to protect yourself from ransomware it is important that you use good computing habits and security software. The most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. 

You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

A good security software solution that incorporates behavioral detections to combat ransomware, rather than relying only on signature detections or heuristics, is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detections or whitelist technology. Whitelisting can be a pain to train, but if you are willing to stick with it, it could have the biggest payoff.
  • Use strong passwords and never reuse the same password at multiple sites.
  • BACKUP!

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Hashes:

ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23

Associated Files:

KRAB-DECRYPT.txt