GandCrab v5 has been released with a few noticeable changes. The most visible are that the ransomware now appends a random 5 character extension to encrypted files and drops an HTML ransom note.

Security researcher nao_sec has discovered that the GandCrab v5 ransomware is currently being distributed via malvertising that redirects to sites hosting the Fallout exploit kit. As the exploit kit exploits vulnerabilities in the visitor's software (the browser or its plugins) to install the ransomware, a victim becomes infected without any interaction and will not notice until they find the encrypted files and ransom note.

Like previous versions, there is no way to decrypt files encrypted by GandCrab v5 for free. For those who wish to discuss this ransomware or receive support, you can use our dedicated GandCrab Help & Support topic.

How GandCrab v5 encrypts a computer

When GandCrab v5 is executed it will scan the local computer and any network shares for files to encrypt. When scanning for network shares, it enumerates all shares reachable on the network and not just mapped drives, so anything the infected user's account can write to is at risk. Therefore, it is important to make sure all network shares are locked down with least-privilege permissions rather than relying on a share simply not being mapped.

When it encounters a targeted file, it will encrypt the file and then append a random 5 character extension. For example, when I tested the ransomware it appended the .lntps extension to the encrypted file's name. This would cause a file called test.doc to be encrypted and renamed to test.doc.lntps.

You can see an example of a folder with encrypted files below.

Encrypted Files

When encrypting files, the ransomware will also create ransom notes named [EXTENSION]-DECRYPT.html and [EXTENSION]-DECRYPT.txt. For example, in our test the extension was lntps, so the ransom notes are named LNTPS-DECRYPT.html and LNTPS-DECRYPT.txt.
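Because the extension is random per infection, the ransom-note name is the reliable way to recover it during triage. The following is an added example (my own code, not the article's and not anything from the ransomware) that derives the extension from any [EXTENSION]-DECRYPT.html/.txt note it finds, then inventories the encrypted files and the directories they live in, including network shares. The directory listing is constructed for the example, and the split_path, find_ransom_notes, find_encrypted_files, original_name, triage and walk_paths helpers are my own names.

```python
import os
import re

# GandCrab v5 drops ransom notes named [EXTENSION]-DECRYPT.html / .txt next to the
# files it encrypts, where EXTENSION is the random 5-letter extension it appended
# (e.g. LNTPS-DECRYPT.html beside test.doc.lntps). The extension differs per
# infection, so it is derived from the note name rather than hard-coded.
NOTE_RE = re.compile(r"^([A-Za-z]{5})-DECRYPT\.(?:html|txt)$")


def split_path(path):
    """Split a Windows or POSIX path into (parent, name) without touching the filesystem."""
    norm = path.replace("/", "\\")
    parent, _, name = norm.rpartition("\\")
    return parent, name


def find_ransom_notes(paths):
    """Map each extension found in a ransom-note name (lower-cased) to the note paths."""
    notes = {}
    for p in paths:
        m = NOTE_RE.match(split_path(p)[1])
        if m:
            notes.setdefault(m.group(1).lower(), []).append(p)
    return notes


def find_encrypted_files(paths, ext):
    """Return the files carrying the appended extension, e.g. test.doc.lntps for ext 'lntps'."""
    suffix = "." + ext.lower()
    return sorted(p for p in paths if p.lower().endswith(suffix))


def original_name(encrypted_path, ext):
    """Undo the rename only: test.doc.lntps -> test.doc (the content stays encrypted)."""
    suffix = "." + ext.lower()
    if not encrypted_path.lower().endswith(suffix):
        raise ValueError(f"{encrypted_path} does not carry extension {suffix}")
    return encrypted_path[: -len(suffix)]


def triage(paths):
    """Per extension: number of notes, number of encrypted files, affected directories."""
    report = {}
    for ext, note_paths in find_ransom_notes(paths).items():
        encrypted = find_encrypted_files(paths, ext)
        dirs = sorted({split_path(p)[0] for p in encrypted})
        report[ext] = {"notes": len(note_paths), "encrypted": len(encrypted), "directories": dirs}
    return report


def walk_paths(root):
    """Yield every file path under root, for running triage() against a real host or share."""
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            yield os.path.join(dirpath, f)


# Constructed directory listing modelled on the test in the article; not real data.
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\LNTPS-DECRYPT.html",
    r"C:\Users\bob\Documents\LNTPS-DECRYPT.txt",
    r"C:\Users\bob\Documents\test.doc.lntps",
    r"C:\Users\bob\Documents\budget.xlsx.lntps",
    r"C:\Users\bob\Documents\notes.txt",          # untouched file
    r"\\fileserver\public\LNTPS-DECRYPT.html",    # note dropped on a network share
    r"\\fileserver\public\report.pdf.lntps",
    r"C:\Windows\System32\ntdll.dll",             # system file left alone
]

if __name__ == "__main__":
    for ext, info in triage(SAMPLE_LISTING).items():
        print(f".{ext}: {info['encrypted']} encrypted files, {info['notes']} notes, "
              f"dirs={info['directories']}")
```

On a live host, replace SAMPLE_LISTING with list(walk_paths(r"C:\")) or a UNC share root; the report's directory list tells you which shares the infected account could write to, which is exactly what the share-permission review should start from. Note that original_name only reverses the rename: it is an inventory aid, not decryption.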

This ransom note contains information on what happened to your files and instructions on how to access the TOR payment site, which is currently at http://gandcrabmfe6mnef.onion. You can see an example ransom note below.

GandCrab v5 Ransom Note

If a user visits the TOR payment site they will be presented with the ransom amount and instructions on how to pay it in order to receive the GandCrab Decryptor.

TOR Payment Site

The ransom amount is currently $800, to be paid in the Dash (DASH) cryptocurrency, as can be seen below.

The TOR payment site also includes a free test decryption and a support site where you can send and receive messages with the ransomware developers. 

As previously stated, there is no way to decrypt files encrypted by GandCrab v5 for free. As always, if you wish to discuss this ransomware or receive help with it, you can use our GandCrab Help & Support topic.

How to protect yourself from the GandCrab Ransomware

In order to protect yourself from ransomware it is important that you use good computing habits and security software. The most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. 

You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

A security solution that incorporates behavioral detection to combat ransomware, rather than relying on signature detection or heuristics alone, is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detection or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it can have the biggest payoff.
  • Use strong passwords and never reuse the same password at multiple sites.
  • BACKUP!

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

Update 9/25/18: Added information from nao_sec about GandCrab v5 being distributed through the Fallout Exploit kit. Updated with info on the addition of a .txt ransom note.

Related Articles:

The Week in Ransomware - October 19th 2018 - GandCrab, Birbware, and More

GandCrab Devs Release Decryption Keys for Syrian Victims

The Week in Ransomware - October 12th 2018 - NotPetya, GandCrab, and More

The Week in Ransomware - September 28th 2018 - RDP and GandCrab

GandCrab v5 Ransomware Utilizing the ALPC Task Scheduler Exploit

IOCs

Hashes (SHA256):

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0

Associated Files:

[EXTENSION]-DECRYPT.html
[EXTENSION]-DECRYPT.txt