GandCrab version 3 was released earlier this week with a few noticeable changes. The most noticeable change is the addition of a desktop background.
Unfortunately, at this time GandCrab 3 cannot be decrypted for free. For those who wish to discuss GandCrab or receive support, you can post in our dedicated GandCrab Help & Support topic.
Marcelo Rivero, a Malware Intel Analyst from Malwarebytes, discovered GrandCrab v3 this past monday and Jérôme Segura, another Malwarebytes Intel Analyst, this variant was being distributed via the Magnitude exploit kit.
Fortinet, also spotted GandCrab v3 being distributed through malspam campaigns. These malspam emails contain subjects like "Order #65121" and contain attachments with a VBS downloader that installs GandCrab v3.
The most noticeable change in this release of GandCrab is the increment of the version number to 3, new ransom note text, and the introduction of a pretty bad desktop background.
The ransom note is still named CRAB-DECRYPT.txt and encrypted files still have the .CRAB extension.
With this version, GandCrab also introduces a low resolution background that tells you to read the CRAB-DECRYPT.txt ransom note in order to learn what happened to your files. This background can be seen below.
The ransom note also contains new text as can be seen below.
A RunOnce autorun key was introduced in older versions will cause GandCrab to start automatically when a user logs in. When GandCrab is installed, it will encrypt the computer, set the background, and then automatically reboot the computer. For Windows 7 users, there is a problem with this method as the autorun causes the browser to open the TOR web site and the background to display, but does not display the desktop.
Fortinet researchers feel this may be a bug in the program for those using Windows 7 that causes it to exhibit this screenlocker behavior. In some ways, this behavior could actually benefit the ransomware developers as it may cause further panic and more ransom payments.
Finally, this version introduces the domain "carder.bit" as a server that the ransomware communicates with. The GandCrab devs have a sense of humor when they name associated domains as shoutouts to security companies, websites like BC, and researchers. This one is a reference to those who perform credit card fraud.
Once again, unfortunately this version cannot be decrypted for free and if you wish to discuss GandCrab or receive support, you can post in our dedicated GandCrab Help & Support topic.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[random]" = "%AppData%\Microsoft\[random].exe"
ns1.wowservers.ru carder.bit (only resolves through above NS)
ENCRYPTED BY GANDCRAB 3 DEAR [user_name], YOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR For further steps read CRAB-DECRYPT.txt that is located in every encrypted folder.
---= GANDCRAB V3 =--- Attention! All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: 0. Download Tor browser - https://www.torproject.org/ 1. Install Tor browser 2. Open Tor Browser 3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] 4. Follow the instructions on this page On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. The alternative way to contact us is to use Jabber messanger. Read how to: 0. Download Psi-Plus Jabber Client: https://psi-im.org/download/ 1. Register new account: http://sj.ms/register.php 0) Enter "username": [id] 1) Enter "password": your password 2. Add new account in Psi 3. Add and write Jabber ID: email@example.com any message 4. Follow instruction bot ATTENTION! It is a bot! It's fully automated artificial system without human control! To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations. You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf CAUGHTION! Do not try to modify files or use your own private key. This will result in the loss of your data forever!