GandCrab version 3 was released earlier this week with a few noticeable changes. The most noticeable change is the addition of a desktop background.

Unfortunately, at this time GandCrab 3 cannot be decrypted for free. For those who wish to discuss GandCrab or receive support, you can post in our dedicated GandCrab Help & Support topic.

Distributed through exploit kits and malspam

Marcelo Rivero, a Malware Intel Analyst from Malwarebytes, discovered GandCrab v3 this past Monday, and Jérôme Segura, another Malwarebytes Intel Analyst, found that this variant was being distributed via the Magnitude exploit kit.

Magnitude Exploit Kit Distribution of GandCrab
Source: EKFiddler Twitter Account

Fortinet also spotted GandCrab v3 being distributed through malspam campaigns. These malspam emails use subjects like "Order #65121" and carry an attachment containing a VBS downloader that installs GandCrab v3.

GandCrab Malspam
Source: Fortinet

Changes in GandCrab v3

The most noticeable changes in this release of GandCrab are the version number being bumped to 3, new ransom note text, and the introduction of a pretty bad desktop background.

The ransom note is still named CRAB-DECRYPT.txt and encrypted files still have the .CRAB extension.

With this version, GandCrab also introduces a low resolution background that tells you to read the CRAB-DECRYPT.txt ransom note in order to learn what happened to your files. This background can be seen below.

GandCrab v3 Desktop Background

The ransom note also contains new text as can be seen below.

GandCrab v3 Ransom Note

A RunOnce autorun key, which was introduced in older versions, causes GandCrab to start automatically when a user logs in. When GandCrab is installed, it will encrypt the computer, set the background, and then automatically reboot the computer. For Windows 7 users, there is a problem with this method: the autorun causes the browser to open the TOR web site and the background to display, but the desktop itself is not shown.

Fortinet researchers believe this may be a bug in the program on Windows 7 that causes it to exhibit this screenlocker behavior. In some ways, this behavior could actually benefit the ransomware developers, as it may cause further panic and more ransom payments.

Finally, this version introduces the domain "carder.bit" as a server that the ransomware communicates with. The GandCrab devs have a sense of humor when they name associated domains as shoutouts to security companies, websites like BC, and researchers. This one is a reference to those who perform credit card fraud.

Once again, unfortunately, this version cannot be decrypted for free. If you wish to discuss GandCrab or receive support, you can post in our dedicated GandCrab Help & Support topic.

Updated 5/6/18: Updated to reflect that the RunOnce autorun was present in previous versions. Thanks to Ravikant Tiwari and MalwareHunterTeam.


IOCs

Hashes:

SHA256: 0b193494ffbbc5396886715253582aea075f97f5c5e79b58de9a4c0c62ed9b02

Associated Files:

CRAB-DECRYPT.txt
%AppData%\Microsoft\[random].exe

Associated Registry Entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[random]" = "%AppData%\Microsoft\[random].exe"

Network Connections:

ns1.wowservers.ru
carder.bit (only resolves through above NS)
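The indicators above (the RunOnce persistence key pointing at %AppData%\Microsoft\[random].exe, the CRAB-DECRYPT.txt note, the .CRAB extension, the SHA256 hash and the two network names) can be turned into a simple offline triage check. The script below is an added example written for this article, not code from the article, from Fortinet or from Malwarebytes. The registry export lines, file listing and DNS log lines in it are constructed sample data in simplified formats (a .reg-style [key] header followed by "name"="value" lines; DNS log lines of the form "timestamp client qname qtype"), so adapt the parsers to whatever your own exports and logs look like.

```python
"""
Offline IOC matcher for the GandCrab v3 indicators listed in this article.
Added example (not the article's own code). All SAMPLE_* inputs below are
constructed for the demonstration; only the IOC values come from the article.
"""
import re

# Indicators taken from the article's IOC section.
IOC_SHA256 = {"0b193494ffbbc5396886715253582aea075f97f5c5e79b58de9a4c0c62ed9b02"}
IOC_DOMAINS = {"carder.bit", "ns1.wowservers.ru"}
RANSOM_NOTE = "CRAB-DECRYPT.txt"
ENCRYPTED_EXT = ".crab"
RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# The dropped binary lives at %AppData%\Microsoft\<random>.exe. Accept both the
# unexpanded %AppData% form and the expanded \AppData\Roaming path.
DROPPER_RE = re.compile(r"(?i)(%appdata%|\\appdata\\roaming)\\microsoft\\[^\\]+\.exe$")


def check_registry(reg_lines):
    """Return (value_name, value_data) for RunOnce entries that point into
    %AppData%\\Microsoft\\*.exe. Input mimics a .reg export: [key] headers
    followed by "name"="data" lines, with backslashes doubled in the data."""
    hits = []
    current_key = None
    for line in reg_lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == RUNONCE_KEY.lower():
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if not m:
                continue
            data = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if DROPPER_RE.search(data):
                hits.append((m.group(1), data))
    return hits


def check_files(paths):
    """Return (ransom_notes, encrypted_files) found in a list of file paths."""
    notes = [p for p in paths if p.rsplit("\\", 1)[-1].lower() == RANSOM_NOTE.lower()]
    encrypted = [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]
    return notes, encrypted


def check_dns(log_lines):
    """Return (timestamp, client, qname) for queries to the listed names.
    Assumed log format: '<timestamp> <client_ip> <qname> <qtype>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in IOC_DOMAINS:
            hits.append((parts[0], parts[1], qname))
    return hits


def check_hashes(hashes):
    """Return the subset of the given SHA256 hashes that match the IOC list."""
    return sorted(h.lower() for h in hashes if h.lower() in IOC_SHA256)


# --- Constructed sample data (not real host artifacts) ---------------------
SAMPLE_REG = [
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]",
    r'"Updater"="C:\\Program Files\\Vendor\\update.exe"',
    r'"ijnqazx"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\ijnqazx.exe"',
]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.CRAB",
    r"C:\Users\alice\Documents\CRAB-DECRYPT.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
]
SAMPLE_DNS = [
    "2018-05-01T10:02:11Z 10.0.0.23 ns1.wowservers.ru A",
    "2018-05-01T10:02:12Z 10.0.0.23 carder.bit. A",
    "2018-05-01T10:02:30Z 10.0.0.41 www.example.com A",
]
SAMPLE_HASHES = [
    "0B193494FFBBC5396886715253582AEA075F97F5C5E79B58DE9A4C0C62ED9B02",
    "0" * 64,  # constructed, non-matching placeholder hash
]


def triage(reg_lines, paths, dns_lines, hashes):
    """Run every check and return a summary dict for reporting."""
    notes, encrypted = check_files(paths)
    return {
        "runonce_dropper": check_registry(reg_lines),
        "ransom_notes": notes,
        "encrypted_files": encrypted,
        "c2_dns": check_dns(dns_lines),
        "hash_matches": check_hashes(hashes),
    }


if __name__ == "__main__":
    for name, found in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_DNS, SAMPLE_HASHES).items():
        print(f"{name}: {found}")
```

The RunOnce check is the most useful of the four: the note points out that a domain like carder.bit only resolves through ns1.wowservers.ru, so on a network that blocks or logs queries to arbitrary nameservers the DNS check may see only the NS lookup, while a RunOnce value under HKCU pointing at a random .exe in %AppData%\Microsoft is a host-side signal that survives the reboot the article describes.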

Wallpaper Text:

ENCRYPTED BY GANDCRAB 3

DEAR [user_name],

YOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR

For further steps read CRAB-DECRYPT.txt that is located in every encrypted folder.

Ransom Note Text:

 ---= GANDCRAB V3  =--- 

Attention! 

All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB 

The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. 


The server with your key is in a closed network TOR. You can get there by the following ways: 

0. Download Tor browser - https://www.torproject.org/ 

1. Install Tor browser 

2. Open Tor Browser 

3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id]                   

4. Follow the instructions on this page                    

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. 


The alternative way to contact us is to use Jabber messanger. Read how to:
0. Download Psi-Plus Jabber Client: https://psi-im.org/download/
1. Register new account: http://sj.ms/register.php
    0) Enter "username": [id]
    1) Enter "password": your password
2. Add new account in Psi
3. Add and write Jabber ID: ransomware@sj.ms any message
4. Follow instruction bot 

ATTENTION!
It is a bot! It's fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf 

CAUGHTION! 

Do not try to modify files or use your own private key. This will result in the loss of your data forever!