GandCrab v3 – dangerous ransomware virus hailing from the infamous GandCrab family

GandCrab 3 is a crypto-virus[1] virus that functions as a third version of the notorious GandCrab ransomware. At the end of April 2018, only a couple of month after the release of GandCrab2, hackers struck again with a new strength targeting Russia, Belarus, Kazakhstan, and Ukraine PC users in particular. GandCrab v3 renders AES-256 (CBC mode) + RSA-2048 encryption to hardcode personal files and subsequently mark them with .CRAB file extension. The file CRAB-DECRYPT.txt stands for a ransom note, which contains an explicit guide on how the victim has to pay the ransom. Bitcoins accepted only.
| Name | GandCrab 3 |
|---|---|
| Versions | GandCrab, GandCrab 2 |
| Classification | Ransomware |
| File extension | .CRAB |
| Ransom note | CRAB-DECRYPT.txt |
| Main symptoms | Personal files inaccessible, ransom note created on the desktop, slow PC, compromised desktop's wallpaper, browser redirects to payment website |
| Main dangers | It compromises the system and can cause severe crash. Personal files may be permanently deleted. Money loss |
| Removing ransomware manually is not possible. To get rid of it, you should render a professional anti-malware like FortectIntego | |
At the very end of April 2018, cybersecurity experts detected a sample of the GandCrab v3 ransomware. Genealogically, its predecessors are GandCrab and GandCrab 2 versions, both of which appeared to be extremely successful from the perspective of the crooks.[2] The initial release managed to collect more than 600,000 USD within less than four months.
While the initial variant can already be decrypted, the v2 does not. GandCrab 3 decryptor is not yet available either.
Currently, it's not yet hundred percent clear what distribution techniques cybercriminals exploit to spread this malware around. However, based on the information collected about this malware, the following methods can be applied:
- Magnitude Exploit Kit;
- Rig Exploit Kit;
- GrandSoft Exploit Kit;
- Seamless malvertising campaign;
- Receipt Feb-21310 [random numbers] attachment of spam email;
- Fake Hoefler text font updates;
- Hacked Remote Desktop Services, etc.
Upon encryption, the GandCrab 3 virus changes boot sequence eliminates Volume Shadow Copies using Command Prompt and PowerShell as admin, and the unravels the AES-256 (CBC mode) + RSA-2048 encryption algorithm. In the background of the system, the malware runs random.exe. It may also hijack the explorer.exe file and force the system to restart to finish up the encryption.
Just like the previous version, it appends .CRAB file extension to the encoded files. It's targets more than 250 file types, including the most popular (.jpg, .png, .doc, .pdf, .avi, .docx, etc.). Once the files are encrypted, the virus generates a ransom note called CRAB-DECRYPT.txt. It says:
—= GANDCRAB V3 =—
Attention!
All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB
The only method of recovering files is to purchase a private key. It is on our server, and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
0. Download Tor browser – https://www.torproject.org/
1. Install Tor browser
2. Open Tor Browser
3. Open link in TOR browser:
4. Follow the instructions on this page
On our page, you will see instructions on payment and get the opportunity to decrypt 1 file for free.
The alternative way to contact us is to use Jabber messanger. Read how to:
0. Download Psi-Plus Jabber Client: https://psi-im.org/download/
1. Register new account: http://sj.ms/register.php
0) Enter “username”: 21b1a2d1729f0695
1) Enter “password”: your password
2. Add new account in Psi
3. Add and write Jabber ID: ransomware@sj.ms any message
4. Follow instruction bot
ATTENTION!
It is a bot! It's fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
CAUGHTION!
Do not try to modify files or use your own private key. This will result in the loss of your data forever!
Unlike the two previous versions that accepted DASH cryptocurrency, the latest version demands victims to pay the ransom in Bitcoins. Besides, malware researchers found out that the provenance of the GandCrab-3 is Romania.
If you have the slightest suspicion that you're infected with this ransomware, make sure to remove GandCrab 3 from the system ASAP. For that, we recommend using FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes antivirus tools. As long as you keep it installed, you won't be able to recover your files without paying the ransom.
Upon GandCrab v3 removal, you should try to retrieve files locked with .CRAB file extension with the help of third-party data recovery tools or try to enable a previous Windows version. You can find a full guide on how to recover files encrypted by ransomware at the end of this article.

Criminals may use multiple techniques to spread malware
Bedynet.ru[3] team claim that this particular ransomware is not very likely to confine itself to one distribution method. While it did reach the mainstream distribution yet, it's difficult to name the whole list of techniques precisely.
Nevertheless, people should be careful with Receipt Feb-21310 [ random numbered] attachment sent from [random name ]@cdkconstruction.org. As soon as you spot a suspicious email from the unknown sender, we highly recommend you to report it as spam immediately.
Exploit Kits, including Magnitude, RIG, and GrandSoft are also known for being widely used ransomware carriers. To prevent malicious software from exploiting your PC's vulnerabilities, make sure to install all system's updates and patches.
Last, but not least, be careful with a free download on the net. It has been found that many suspicious and illegal websites contain fake software update downloads. One of the examples used to spread the ancestor of this ransomware is fake Hoefler TextFont. The potential victim is being redirected to a hacked website, which displays scrambled text, and displays a pop-up alert urging to download the latest font update to see the content.
GandCrab-3 removal options
There's only one possibility to remove GandCrab v3 ransomware from the system. It's called automatic since it requires the usage of a professional anti-malware program. Manual removal, when you try to get rid of malicious files by yourself, is practically impossible unless you don't mind damaging the system and the encrypted files permanently.
Instead of that, we would strongly recommend you to use a professional security program, for example FortectIntego, for elimination malicious files manually. Upon successful Gandcrab 3 removal, try to recover your files using data recovery methods listed down below.
Note that each of Gandcrab ransomware's versions has been trying to disable anti-virus/anti-malware scanners to prevent their removal from the system. No matter which version you have on your computer, try following the guide below to know what should be done if you want to create a safe environment for virus removal:
Was this guide helpful?
Be the first to comment