jimdays

I got Gandcrab 5.0.4, have questions
« on: December 01, 2018, 02:06:21 am »
I downloaded fake software from Pirate Bay. (This particular software now seems to be deleted from Pirate Bay.) The exe showed a lot (about 3/4) of positives on VirusTotal, but I clicked on it anyway. The computer was immediately infected. Documents, pictures, music, etc. were all encrypted and with file extension oldsb-decrypt.
I used Malwarebytes free and it found and deleted several hundred files. I ran Malwarebytes several more times and got 0 infected files, although one time I got two infected files. I did a Windows search and it found over 2000 files with the name oldsb.
I deleted all 2000 files. I don't care about my files because everything is backed up. Many infected files were on c/users.
I noticed my Windows sample music (like Beethoven) is gone and also the Windows sample pictures are gone. The computer seems to run fine, maybe even faster than before.
I manually deleted a few other files on c/users that seemed to have any reference to the virus. I found one image, see below (it shows the name of the ransomware), that I think I'll keep as a souvenir.
My questions are: do you think the computer is OK now? Where can I look in my computer to find any other files that are related to the virus?
Besides losing the Windows sample music and pictures, what other differences will become evident after I deleted the 2000 infected files? So far, I can't see any problem with the operation of the computer.

jimdays

Re: I got Gandcrab 5.0.4, have questions
« Reply #1 on: December 01, 2018, 06:55:25 pm »
I registered and posted on this forum yesterday about the Gandcrab that I got. After I posted the message, I wanted to browse the forum, but I got a message that I was banned permanently. I logged out and tried to read the forum, but it said that the guest was banned permanently. Can you recover the message I sent to you and post it? I didn't post anything against the forum rules, so I shouldn't have been banned. It must be some mistake.

Execute

Re: I got Gandcrab 5.0.4, have questions
« Reply #2 on: December 04, 2018, 01:43:42 pm »
Hello @jimdays,
first let me disambiguate something for you:

Quote
...I got message that I was banned permanently...

You were never banned. The fact that you posted the comments and that they both went through already proves that. There is a spam-filter so it takes some time before posts get moderated (/approved). The error you have seen shows when a proxy, VPN or other similar service is used (when IP addresses, DNS settings and other Internet settings are changed).

To the main comment and question:

I think that the anti-malware tool you used did the heavy lifting, and supposedly your system should be clear of the executables that launch the GandCrab cryptovirus. However, there might be some registry files related to the virus that might have stayed on your system. Regardless, even if that is true, the registry entries cannot do a thing if the executable files are missing. If I were you, I would format the C drive or whichever drive holds the Windows OS (assuming that you have that OS). Then I would use my backup to recover the PC with all the files that got encrypted. Also, there is no guarantee that a keylogger or some other malware didn't get in alongside the GandCrab ransomware.

In any case, I am truly happy that you had a backup and that you probably do them regularly! =)

P.S.: Some ransomware viruses and other malware can have all engines green/clear, especially if the malware sample is new and not in their databases yet. Let that be a lesson to you and don't open executables before you scan them with anti-malware software or do more research.

BTW, the newest version of the ransomware is already out - you can visit our article for GandCrab v5.0.9 Cryptovirus to check out what's new and if you are curious to know more about it.

Happy trails! =)

jimdays

Re: I got Gandcrab 5.0.4, have questions
« Reply #3 on: December 07, 2018, 02:23:30 am »
Thank you for unbanning me. I have one more question. The computer I have is a Windows 7 netbook. It has a hidden partition that can be used to restore the computer (erase everything and re-image from the hidden partition). Do you think the hidden partition got affected by the Gandcrab 5.0.4? In other words, if I were to use that hidden partition to restore the computer, would that work OK? I don't have any plans to do that (because the computer seems to run fine now), but I want to know for future reference. Malwarebytes free version is constantly showing zero viruses/malware on the computer. Oh, one other question. I was looking online for other people that got Gandcrab and somebody posted the ransom screens (unfortunately I deleted all my encrypted files (about 2000) with the ransom info before I had a chance to look at them). The screen (posted) said you need to use a Tor browser to see the ransom amount and how to pay. I used a regular browser (on that person's posted info) and that didn't work. I downloaded the Tor browser and I was able to see the ransom amount ($600) that just increased to $1200 because he didn't pay by the deadline. Also there was a chat function (now made inoperable until payment is received), presumably to negotiate a lower price, and there was detailed but simple info on how to pay. My question is: why didn't the regular browser lead me to the ransom amount screen? What is so special about the Tor browser that it is necessary to use it to see the ransom amount screen? In that chat function, are people typically able to negotiate a lower ransom, say $300 instead of the initial $600?

Execute

Re: I got Gandcrab 5.0.4, have questions
« Reply #4 on: December 07, 2018, 10:15:24 am »
Hello @jimdays.

First of all - you were never banned. I won't explain it further, but I will just say that there is post moderation due to spam.

Second, new viruses are released every single day - literally. So it is hard to tell specifics for each of them. The partition could have been infected, but we have received no reports of that happening thus far.

Third, most ransomware viruses today use the TOR network to host their ransom notes. The ransom note is inaccessible from anywhere else. The reason is mainly for them to stay anonymous so they are not caught by the FBI, CIA, Interpol and other such agencies. Other browsers can detect information about you and your computer.

Fourth, GandCrab v5.0.4 has new malware "strings" released on the Internet every day, so each anti-virus and anti-malware vendor has to add these new variations of the virus to their database, and that can take from a few hours to weeks. If the variant is not discovered, half of the anti-virus programs won't detect it. Some malicious behaviour can be observed and stopped, though.

Best Regards,
Execute

jimdays

Re: I got Gandcrab 5.0.4, have questions
« Reply #5 on: December 08, 2018, 05:38:49 pm »
Thank you for the response. A couple of other questions:
1) You said the Tor browser is used because it doesn't store personal data. My question is, why doesn't a regular browser even work (I tried Chrome/Firefox/IE and it didn't work) to be able to go to the person's ransom amount page? (I was able to see the person's ransom amount page with the Tor browser.) Is Chrome/Firefox/IE just not able to resolve certain categories of internet addresses?
Here is the person's ransom amount page (posted in the Bleeping Computer public forum):
http://gandcrabmfe6mnef.onion/60a5301a365e6aee
I went to that page a couple of days ago with the Tor browser and was able to see his ransom amount page, but I couldn't get to it with a regular browser.
2) Do you have any idea what percentage of the time (using the chat function in the ransom amount page) the victim is able to negotiate a lower ransom amount? Like, for example, negotiate from $600 to $300?

Execute

Re: I got Gandcrab 5.0.4, have questions
« Reply #6 on: December 10, 2018, 10:05:19 am »
@jimdays,
No problem - we are here to help.

Quote
My question is, why doesn't a regular browser even work ( I tried Chrome/firefox/IE and it didn't work) to be able to go to the person's ransom amount page?

1) If I didn't make myself explicit: the ransomware creators have their ransom note and instruction pages hosted on the TOR network, meaning that ONLY the Tor browser can access these pages and nothing else in the world, not a browser, not another program.

That is indeed one of the addresses, but there are many such Web pages with GandCrab instructions.

2) Not really. Usually, ransomware authors want you to pay, so they can make exceptions for a lower amount, but not always. For negotiations and response time, it depends on the cybercriminals and whether they don't like the victim or are willing to get at least some money out of him.

We at SensorsTechForum have seen some respond right away, some take days and some never respond, but we also advise AGAINST paying the cybercriminals. Not only is there no guarantee that your files will get decrypted, but you are also supporting criminals, who will most probably continue to make ransomware, etc. Even if you unlock your files, you can become a victim again in the future...

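The reason a regular browser fails on the address above is that `.onion` is a special-use top-level domain (RFC 7686) that public DNS never resolves; only a Tor client can route the request. As an added example (not part of the thread), the following Python classifies hostnames as clearnet or Tor onion names (legacy 16-character v2, such as the page's gandcrab address, or 56-character v3) and flags `.onion` lookups in a constructed DNS log, which a defender can use to spot a client that tried to reach a ransom page without Tor. The log format and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# ".onion" is a special-use TLD (RFC 7686): public DNS never resolves it, so an
# ordinary browser cannot reach the ransom page; only a Tor client can, because it
# routes the request into the Tor network instead of asking a DNS resolver.
ONION_LABEL = re.compile(r"^[a-z2-7]+$")   # base32 alphabet used by onion names

def classify_host(host):
    """Return 'clearnet', 'onion-v2', 'onion-v3' or 'onion-bad' for a hostname."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "clearnet"
    label = host.split(".")[-2]             # onion service name (subdomains may precede it)
    if not ONION_LABEL.match(label):
        return "onion-bad"
    if len(label) == 16:                    # legacy v2, like the gandcrab address in the thread
        return "onion-v2"
    if len(label) == 56 and label.endswith("d"):   # v3: 35 bytes base32, version byte 3 -> 'd'
        return "onion-v3"
    return "onion-bad"

def onion_host_from_url(url):
    """Pull the host out of a ransom-note URL and classify it."""
    host = urlsplit(url).hostname or ""
    return host, classify_host(host)

def onion_queries(log_lines):
    """Scan 'timestamp client qname' DNS log lines (assumed format) and return the
    .onion lookups. A .onion query reaching a resolver means a client tried to open a
    Tor hidden service without Tor, which is worth alerting on in a managed network."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                        # malformed line: skip rather than crash
        ts, client, qname = parts[0], parts[1], parts[2]
        kind = classify_host(qname)
        if kind != "clearnet":
            hits.append((ts, client, qname.lower().rstrip("."), kind))
    return hits

# Constructed sample log; the onion name is the one posted in the thread.
SAMPLE_LOG = [
    "2018-12-08T17:30:01 10.0.0.5 www.example.com.",
    "2018-12-08T17:30:07 10.0.0.5 gandcrabmfe6mnef.onion.",
    "2018-12-08T17:30:09 10.0.0.9 " + "a" * 55 + "d.onion",   # constructed v3-shaped name
    "garbage",
]

if __name__ == "__main__":
    for hit in onion_queries(SAMPLE_LOG):
        print(hit)
```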

jimdays

Re: I got Gandcrab 5.0.4, have questions
« Reply #7 on: December 13, 2018, 10:43:31 pm »
Thank you for the info on the Tor browser. I went on a public computer to find another Gandcrab ransomware (on Pirate Bay) to see how they would negotiate the price. It started out at $500 and they accepted my offer of $300. The screen then updated to $300. Then I offered $100 and they said *uck you and banned further chat (see the screenshot below). I suppose they will spend no more than 15 seconds on the chat before they ban you. There is money to be made from somebody else.

Execute

Re: I got Gandcrab 5.0.4, have questions
« Reply #8 on: December 17, 2018, 01:14:43 pm »
@jimdays

Well, that's only 1 chat. It could depend on a lot of factors, but that's quick money. Since GandCrab ransomware is one of the top 10 threats in the past few weeks, they are probably already swimming in money. I am also judging from the fact that they immediately agreed, on the spot, to 300 and they didn't even negotiate. Another reason could be that the BitDefender team is working on a decryptor for that version...

Execute

Re: I got Gandcrab 5.0.4, have questions
« Reply #9 on: February 19, 2019, 04:29:15 pm »
The new GandCrab decryptor is a fact: it works for every version of GandCrab up to 5.1 (including 5.1). It does not work for version 5.2!
Grab it from BitDefender Labs: https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/