GANDCRAB 5.0.3 Ransomware – How to Remove It (+ Restore Files)

GANDCRAB 5.0.3 Virus – How Does It Infect

For the GANDCRAB 5.0.3 ransomware virus to be effective during the course of it’s infection, the ransomware aims to be replicated via multiple different methods, the primary of which are reported to be carried via spammed e-mails that contain malicious e-mail attachment, posing as important documents. The primary strategy of the hackers Is to trick victims into opening the attachment or clicking on the URL they want them to, which eventually triggers the infection process.

These types of e-mails often pose as messages coming from large companies from the likes of DHL, eBay and many other reputable and massively used sites. The attachments themselves may pose as many documents of utmost importance, for example:

• Order cancellation document.
• Invoice.
• Receipt.
• Banking statement.
• Other files.

The primary method of infection that is characteristic for infection from the magnitude of GANDCRAB ransomware has so far been reported by researchers to be conducted via malicious PDF files, that contain Macros, embedded directly in them. Once opened, the PDF file then leads to a Microsoft Word document, that asks the victim to Enable Editing in order to unlock the contents of the document. Enable Editing triggers the malicous macros and the infection commences. To best explain how it works, we have designed an example infection sequence containing all of the infection steps in a chronological order:

And the e-mails themselves are not made by amateurs as well. They contain seemingly reputable senders. Here is one malicious e-mail spreading such .PDF file that contains GANDCRAB:

From: “Brandon Clay” Brandon@cdkconstruction.org
Subject: Electricity bill Feb-6509
Attachment: Feb-10451.pdf
Body Text: Download the attached file.

Furthermore, GANDCRAB 5.0.3 may also infect victims in a similar way as GANDCRAB 5.0.1 does and that is to use malicious cracks in order to replicate.

Related: GandCrab Ransomware Now Infects Via Software Cracks

These types of cracks are uploaded as .exe files on a WordPress site that is either hacked by the malware spammer or created by the spammer himself. They imitate the activators for different free programs that could be useful to users who work with documents. One of the crack pages has been shown in the image below:

GANDCRAB 5.0.3 Ransomware – What Does It Do

GANDCRAB 5.0.3 ransomware infects users by running it’s malicious executable file. According to latest reports, the sample itself is a JavaScript downloader type of file, called “GandCrab 5.0.3 downloader.js”. It has the following indicators of compromise:

→ Name: GandCrab 5.0.3 downloader.js
MD5: 595A31A4913951D3EB7211618AE75DEA
Size: 986 KB
Location: C:\Users\Admin\AppData\Temp\

The malicious script spawns two other malicious processes, likely in the same location. They have the following names:

• dsoyaltj.exe
• Wermgr.exe

The malicious processes obtain administrative privileges and then run the following commands in Windows Command Prompt as an administrator:

→ wmic.exe shadowcopy delete
wmd.exe /c timeout –c 5 & del “C”\Windows\System32\wermgr.exe” /f /q
wimeout.exe –c 5

Then, the malware drops it’s ransom note file by creating thousands of copies of it in each of the folders where files are encrypted. The ransom note contains the file extension of the encrypted files and then the suffix “-DECRYPT.txt”. It has the following message to victims:

—= GANDCRAB V5.0.3 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
———————————————————————–
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser https://gandcrabmfe6mnef.onion/{victim’s unique ID}
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
• DO NOT MODIFY ENCRYPTED FILES
• DO NOT CHANGE DATA BELOW

The ransom note’s main purpose is to get victims to be scared enough to visit the Tor payment page of GANDCRAB, which is a very well designed page for cyber-extortion (see image below) that even contains “customer support” and provides free decryption of 1 file:

Furthermore, alongside the ransom note of GANDCRAB 5.0.3, the virus also drops it’s ransom note file in the following Windows Directory:

→C:\Users\Admin\AppData\Temp\Liebert.bmp

The ransom note is set as wallpaper shows the following extortion message:

Note from Image:

ENCRYPTED BY GANDCRAB 5.0.3
DEAR admin,
YOUR FILES ARE UNDER STRONG PORTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR.
For further steps read {extension}-DECRYPT.txt that is located in every encrypted folder.

But the sad part here is that GANDCRAB 5.0.3 does not stop there as it also accesses Windows Registry Editor in order to furthr obtain permissions over the infected machine. The virus is believed to access the following sub-keys and tamper with entries within them:

→ HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\SOFTWARE\keys_data\data
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters

GANDCRAB 5.0.3 does not stop there as the virus establishes hundreds of connections and a lot of POST traffic, all of which can be seen by visiting the full report on Any.run’s web page:

• Full Any.Run Report of GANDCRAB 5.0.3 Ransomware

GANDCRAB 5.0.3 Ransomware – Encryption Information

GANDCRAB family of viruses are unique for the fact that they use a different encryption algorithm than most ransomware infections out there and version 5.0.3 is no exception. The virus uses Salsa20 encryption algorithm, which guarantees it to encrypt files faster on the computers of victims. The encryption process of GANDCRAB 5.0.3 is conducted in the following steps:

Step #1: GANDCRAB 5.0.3 begins scanning your computer for documents, videos, images, audio files, archives, databases and other important files, based on their file extensions. The virus may target and encrypt files of the following types:

→ .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach,.acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx,.asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp,.blend,.bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn,.cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv,.d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des,.design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb,.eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho,.gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_,.ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit,.litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw,.mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw,.msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb,.nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost,.otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef,.pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx,.pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst,.ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm,.rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3,.sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf,.sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx,.vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx,.xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

While scanning, GANDCRAB 5.0.3 may skip encrypting files in the following Windows directories, so that you can still use your PC to pay the ransom:

→ \ProgramData\
\Program Files\
\Tor Browser\
Ransomware
\All Users\
\Local Settings\
desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db

Step #2: GANDCRAB 5.0.3 copies the original files and encrypts the copies, after which deletes the original versions of the files themselves.

Step #3: The virus then creates a unique decryption key, which is hidden and might have either the .KEY or the .lock suffix added to it. The file itself cannot be opened by any form of software as it is also encrypted.

Step #4: GANDCRAB 5.0.3 ransomware adds a 5.letter extension to the encoded files, making them appear like the image below shows: