A transitional version of the notorious GandCrab ransomware, called GandCrab 5.0.7, has been reported to be active and infecting users. Malware researcher Marcelo Rivero, who found the strain, notes that it carries a different ransom message than the conventional GandCrab v5.0 variants. The virus belongs to the ransomware type: GandCrab encrypts the files on the computers it infects and then leaves a ransom note named after the random extension appended to the encrypted files plus the suffix “-DECRYPT.TXT”. The end goal of this malware is to pressure victims into paying a ransom to the cyber-criminals behind it in exchange for being able to use their files again. If your computer has been infected by this instance of GandCrab ransomware, we suggest that you read the following article, which explains more about GandCrab 5.0.7, shows how to remove it, and describes how you can attempt to recover encrypted files by yourself.
Short Description: The GandCrab 5.0.7 ransomware encrypts files on your computer system and demands a ransom payment to decode them.
Symptoms: The ransomware encrypts your files, adding a 7-letter random file extension, and leaves a ransom note with payment instructions.
Distribution Method: Spam e-mails, e-mail attachments, fake game cracks and other bundled downloads.
GandCrab Ransomware – Update February 2019
GANDCRAB 5.0.7 – Distribution Methods
There is more than one method used for the distribution of GANDCRAB 5.0.7 ransomware. Since the virus is a variant of the GandCrab ransomware family, one of the infection methods detected so far is through compromised game cracks downloaded from torrent sites, fake copies of The Pirate Bay and many other sites that are risky to visit. In addition, the virus may also pose as other frequently downloaded types of programs, such as:
- Portable versions of programs.
- Activation software.
- Key generators.
- Setups of programs.
These seemingly legitimate files are usually uploaded to websites that are either compromised or run by the authors of the GANDCRAB 5.0.7 virus.
Another replication method used by this GANDCRAB variant is the more aggressive spam e-mail tactic. These e-mails aim to convince users that the attached files are legitimate, safe to open and, above all, important. They often pose as invoices or receipts from big companies such as PayPal, DHL, FedEx, eBay and Amazon to increase their credibility. The attachment is typically a document or archive that, once opened, fetches or drops the ransomware payload.
GANDCRAB 5.0.7 Ransomware – Activity
Once the payload of GANDCRAB 5.0.7 is dropped on the victim’s computer, the ransomware may conduct a series of malicious activities that end with file encryption. For starters, GANDCRAB 5.0.7 drops its primary payload, for which the following hash has been reported:
→ MD5: cd374fa30f9e9dc2adbc06aa08a8a89a
Size: 139.28 KB
Besides the payload of the virus, other forms of unwanted files and modules may also be created in the following Windows directories:
Among the files dropped on the compromised computer, the ransomware also drops its main note file, which contains the following ransom message:
—= GANDCRAB V5.0.7 =—
UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS
All your files, documents, photos, databases and other important files are encrypted and have the extension:
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/371525fbc2a9ddd2
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
The ransom note of this virus aims to take users to the main TOR web page of GANDCRAB ransomware which looks like the following:
In addition to this, GANDCRAB 5.0.7 ransomware also changes the wallpaper of the infected computer to the following image:
The virus may also perform other malicious activities on the infected computer, such as:
- Logging the victim’s keystrokes.
- Creating mutexes.
- Taking screenshots.
- Modifying the application directory.
- Adding a file to be opened the next time Word is launched.
- Touching Windows system files.
- Creating processes with a hidden window.
- Writing an unusually large amount of data to the registry.
- Trying to detect whether it is running in a virtual machine.
- Reading data related to browser cookies.
- Stealing files and information from the victim’s PC.
GANDCRAB 5.0.7 Ransomware – Encryption Process
The main file-encryption algorithm used by GandCrab ransomware is Salsa20, a stream cipher that is among the fastest available, which is why the encryption completes quickly even on large drives; the per-file Salsa20 keys are in turn protected with the attackers’ RSA public key, so the files cannot be decoded without the private key held by the criminals. The virus may encrypt files either by creating copies, encrypting the copies and deleting the original unencrypted versions, or by encrypting the files directly. Either way, once encryption is complete the files carry a random 7-letter extension.
GandCrab ransomware may scan only for files that are used on a regular basis, such as:
The ransomware also deletes the Volume Shadow Copies, so that the encrypted files cannot be restored from Windows’ own backups.
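The indicators this article lists (the reported payload MD5, the “&lt;extension&gt;-DECRYPT.txt” note name, the “GANDCRAB V5.0.7” note header and the random extension on encrypted files) are enough to build a small offline triage script. The following Python example is added here as an illustration and is not code from the article or from any vendor tool: it walks a directory tree, learns the random extension from any ransom note it finds, counts the files that carry that extension, and hashes every file against the indicator set. The sample directory it builds is constructed for the demo and does not come from a real infection; the 5-to-10-letter range accepted for the extension is an assumption that allows a margin around the seven letters the article describes.

```python
"""Offline triage for the GandCrab 5.0.7 indicators quoted in this article."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article: payload hash and the ransom-note layout.
PAYLOAD_MD5 = "cd374fa30f9e9dc2adbc06aa08a8a89a"
NOTE_HEADER = "GANDCRAB V5.0.7"
# The note is named <random extension>-DECRYPT.txt. The article gives seven
# random letters; the 5-10 range is an assumption to allow a margin around that.
NOTE_NAME_RE = re.compile(r"^([a-z]{5,10})-DECRYPT\.txt$", re.IGNORECASE)


def md5_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_ransom_notes(root: Path) -> dict:
    """Map each discovered GandCrab extension to the ransom notes carrying it.

    A file only counts if both the name pattern and the note header match,
    which keeps an unrelated '*-DECRYPT.txt' from producing a false positive.
    """
    notes = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        m = NOTE_NAME_RE.match(p.name)
        if not m:
            continue
        try:
            head = p.read_text(errors="replace")[:512]
        except OSError:
            continue
        if NOTE_HEADER in head:
            notes.setdefault(m.group(1).lower(), []).append(p)
    return notes


def find_encrypted_files(root: Path, extensions) -> list:
    """Files whose final suffix is one of the extensions learned from the notes."""
    wanted = {"." + e.lower() for e in extensions}
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in wanted)


def find_hash_matches(root: Path, md5s=(PAYLOAD_MD5,)) -> list:
    """Files whose MD5 is in the indicator set (payload hunting)."""
    md5s = {h.lower() for h in md5s}
    return sorted(p for p in root.rglob("*") if p.is_file() and md5_of(p) in md5s)


def triage(root: Path, extra_md5s=()) -> dict:
    """Summarise what the three detectors found under one root."""
    notes = find_ransom_notes(root)
    encrypted = find_encrypted_files(root, notes.keys())
    payloads = find_hash_matches(root, (PAYLOAD_MD5, *extra_md5s))
    return {
        "extensions": sorted(notes),
        "notes": sum(len(v) for v in notes.values()),
        "encrypted": len(encrypted),
        "payload_matches": len(payloads),
    }


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data, not from a real infection: one note, two
    renamed files, one untouched file and a stand-in for the dropped payload."""
    ext = "kqxzpvn"  # assumed random 7-letter extension
    (base / "Documents").mkdir(parents=True)
    (base / "Documents" / f"{ext}-DECRYPT.txt").write_text(
        f"---= {NOTE_HEADER} =---\nAll your files ... have the extension: .{ext}\n")
    (base / "Documents" / f"report.docx.{ext}").write_bytes(os.urandom(64))
    (base / "Documents" / f"photo.jpg.{ext}").write_bytes(os.urandom(64))
    (base / "Documents" / "readme.txt").write_text("still in the clear\n")
    (base / "payload.exe").write_bytes(b"MZ" + b"\x90" * 30)  # stand-in, not the real sample
    return base


def demo() -> dict:
    """Build the constructed tree in a temp dir, triage it, and also confirm the
    hash matcher fires once the stand-in's own hash is added to the indicator set."""
    with tempfile.TemporaryDirectory() as d:
        root = build_sample_tree(Path(d))
        result = triage(root)
        result["payload_matches_with_own_hash"] = triage(
            root, extra_md5s=(md5_of(root / "payload.exe"),))["payload_matches"]
        return result


if __name__ == "__main__":
    print(demo())
```

Against the constructed tree the script reports one extension (“kqxzpvn”), one note, two encrypted files and no payload match, since the stand-in executable is not the real sample; adding the stand-in’s own hash to the indicator set makes the matcher fire once, which is how you would verify the hashing path before pointing the script at a live system. On a real host, run it against user profile and mapped-drive roots, and treat any hash hit as a file to preserve for analysis rather than delete outright.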
Remove GANDCRAB 5.0.7 and Try to Restore Your Data
If you are a victim of GandCrab v5.0.7 ransomware, you should get rid of it as quickly as possible, before it reaches mapped drives, network shares and other devices. Remove the ransomware, preferably by following the manual or automatic removal steps below. They are designed to help you detect and delete the GandCrab virus files either manually or automatically. For best results, it is highly advisable to download and run a scan with a reputable anti-malware program. Such software aims to detect and remove all GandCrab 5.0.7-related files and objects automatically and to provide protection against future threats.
If you want to recover files encrypted by this GandCrab 5.0.7 variant, we would advise you to follow the file recovery methods below. We have created them to help users try to restore as many files as possible, although the methods come with no guarantee of working in every case.