A new variant of the infamous GandCrab ransomware was released over the weekend, and it comes with a couple of changes.
According to a malware analyst who goes by the online moniker Fly, GandCrab v4 is being distributed via fake software crack sites, Bleeping Computer reports.
The new ransomware version also appears to use a different encryption algorithm and a new TOR payment site.
Bleeping Computer reports the ransomware now uses Salsa20 as its encryption algorithm of choice. When the ransomware is executed, it scans the computer and any network shares for files to encrypt. During the scanning process, it also enumerates all shares on the network along with mapped drives.
Encrypted victim files are now appended with the new .KRAB extension.
Once the encryption process is complete, a ransom note named KRAB-DECRYPT.txt is created that contains information about what happened to the victim’s files along with a TOR site link that the victim is asked to connect to for payment instructions to retrieve an encryption key.
The TOR payment website even includes a support section that allows victims to send messages directly to the ransomware developers and decrypt one file for free.
“Attention! All your files, documents, databases and other important files are encrypted and have the extension: .KRAB,” the ransom note reads. “The only method of recovering files is to purchase our unique private key. Only we can give you this key and only we can recover your files.”
The ransom amount is currently set at $1200 to be paid in the DASH cryptocurrency. Unfortunately, GandCrab v4 victims currently cannot decrypt their files for free.
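For responders scoping an incident, the two file-system artifacts described above (the .KRAB extension and the KRAB-DECRYPT.txt note) can be swept for across local and mapped paths. The following is an added example, not code from the article or from Bleeping Computer; the function names are hypothetical, and treating the oldest modification time as the approximate start of encryption is an assumption.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

ENCRYPTED_EXT = ".krab"           # extension named in the article
RANSOM_NOTE = "krab-decrypt.txt"  # ransom note name from the article

def scan_tree(root):
    """Return ({dir: {"encrypted", "note", "first_seen"}}, errors) for root."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": False, "first_seen": None})
    errors = []  # unreadable directories/files, so gaps in coverage are visible
    for dirpath, _dirs, files in os.walk(root, onerror=errors.append):
        for name in files:
            lower = name.lower()  # match case-insensitively
            is_note = lower == RANSOM_NOTE
            is_enc = lower.endswith(ENCRYPTED_EXT)
            if not (is_note or is_enc):
                continue
            entry = hits[dirpath]
            entry["note"] = entry["note"] or is_note
            entry["encrypted"] += int(is_enc)
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError as exc:
                errors.append(exc)
                continue
            if entry["first_seen"] is None or mtime < entry["first_seen"]:
                entry["first_seen"] = mtime
    return dict(hits), errors

def earliest_activity(hits):
    """Oldest artifact mtime across all directories (assumed encryption start)."""
    stamps = [h["first_seen"] for h in hits.values() if h["first_seen"] is not None]
    return min(stamps) if stamps else None

if __name__ == "__main__":
    # Constructed sample tree standing in for a mapped share.
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "finance")
        os.makedirs(share)
        for name in ("q1.xlsx.KRAB", "KRAB-DECRYPT.txt", "untouched.txt"):
            open(os.path.join(share, name), "w").close()
        hits, errors = scan_tree(root)
        for path, info in sorted(hits.items()):
            print(path, info["encrypted"], "encrypted, note:", info["note"])
        start = earliest_activity(hits)
        print("earliest:", datetime.fromtimestamp(start, timezone.utc).isoformat())
        print("unreadable paths:", len(errors))
```

Run it against each share and mapped drive the affected host could reach, and review the error list so that unreadable directories are not mistaken for clean ones.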