New version of GandCrab emerges with autorun feature, desktop wallpaper

A new version of the infamous GandCrab ransomware is spreading via spam emails, according to security researchers. Two Malware Intel Analysts from Malwarebytes discovered GandCrab V3 being distributed through the Magnitude exploit kit and malspam campaigns. The attackers behind the ransomware usually frequently use phishing emails to deliver the ransomware to victims.

In this case, the malicious email contains subjects such as "Order #65121" along with an attachment with a VBS downloader that downloads the ransomware. Below is an image of a sample spam email:

Image credit: Fortinet

Similar to Locky and Sage ransomware, GandCrab v3 changes the wallpaper of the infected computer. The ransom note is still named CRAB-DECRYPT.txt while the encrypted files still have the .CRAB extension. However, the content of this ransom note seems to be different and a bad, low-resolution desktop background has been included. The ransomware also communicates with a different domain namely “carder.bit” that serves as its C2 server.

Once the victim's computer is compromised, the desktop background is changed and asks the victim to read to CRAB-DECRYPT.txt ransom note to find out what happened to their files.

A RunOnce autorun key was seen in previous versions of GandCrab that causes the ransomware to automatically start once the user logs in. After the ransomware is installed in the system, it immediately proceeds to encrypt the system files, change the desktop background and automatically reboot the computer. However, the ransomware does not boot completely on Windows 7 and gets stuck before the Windows Shell is completely loaded.

Instead, the victim is blocked from interacting with the Windows interface, essentially rendering the entire machine unusable. Researchers state this is an unintentional flaw in the ransomware's code.

Fortinet researchers said victims can try to force the reboot to proceed by executing the Task Manager through the keyboard shortcut (CTRL+SHIFT+DEL) and end the malware process. The malware comes with an autorun mechanism that means it can simply execute once the system restarts. After terminating the process, the malware executable located in APPDATA%Microsoft<random chars>.exe (e.g. gvdsvp.exe) and its autorun registry must be deleted.

GandCrab first emerged in the beginning of 2018 and has since infected about 50,000 computers, extracting nearly $600,000 within just 4 months. Since then, the actors behind the campaign have been continuously developing and improving the ransomware, highlighting the level of sophistication and danger this campaign holds.