Security researchers have discovered a new version of the GandCrab ransomware, Version 4, which is being distributed through fake software crack websites.
The GandCrab V4 ransomware comes with many changes, such as a new encryption algorithm, a new .KRAB extension, a new ransom note, and a new TOR payment site.
The ransomware is distributed through fake software crack sites. Attackers hack legitimate websites, set up fake software crack pages on them, and trick users into downloading the file and installing it.
When the user downloads the crack file and executes it, the ransomware is installed on the user's device, according to a security analyst who goes by the Twitter handle Fly.
Security researcher Marcelo Rivero, who analyzed the debug messages found in the GandCrab V4 ransomware, found that the ransomware has changed its encryption algorithm to Salsa20.
Working of GandCrab ransomware Version 4
After installation, the ransomware scans the computer for files to encrypt. It also scans any reachable network shares for files to encrypt.
Encrypted files have the .KRAB extension appended to their file names. During encryption the ransomware also creates a ransom note named KRAB-DECRYPT.txt.
The ransom note contains details about what happened to the files and a link to the TOR site (gandcrabmfe6mnef.onion), which contains the payment instructions.
On the TOR payment site, users are asked to pay a ransom of $1200 (as of now) in Dash (DSH) cryptocurrency to get their encrypted files back. The site also offers to decrypt one file for free, and as of now victims of GandCrab V4 ransomware cannot decrypt their files for free.
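The file-system traces described above (the .KRAB extension on encrypted files and the KRAB-DECRYPT.txt ransom note, which links to the gandcrabmfe6mnef.onion payment site) are the indicators a defender can sweep a host or a network share for. The following script is an added example, not code from the article or from any of the researchers it cites: it walks a directory tree, counts those indicators, and reports whether the tree looks affected. The `min_encrypted` threshold and the sample directory layout it builds are constructed for the demonstration and are not taken from the article.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the article: encrypted files carry a .KRAB extension and a
# ransom note called KRAB-DECRYPT.txt is dropped during encryption.
ENCRYPTED_EXT = ".krab"
RANSOM_NOTE = "KRAB-DECRYPT.txt"
TOR_SITE = "gandcrabmfe6mnef.onion"  # payment site named in the article


def scan_for_gandcrab_v4(root, min_encrypted=5):
    """Walk `root` (a local path or a mounted share) and collect GandCrab V4 indicators.

    Returns a dict with counts, the directories holding ransom notes, and a
    verdict. `min_encrypted` is an assumed threshold (not from the article) so a
    single stray .krab file does not raise an alert on its own; a ransom note
    always does.
    """
    encrypted = []
    notes = []
    notes_with_tor_site = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name == RANSOM_NOTE:
                notes.append(path)
                try:
                    with open(path, "r", errors="ignore") as fh:
                        if TOR_SITE in fh.read():
                            notes_with_tor_site += 1
                except OSError:
                    pass  # unreadable note still counts as a note
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "notes_with_tor_site": notes_with_tor_site,
        "note_dirs": sorted({os.path.dirname(p) for p in notes}),
        "suspicious": bool(notes) or len(encrypted) >= min_encrypted,
    }


def build_sample_tree():
    """Create a constructed directory layout that mimics an affected share.

    The file contents are placeholders; nothing here is a real GandCrab artifact.
    """
    root = tempfile.mkdtemp(prefix="krab_demo_")
    docs = Path(root, "docs")
    docs.mkdir()
    for i in range(6):
        (docs / f"report{i}.docx.KRAB").write_bytes(b"\x00" * 32)
    (docs / RANSOM_NOTE).write_text(
        "Your files have been encrypted.\n"
        f"Visit http://{TOR_SITE}/ for payment instructions.\n"
    )
    clean = Path(root, "clean")
    clean.mkdir()
    (clean / "notes.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, value in scan_for_gandcrab_v4(sample).items():
        print(f"{key}: {value}")
```

Pointing `scan_for_gandcrab_v4` at a mounted share is the quickest way to find out which shares the infection reached; the `note_dirs` list tells you where the note was dropped, and a `notes_with_tor_site` count that matches `ransom_notes` confirms the note text points at the payment site named above.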
How to prevent yourself from the GandCrab Ransomware Version 4:
- Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Maintain updated antivirus software on all systems.
- Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If you believe a URL is genuine, close the e-mail and go to the organization's website directly through the browser.
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.