
GandCrab Ransomware: Complete Guide 

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Her personal interests in creative writing and PC gaming also make her articles on data storage and data recovery accessible to a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO and digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he has helped restore data after logical errors, physical failures, and even ransomware attacks, for individuals, businesses, and government agencies alike.


GandCrab is a ransomware variant first seen in the cybersecurity landscape in early 2018. Ransomware attacks involve encrypting files on a victim’s system, compelling them to pay a ransom for the decryption key. This ransomware is known for its broad targeting of file types, effectively rendering a diverse range of files inaccessible to the victim. GandCrab has been implicated in various high-profile attacks, impacting individuals, businesses, and even government organizations.

As a dynamic and evolving threat, GandCrab has undergone multiple versions and updates since its emergence. These updates introduce new features and evasion techniques, showcasing the adaptability of its developers to security measures. This constant evolution poses a challenge for cybersecurity efforts aimed at effectively combating ransomware.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

Everything we know about GandCrab Ransomware

GandCrab has evolved into several versions, including GandCrab V2.0, GandCrab 3, GandCrab V5.0, GandCrab 5.0.2, GandCrab V5.0.3, GandCrab 5.0.4, GandCrab 5.0.5, GandCrab 5.0.7, GandCrab 5.0.8, GandCrab 5.0.9, GandCrab 5.1.0, GandCrab 5.1.4, GandCrab 5.1.5, and GandCrab V5.1.6.

Despite the diversity in versions, their fundamental behavior remains consistent. The main differences include the file extension added to encrypted files, the content of ransom messages, website designs, ransom amounts, and the cryptocurrency wallet used. These subtle distinctions help identify and distinguish each iteration within the GandCrab ransomware family.

Confirmed Name

  • GandCrab virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker
  • Double extortion

Is There a Free Decryptor Available?

There are decryption tools for some GandCrab ransomware variants (V1, V4, V5). You can identify these variants by the file extension:

  • .GDCB
  • .CRAB
  • .KRAB
  • .UKCZA
  • .YIAQDG
  • .CQXGPMKNR
  • .HHFEHIOL

Distribution methods

  • Phishing emails
  • Exploiting vulnerabilities
  • Weak or default passwords on Remote Desktop Protocol (RDP)

Consequences

  • Files are encrypted and locked until the ransom payment
  • Data leak
  • Double extortion

What are GandCrab ransomware IOCs

Indicators of Compromise (IOCs) are digital clues cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more.

GandCrab specific IOCs include:

File Paths and Names

  • %Application Data%\Microsoft{6 random character}.exe

Registry Entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • {11 random characters} = %Application Data%\Microsoft{6 random character}.exe

URLs/IPs Connected

  • Ipv4bot.whatismyipaddress.com
  • {IP Address of domain}/curl.php?token=1019
  • {BLOCKED}ransom.bit, {BLOCKED}ngcomputer.bit, {BLOCKED}ft.bit, {BLOCKED}d32.bit, {BLOCKED}ab.bit

Ransom Note

  • Ransom note dropped as {Encrypted folder}\GDCB-DECRYPT.txt
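A triage helper, added here and not part of the original article or SalvageData's tooling, that matches collected registry values, file paths and URLs against the IOCs listed above. It assumes the random names are letters and digits, that the dropped executable sits in the Microsoft folder under %AppData% (expanded or unexpanded), and that any .bit host is worth flagging like the blocked domains; the sample artifacts are constructed.

```python
import re
from urllib.parse import urlparse

# Indicators transcribed from the IOC list above. Assumptions not on the page:
# random names are letters/digits, the dropped executable sits in the Microsoft
# folder under %AppData% (expanded or not), and any .bit host is suspicious.
RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
DROPPED_EXE = re.compile(r"(?i)(?:%(?:appdata|application data)%|.*\\appdata\\roaming)"
                         r"\\microsoft\\?[a-z0-9]{6}\.exe$")
VALUE_NAME = re.compile(r"^[a-z0-9]{11}$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"(?i)(?:^|\\)GDCB-DECRYPT\.txt$")
C2_PATH = re.compile(r"/curl\.php\?token=1019")

def check_runonce(value_name, value_data):
    """True when a RunOnce value matches the GandCrab persistence pattern."""
    return bool(VALUE_NAME.match(value_name) and DROPPED_EXE.search(value_data))

def triage(registry_values, file_paths, urls):
    """Return (kind, detail) hits for every artifact matching a GandCrab IOC."""
    hits = []
    for key, name, data in registry_values:            # (key, value name, value data)
        if key.lower() == RUNONCE_KEY.lower() and check_runonce(name, data):
            hits.append(("registry", f"{key}\\{name} -> {data}"))
    for path in file_paths:
        if RANSOM_NOTE.search(path):
            hits.append(("ransom_note", path))
        elif DROPPED_EXE.search(path):
            hits.append(("dropped_exe", path))
    for url in urls:
        host = urlparse(url).hostname or ""
        if C2_PATH.search(url) or host.endswith(".bit"):
            hits.append(("network", url))
    return hits

# Constructed sample artifacts (not real data): suspicious and benign entries mixed.
SAMPLE_REGISTRY = [
    (RUNONCE_KEY, "qwertyuiopa", r"%Application Data%\Microsoft\abcdef.exe"),
    (RUNONCE_KEY, "OneDriveSetup", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe"),
]
SAMPLE_PATHS = [r"C:\Users\u\Documents\GDCB-DECRYPT.txt", r"C:\Users\u\Documents\report.docx",
                r"C:\Users\u\AppData\Roaming\Microsoft\abcdef.exe"]
SAMPLE_URLS = ["http://203.0.113.5/curl.php?token=1019", "https://example.com/", "http://example.bit/"]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REGISTRY, SAMPLE_PATHS, SAMPLE_URLS):
        print(f"[{kind}] {detail}")
```

Feed it the RunOnce values, file listings and proxy logs gathered from a suspect host; a registry hit together with a dropped executable is the persistence pattern described above.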

GandCrab ransomware encrypted file extension:

The GandCrab gang has released many versions of its malware, and each version has its own extension and renaming scheme for encrypted files. For each version below, "File extension" is the extension pattern, "Starts with" is the header string at the top of the ransom note, and "The extension" is the extension observed for that version.

Version 1:

  • File extension: .GDCB
  • Starts with: —= GANDCRAB =—
  • The extension: .GDCB

Version 2:

  • File extension: .GDCB
  • Starts with: —= GANDCRAB =—
  • The extension: .GDCB

Version 3:

  • File extension: .CRAB
  • Starts with: —= GANDCRAB V3 =—
  • The extension: .CRAB

Version 4:

  • File extension: .KRAB
  • Starts with: —= GANDCRAB V4 =—
  • The extension: .KRAB

Version 5:

  • File extension: .([A-Z]+)
  • Starts with: —= GANDCRAB V5.0 =—
  • The extension: .UKCZA

Version 5.0.1:

  • File extension: .([A-Z]+)
  • Starts with: —= GANDCRAB V5.0.1 =—
  • The extension: .YIAQDG

Version 5.0.2:

  • File extension: .([A-Z]+)
  • Starts with: —= GANDCRAB V5.0.2 =—
  • The extension: .CQXGPMKNR

Version 5.0.3:

  • File extension: .([A-Z]+)
  • Starts with: —= GANDCRAB V5.0.3 =—
  • The extension: .HHFEHIOL

Version 5.0.4:

  • File extension: .([A-Z]+)
  • Starts with: —= GANDCRAB V5.0.4 =—
  • The extension: .BYACZCZI

Version 5.0.5:

  • File extension: .([A-Z]+)
  • Starts with: —= GANDCRAB V5.0.5 =—
  • The extension: .KZZXVWMLI

Version 5.1:

  • File extension: .([A-Z]+)
  • Starts with: —= GANDCRAB V5.1 =—
  • The extension: .IJDHRQJD
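A version-identification helper, added here and not part of the original article, that applies the extension and ransom note header rules listed above; it assumes the note header may use plain hyphens as well as the em-dash shown, that a 5.x random extension is 5 to 10 upper-case letters, and that the sample filenames are constructed.

```python
import os
import re

# Rules transcribed from the version lists above. Versions 1 and 2 share the same
# extension and header, so they are reported together as "1/2"; 5.x versions use a
# random upper-case extension, so only the note header pins down the exact release.
FIXED_EXTENSIONS = {".GDCB": "1/2", ".CRAB": "3", ".KRAB": "4"}
RANDOM_EXTENSION = re.compile(r"^\.[A-Z]{5,10}$")   # assumption: 5-10 letters for 5.x
NOTE_HEADER = re.compile(r"^[—-]+=\s*GANDCRAB(?:\s+V(?P<ver>[0-9.]+))?\s*=[—-]+\s*$")

def version_from_extension(filename):
    """Version family implied by the appended extension, or None."""
    ext = os.path.splitext(filename)[1]
    if ext in FIXED_EXTENSIONS:
        return FIXED_EXTENSIONS[ext]
    return "5.x" if RANDOM_EXTENSION.match(ext) else None

def version_from_note(first_line):
    """Version named in the ransom note's first line, or None."""
    m = NOTE_HEADER.match(first_line.lstrip("\ufeff").strip())  # tolerate a BOM
    if not m:
        return None
    return m.group("ver") or "1/2"          # header without a version means V1/V2

def identify(filename, note_first_line=None):
    """Combine both signals, preferring the exact 5.x release from the note."""
    by_ext = version_from_extension(filename)
    by_note = version_from_note(note_first_line) if note_first_line else None
    if by_ext == "5.x" and by_note and by_note.startswith("5"):
        return by_note
    if by_ext and by_note and by_ext != by_note:
        return f"conflict: extension suggests {by_ext}, note suggests {by_note}"
    return by_note or by_ext

if __name__ == "__main__":
    # Constructed sample inputs matching the rules above
    for name, header in [("photo.jpg.GDCB", "—= GANDCRAB =—"),
                         ("scan.pdf.HHFEHIOL", "—= GANDCRAB V5.0.3 =—"),
                         ("report.docx", None)]:
        print(name, "->", identify(name, header))
```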

GandCrab ransom note

Please note that the actual content of the ransom note may vary between different versions of GandCrab, and attackers may customize the messages. The note dropped typically contains instructions for the victim on how to pay the ransom and obtain the decryption key.

Example of what a GandCrab ransom note might look like (image).

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

How does GandCrab ransomware work

GandCrab ransomware works through a series of steps, leveraging various techniques to infiltrate, encrypt files, and demand a ransom.

Here is an overview of how GandCrab typically operates:

Infection and delivery

GandCrab is often delivered through malicious email attachments, exploit kits on compromised websites, or as a payload dropped by other malware.

A payload refers to the malicious component or code within a cyberattack, typically designed to execute harmful actions on a targeted system. The payload of GandCrab ransomware consists of a malicious executable file, often delivered through email attachments or exploited vulnerabilities.

Once a system is infected, GandCrab may create copies of itself in specific locations on the victim’s machine.

Autostart and persistence

To ensure that it runs each time the system starts, GandCrab modifies the Windows Registry, adding entries that enable automatic execution.

Evasion

GandCrab employs various evasion techniques to avoid detection by security software and analysis by researchers.

It may terminate specific processes related to antivirus and security software running on the victim’s system.

Communication with Command and Control (C2) servers

GandCrab communicates with remote servers controlled by the attackers. This communication is used to send information about the infected system and, in some cases, to receive further instructions.

File encryption

GandCrab identifies and encrypts a wide range of files on the victim’s system using strong encryption algorithms, such as RSA and Salsa20.

It appends a specific file extension (e.g. .GDCB) to the encrypted files, indicating that they are now inaccessible.

The drop of the ransom note

After completing the encryption process, GandCrab drops a ransom note in each affected folder. The note typically contains instructions on how to pay the ransom to get the decryption key.

The ransom note may also include details such as the amount of the ransom, a deadline for payment, and the cryptocurrency wallet address for payment.

Victims are instructed to pay a ransom in cryptocurrency (commonly Bitcoin) to obtain the decryption key.

GandCrab developers often threaten to permanently delete the decryption key or increase the ransom amount if victims delay payment.

How to handle a GandCrab ransomware attack

The first step to recovering from a GandCrab attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. For US residents and businesses, these are the FBI and the Internet Crime Complaint Center (IC3).

To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with threat actors (if you have them)
  • A sample of an encrypted file

However, if you prefer to hand the case to professionals, then do nothing further. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help recover the encryption key, and a captured dropper file, i.e. the file that executes the malicious payload (code or programs that perform unauthorized actions on a target system), can be reverse-engineered, which may lead to decryption of the data or at least to an understanding of how it operates.

You must not delete the ransomware, and you must keep all evidence of the attack. That is important for digital forensics, so experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with structured expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer gives organizations peace of mind, providing expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by checking the file extension (some ransomware families use the file extension as their name), by using a ransomware ID tool, or by reading the ransom note. With this information, you can look for a public decryption key. You can also check the ransomware type by its IOCs.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.

Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from a variety of threats, ensuring the continuity of operations and preserving valuable information. In the face of ransomware attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.

Make sure to regularly test and update your backup procedures to enhance their effectiveness in safeguarding against potential data loss scenarios. There are several ways to make a backup, so you must choose the right backup medium and have at least one copy of your data stored offsite and offline.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent GandCrab ransomware from attacking your network again; contact our recovery experts 24/7.

Prevent the GandCrab ransomware attack

Preventing ransomware attacks is the best solution for data security: it is easier and cheaper than recovering from them. A GandCrab ransomware attack can cost your business its future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

  • Keep software up to date to prevent vulnerabilities that can be exploited by ransomware.
  • Use strong passwords and two-factor authentication to prevent unauthorized access to systems.
  • Regularly back up important files and store them in a secure location.
  • Be cautious when opening email attachments or clicking on links from unknown sources.
  • Use reputable antivirus software and keep it up to date.