GandCrab2 Ransomware

The GandCrab2 Ransomware is an encryption ransomware Trojan that has been associated with websites on the Dark Web. The GandCrab2 Ransomware stands out because the people associated with the GandCrab2 Ransomware attack demand a ransom payment using the Dash cryptocurrency rather than the more common Bitcoin. The GandCrab2 Ransomware may be delivered to victims of the attack through the use of compromised spam email messages. These email messages will contain a Microsoft Word file attachment that uses embedded macro scripts to download and install the GandCrab2 Ransomware onto the victim's computer. The GandCrab2 Ransomware is very similar to most other encryption ransomware Trojans and, as in most cases, prevention is the key to defeating these threats.

This Week In Malware Episode 21 Part 3: GandCrab, REvil, Sodinokibi Ransomware Threats Remain Extremely Dangerous in Q4 2020

This Crab will Cause Double Indigestion to Computer Users

The GandCrab2 Ransomware attack is simple. The GandCrab2 Ransomware will encrypt the user-generated files using a strong encryption algorithm. This allows the GandCrab2 Ransomware to take the victim's files hostage. The following are some of the file types typically compromised by a GandCrab2 Ransomware attack:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The GandCrab2 Ransomware communicates with its Command and Control server to receive data and deliver information about the victim's computer. The GandCrab2 Ransomware will mark the files compromised by its attack with the file extension '.CRAB' added to the end of each affected file's name.

The GandCrab2 Ransomware’s Ransom Demand

The GandCrab2 Ransomware demands a ransom payment after taking the victim's files hostage. To do this, the GandCrab2 Ransomware delivers a ransom note contained in a text file named 'CRAB-DECRYPT.txt,' which demands the payment of a ransom from the victim. The following is the message that is delivered to victims of the GandCrab2 Ransomware attack:

'We are sorry, but your files have been encrypted!. Don't worry, you can return all your files! We can help you!
Files decryptor price is 500 USD If payment is not made after the cost of decrypting files will be doubled

Buy GandCrab Decryptor
1 DSH = $[current price]
Payment amount [price according to conversion rates] DSH
To complete a payment, please send 0.8095986 DSH to the address:
[random characters]
(≈$500.00)'

Protecting Your Data from the GandCrab2 Ransomware

PC researchers strongly advise computer users to refrain from paying the GandCrab2 Ransomware ransom. Instead, computer users should use a security program that is fully up-to-date to remove the GandCrab2 Ransomware and prevent these threats from being installed. The best protection against the GandCrab2 Ransomware is to have file backups on a portable memory device or stored in the cloud.