GandCrab, also referred to as GDCB after the extension it appends to the files it encrypts, is the first ransomware observed so far to accept payment in DASH. Despite the great variety of cryptocurrencies available, cybercriminals running encryption-for-ransom schemes mostly stick to Bitcoin; Monero and Ethereum remain marginal options. DASH is another cryptocurrency to join that ominous list.
According to malware researchers, the infection propagates through the malware distribution network dubbed Seamless, which uses the RIG exploit kit to inject GandCrab into devices without the user's permission while they browse the web. The installation exploits security gaps in software that has not been updated in good time. Since the intrusion runs in the background, users are unaware of it until the malicious encryption has fully completed.
However, the encryption cannot start until GandCrab checks in with its remote command-and-control server. That can be a challenging task in itself, because the infection uses a special DNS configuration: Namecoin's decentralized .bit domains. This makes the communication harder to trace, which matters to the crooks since they reasonably expect law enforcement to pursue them. On the other hand, the same configuration also complicates the connection to the remote server.
Remarkably, the infection names its remote servers after well-known IT security hubs: bleepingcomputer.bit, emisoft.bit, esetnod32.bit. In doing so it is obviously mocking its natural rivals.
Again, to launch its encryption GandCrab must reach one of those mockingly named servers. If it fails to do so, the infection keeps running in the background; in that mode its actions are limited to collecting IP addresses and repeatedly trying to reach the remote .bit server.
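Because the C2 check-in described above goes to Namecoin .bit names that ordinary resolvers cannot serve, a query for such a name showing up in resolver logs is a useful early indicator that a host is trying to reach the server before encryption starts. The following detector is an added example, not code from the article; the log line format and the sample lines are constructed assumptions, while the three host names are the ones the article reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed (hypothetical) resolver log format: "<timestamp> <client_ip> query: <name> <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<name>\S+)\s+(?P<qtype>\S+)$"
)

# C2 host names the article reports GandCrab using, mocking security vendors.
KNOWN_GANDCRAB_C2 = {"bleepingcomputer.bit", "emisoft.bit", "esetnod32.bit"}


@dataclass
class Finding:
    timestamp: str
    client: str
    name: str
    reason: str


def classify(name: str) -> Optional[str]:
    """Return why a queried name is suspicious, or None if it is not."""
    host = name.rstrip(".").lower()
    if host in KNOWN_GANDCRAB_C2:
        return "known GandCrab .bit C2 name"
    if host.endswith(".bit"):
        # .bit is Namecoin's blockchain TLD; a normal resolver cannot answer it,
        # so the lookup itself shows a client trying to use the alternative DNS.
        return "Namecoin .bit lookup"
    return None


def scan_dns_log(lines: List[str]) -> List[Finding]:
    """Run the classifier over resolver log lines; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["name"])
        if reason:
            findings.append(Finding(m["ts"], m["client"], m["name"].rstrip(".").lower(), reason))
    return findings


# Constructed sample lines (not real traffic), in the assumed format above.
SAMPLE_LOG = [
    "2018-01-30T10:01:02Z 10.0.0.15 query: www.example.com. A",
    "2018-01-30T10:01:05Z 10.0.0.15 query: bleepingcomputer.bit. A",
    "2018-01-30T10:01:05Z 10.0.0.15 query: esetnod32.bit. A",
    "2018-01-30T10:01:06Z 10.0.0.15 query: other-host.bit. A",
    "2018-01-30T10:02:00Z 10.0.0.22 query: update.microsoft.com. A",
    "garbage line that does not parse",
]
```

Three of the constructed lines are flagged: two known C2 names and one generic .bit lookup, all from the same client, which is the host to isolate and scan.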
Once the connection succeeds, the remote server sends GandCrab a public key. A sophisticated algorithm then uses this public key to encrypt the target data for good. During this initial Internet communication, the malware also connects to a website that identifies the victim's public ID.
The encryption targets most files on the compromised device. The few exceptions serve only to keep the system functional so that the data scrambling can be followed by the ransom note being duly presented to the victim. In other words, if the encryption blocked every file on the PC, the user could not even read the crooks' demand.
The affected files get an extra string, .GDCB, appended to their names. During encryption the malware creates a file called [launched_file_name].exe and a ransom note, GDCB-DECRYPT.txt. The former is launched from the Windows directory and generates a User Account Control prompt, which keeps popping up until the user clicks OK. The ransom note is dropped in almost every folder on the compromised PC. It carries the typical message that GandCrab ransomware has scrambled the data and that further details and follow-up instructions are available through the TOR browser at the link specified.
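The two artefacts just described, the .GDCB suffix and the GDCB-DECRYPT.txt note, are enough to inventory what was hit, and the list of original file names is what you later match against backups in the restore step. This triage script is an added example rather than the article's own material; the directory layout it builds is a constructed sample with empty files, not real encrypted data.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".GDCB"          # extension GandCrab appends, per the article
RANSOM_NOTE = "GDCB-DECRYPT.txt"    # note name GandCrab drops, per the article


def original_name(filename):
    """Return the pre-encryption name of a .GDCB file, or None for any other file."""
    if filename.upper().endswith(ENCRYPTED_SUFFIX):
        return filename[:-len(ENCRYPTED_SUFFIX)]
    return None


def triage(root):
    """Walk a tree and collect encrypted files (with original names) and folders holding the note."""
    encrypted = []   # (directory, original name, path of the encrypted copy)
    note_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f == RANSOM_NOTE:
                note_dirs.append(dirpath)
            orig = original_name(f)
            if orig:
                encrypted.append((dirpath, orig, os.path.join(dirpath, f)))
    return encrypted, note_dirs


def summarize(root):
    """Counts a responder wants first: scope of encryption and which original types were hit."""
    encrypted, note_dirs = triage(root)
    by_ext = Counter(os.path.splitext(orig)[1].lower() for _, orig, _ in encrypted)
    return {"encrypted_files": len(encrypted),
            "note_folders": len(note_dirs),
            "by_original_ext": dict(by_ext)}


def make_sample_tree():
    """Constructed sample layout mimicking the artefacts described; files are empty placeholders."""
    root = tempfile.mkdtemp(prefix="gdcb_sample_")
    layout = {
        "Documents": ["report.docx.GDCB", "budget.xlsx.GDCB", RANSOM_NOTE],
        "Pictures": ["holiday.jpg.GDCB", RANSOM_NOTE],
        "Windows": ["notepad.exe"],   # left untouched so the system stays usable
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            open(os.path.join(root, d, n), "wb").close()
    return root
```

Run `summarize(make_sample_tree())` to see the counts; on a real machine point `triage` at the user profile or a data drive instead.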
The link resolves to a GUI demanding a ransom of 1,54 DASH, currently a little under 1,000 USD. Free decryption is offered for one file out of the encrypted bulk. A countdown indicates the time left for payment; if it expires, the ransom amount doubles.
As usual, the crooks provide no guarantees, and there is no way to reclaim your money. To that end, the guidance below walks you through best practice for GandCrab ransomware removal and .GDCB data recovery.
Automated cleanup to remove GandCrab virus
1. Click the button to download the stub installer and go through the several setup dialogs. Once the tool is up and running, click Start Computer Scan.
2. Wait until the cleaner has checked the PC for GandCrab ransomware malicious code. As soon as the scan is completed, the report lists all malware objects spotted in the system. Make sure the entries for the detected infections are checked, and select the Fix Threats feature. This results in malware removal and system remediation, so you should now be good to go.
Restore the encrypted files
GandCrab encryption is a sophisticated data modification; there is no single, simple solution that covers all cases. Paying the ransom demanded by the crooks is not the way either. Kindly apply the methods outlined below, as they have been carefully developed to provide recovery help for the most severe cases of encrypting assaults.
Data recovery with automatic software
The good news is that the virus actually works on copies of the files, and the originals are deleted. Deleted data can still be restored with tools such as Data Recovery Pro.
Shadow Volume Copies
As Windows creates backups at set intervals, a victim is advised to try the relevant restore points. Unfortunately, the method cannot be applied unless System Restore was enabled prior to the invasion. Please also note that the recovery returns files as they were saved at the time of the restore point used.
- Previous Versions dialog to target individual files
One can open Properties for any file. The dialog has a tab called Previous Versions, which lists the versions of the file that have been backed up.
To use the feature, right-click an affected file and choose Properties in the drop-down list, then click the above-mentioned tab. You can choose between Copy and Restore, the former copying the item to a location specified by the user.
Backups and removing remaining traces of ransomware
Prevention is the best cure. If you stick to making regular backup copies of your data and store them outside your operating system, the impact of the ransomware is very limited. However, before copying the data from backups back into the system hit by GandCrab ransomware, make sure the removal of this virus has completed.
Your manual removal attempts may kill the ransomware in general, but in most cases some remnants manage to survive and are still capable of causing significant damage. Please apply a reliable anti-malware scanner to detect and remove any remaining infections.