Gandcrab V3 ransomware no longer contains the flaw that let security researchers and law enforcement blunt earlier versions by releasing a free decryptor to everyone affected.
The infection exists to extort a ransom, paid in DASH, for the tool that decrypts the data it has scrambled. Unlike threats that do damage continuously, such as a keylogger or a mining trojan, this malware does all of its damage in one pass: once the files are encrypted, the payload has done its job. Removing Gandcrab V3 afterwards is therefore only a small relief. The victims' real problem is the encryption, and removal does not undo it.
With the initial release (version 1), weaknesses in how the malware communicated with its remote server let investigators obtain the keys and publish a free decryptor. From version 2 onward, Gandcrab V3 included, the crooks have closed that hole.
The command-and-control domains still sit under the .bit top-level domain, a decentralized naming system built on Namecoin rather than on the regular DNS. Mistakes in how the developers used this scheme also contributed to the version-1 takedown; in the version under review those mistakes are gone.
So the infection resolves its servers through decentralized naming and, like every encryption-for-ransom scheme, collects payment in a decentralized crypto-currency. It stays true to its unconventional choices there as well: it was the first ransomware family to demand DASH, where Bitcoin otherwise dominates the ransomware business.
The crooks use several infection vectors to deliver the payload. Two of the main ones are large spam campaigns and the RIG exploit kit, which installs the malware through unpatched software vulnerabilities when the victim visits a compromised or malicious web page.
Once installed, the infection first tries to reach its command-and-control server. This often fails, because .bit names cannot be resolved through the host's normal DNS settings. When the connection does go through, the malware sends details about the host system and receives a public key in return. It then enumerates the file system, selecting files to encrypt by extension and skipping types it does not target.
The selected files are encrypted under that public key (in practice, ransomware of this kind typically encrypts file contents with a symmetric cipher and wraps the symmetric key with the public key; the effect is the same: without the matching private key, which only the attackers hold, the data cannot be recovered). When encryption completes, the infection drops its ransom note, offering the private key as a decryptor for a sum payable in DASH. That currency has been losing value steadily over the spring of 2018, so the crooks are likely to raise the DASH amount to keep the real value level. The sum demanded typically falls between USD 1,000 and 2,000.
Encrypted files are also renamed: Gandcrab adds a .GDCB or .CRAB extension (.GDCB in the first version, .CRAB from version 2 onward). The crooks may change these suffixes in later builds, so treat the extension as a hint, not as proof of which version you are dealing with.
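The first thing a responder wants from an affected host is scope: how many files were hit, which types, and when. The following PowerShell triage function is an added example, not code from the original article or from any GandCrab tooling. It looks for the .GDCB/.CRAB suffixes named above; the ransom-note filename patterns are an assumption and should be adjusted to what is actually found on the machine.

```powershell
# Added triage script (not part of the original article). Walks a directory
# tree, counts files carrying the .GDCB/.CRAB suffixes, works out which
# original file types were hit and bounds the time window of the encryption.

function Get-CrabTriage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Suffixes     = @('.GDCB', '.CRAB'),
        [string[]] $NotePatterns = @('*-DECRYPT.txt', '*-DECRYPT.html')   # assumption, adjust
    )

    $all = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue

    # -contains is case-insensitive, so .crab and .CRAB both match.
    $encrypted = @($all | Where-Object { $Suffixes -contains $_.Extension })

    $notes = @($all | Where-Object {
        $name = $_.Name
        ($NotePatterns | Where-Object { $name -like $_ }).Count -gt 0
    })

    # 'report.docx.CRAB' -> BaseName 'report.docx' -> original extension '.docx'
    $byType = $encrypted |
        Group-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLower() } |
        Sort-Object Count -Descending |
        Select-Object Name, Count

    # The write times of the renamed files bracket the encryption run, which
    # is the window to look at in event logs and proxy logs.
    $sorted = @($encrypted | Sort-Object LastWriteTime)
    $first  = if ($sorted.Count) { $sorted[0].LastWriteTime }  else { $null }
    $last   = if ($sorted.Count) { $sorted[-1].LastWriteTime } else { $null }

    [pscustomobject]@{
        Path            = $Path
        EncryptedFiles  = $encrypted.Count
        RansomNotes     = @($notes | ForEach-Object FullName)
        FirstEncryption = $first
        LastEncryption  = $last
        ByOriginalType  = $byType
    }
}

# Usage (elevated prompt, after the host has been isolated from the network):
#   Get-CrabTriage -Path 'C:\Users' | Format-List
#   (Get-CrabTriage -Path 'C:\Users').ByOriginalType | Format-Table
```

Run it before any cleanup so the counts and timestamps reflect the state the malware left behind; the same output is useful later to confirm that recovery covered everything.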
The recovery options that apply to Gandcrab V3 are summarized below. None of them breaks the encryption; they work by recovering earlier copies of the files.
Automatic removal of Gandcrab V3 Virus
The benefit of using an automatic security suite to get rid of this infection is straightforward: it scans the entire system and detects all remaining fragments of the virus, so you are a few mouse clicks away from a complete removal. Before starting, disconnect the machine from the network so that the infection cannot reach its server or spread to shared drives, and keep in mind that removal only stops further damage; it does not decrypt anything.
- Download and install the recommended malware security suite.
- Select Start Computer Scan and wait for the scan report. Then click Fix Threats, which starts a thorough removal process addressing all the malware issues compromising your computer and your privacy.
Restore files locked by Gandcrab V3 Virus
Gandcrab V3 Virus belongs to a category of malicious software whose damage reaches beyond the operating system and its components, which is why removing the virus itself is only part of the fix. As mentioned above, it encrypts the victim's personal data, so the next phase of remediation is to reinstate the files that would otherwise remain inaccessible.
Launch data recovery software
Like most of its fellow infections, Gandcrab V3 Virus most likely writes the encrypted content to a new file and deletes the original rather than overwriting it in place. That detail may work in your favour: forensics-oriented applications such as Data Recovery Pro can bring back deleted files as long as the disk sectors they occupied have not been overwritten since. Two caveats: stop writing to the affected disk (every new file reduces the chance of recovery), and on SSDs with TRIM enabled the freed sectors are usually wiped quickly, so expect little there. As the virus evolves, its modus operandi may change; in the meantime, go ahead and try this.
Take advantage of Volume Shadow Copy Service
This technique relies on the native backup functionality shipped with Windows. Also referred to as Volume Snapshot Service (VSS), it keeps periodic snapshots of the volume, and therefore earlier versions of the user's files, as long as System Protection (System Restore) is on. Gandcrab V3 Virus has not been observed to tamper with these snapshots, so this recovery route is strongly recommended. One check first: many ransomware families delete shadow copies before encrypting, so confirm that snapshots still exist before counting on them; if none are left, move on to the next option. The two sub-sections below describe the automatic and manual workflow.
- a) Use Shadow Explorer. Shadow Explorer is an applet that provides an easy way of retrieving previous versions of files and folders. Its pros include an intuitive interface where the computer's entire file hierarchy is displayed within one window. Pick the disk volume and a snapshot date taken before the encryption, select the object or directory to be restored, right-click it and choose Export. Follow the app's prompts to finish.
- b) Use file properties. Essentially, what Shadow Explorer automates is a process that can be performed manually through the Properties dialog of individual files. This approach is more cumbersome but just as effective, so proceed by right-clicking a file that Gandcrab V3 Virus has encrypted and selecting Properties in the context menu. Click the Previous Versions tab; it lists the available versions by snapshot date. Because the encrypted file has been renamed, it is usually more practical to open Properties on the folder that contains it: the folder's previous version still holds the file under its original name. Pick the latest copy that predates the encryption and complete the retrieval by following the prompts.
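For more than a handful of files, the Shadow Explorer and Previous Versions workflows above are tedious. The PowerShell helpers below are an added example, not code from the original article: they list the snapshots VSS still holds, expose one as a read-only directory through a symlink to its device object, and copy the pre-encryption version of every file that now carries a .GDCB/.CRAB suffix back next to it. The suffix list is the one the article gives; the mount point C:\shadow and the target path in the usage lines are assumptions. Run this from an elevated prompt and only after the malware has been removed, otherwise the restored files are simply encrypted again.

```powershell
# Added recovery helpers (not part of the original article). Standard VSS
# behaviour only: Win32_ShadowCopy enumeration plus a directory symlink to
# the snapshot's device object. Needs an elevated prompt.

function Get-ShadowSnapshots {
    # If this returns nothing there is no snapshot to restore from: either
    # System Protection was off or the snapshots were deleted, which many
    # ransomware families do deliberately before encrypting.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Mount-ShadowSnapshot {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [string] $MountPoint = 'C:\shadow'               # assumption, any unused path works
    )
    # A snapshot becomes browsable through a directory symlink to its device
    # object. The trailing backslash is required and mklink needs elevation.
    if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists" }
    cmd.exe /c mklink /d $MountPoint "$DeviceObject\" | Out-Null
    if (-not (Test-Path -LiteralPath $MountPoint)) { throw "mklink failed (not elevated?)" }
    $MountPoint
}

function Dismount-ShadowSnapshot {
    param([string] $MountPoint = 'C:\shadow')
    # rmdir removes the link itself, never the snapshot contents behind it.
    cmd.exe /c rmdir $MountPoint | Out-Null
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,   # from Mount-ShadowSnapshot
        [Parameter(Mandatory)] [string] $Target,       # directory on the snapshotted volume
        [string[]] $Suffixes = @('.GDCB', '.CRAB'),
        [switch] $WhatIf
    )
    # Map the live path onto the same path inside the snapshot
    # (C:\Users\alice\Documents -> C:\shadow\Users\alice\Documents).
    $root   = [System.IO.Path]::GetPathRoot($Target)
    $srcDir = Join-Path $MountPoint $Target.Substring($root.Length)
    $restored = 0
    $missing  = 0

    Get-ChildItem -LiteralPath $Target -Recurse -File -Force |
        Where-Object { $Suffixes -contains $_.Extension } |
        ForEach-Object {
            # Strip the ransomware suffix to get the original relative path.
            $rel      = $_.FullName.Substring($Target.Length).TrimStart('\')
            $origRel  = $rel.Substring(0, $rel.Length - $_.Extension.Length)
            $snapshot = Join-Path $srcDir $origRel
            $dest     = Join-Path $Target $origRel
            if (Test-Path -LiteralPath $snapshot) {
                if ($WhatIf) { Write-Output "would restore $dest" }
                else { Copy-Item -LiteralPath $snapshot -Destination $dest -Force; $restored++ }
            } else { $missing++ }
        }
    # The encrypted copies are left in place on purpose: keep them in case a
    # decryptor for this version is published later.
    [pscustomobject]@{ Restored = $restored; NoSnapshotCopy = $missing }
}

# Usage (paths are assumptions):
#   Get-ShadowSnapshots                                   # pick a snapshot dated before the encryption
#   $snap = Get-ShadowSnapshots | Select-Object -First 1  # newest one
#   $mp   = Mount-ShadowSnapshot -DeviceObject $snap.DeviceObject
#   Restore-FromShadow -MountPoint $mp -Target 'C:\Users\alice\Documents' -WhatIf
#   Restore-FromShadow -MountPoint $mp -Target 'C:\Users\alice\Documents'
#   Dismount-ShadowSnapshot -MountPoint $mp
```

Always do the -WhatIf pass first and compare the NoSnapshotCopy count against the number of encrypted files: files created after the chosen snapshot have no earlier copy and need one of the other recovery routes.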
Data backups work wonders
Ransomware like Gandcrab V3 Virus is nowhere near as destructive if you keep regular file backups in the cloud or on external media. The virus itself can be removed in minutes, and the encrypted data is then just as easily restored from backup. One condition: the backup must not be reachable as a writable drive or synced folder while the infection runs, because ransomware encrypts mapped drives, attached USB disks and cloud-sync folders along with everything else. Keep at least one copy offline or with version history enabled. Fortunately, backing up is a growing habit, so ransom trojans will hopefully become less damaging in the near future.
Verify thoroughness of the removal
Having carried out the instructions above, finish by running another computer scan to check for residual malware activity. If new files keep getting the .GDCB or .CRAB suffix, or the ransom note reappears, the infection is still active and the removal step needs to be repeated before any recovery is attempted.