GandCrab V5 ransomware has surfaced in the wild with some noticeable changes. It is believed that the ransomware is distributed via spam emails. GandCrab V5 appends a random five-character extension to encrypted files and has a new HTML ransom note. When executed, the ransomware scans the machine and any network shares for files to encrypt, enumerating all shares on the network as it scans. During encryption it also drops ransom notes titled “[extension]-DECRYPT.html”. The note informs the victim that they have been infected and gives instructions on how to access the TOR payment page. On the payment site, the victim is presented with the ransom amount, $800 USD in DASH cryptocurrency. Users are advised to back up their files and be cautious when opening emails from unfamiliar sources.
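The note naming scheme and random extension described above give a defender two cheap artifacts to hunt for on file shares. The following is an added example, not code from the original advisory or from Binary Defense: it matches "[extension]-DECRYPT.html" note names (assuming the five characters are alphanumeric and matching case-insensitively, which the advisory does not state), then counts files carrying that extension; the file listing is constructed for the demonstration.

```python
"""Hunt for GandCrab V5-style ransom-note artifacts in a file listing."""
import re
from pathlib import PureWindowsPath

# Note name: five alphanumeric chars, then "-DECRYPT.html".
# The charset and case-insensitivity are assumptions; the advisory
# only gives the "[extension]-DECRYPT.html" shape.
NOTE_RE = re.compile(r"^([A-Za-z0-9]{5})-DECRYPT\.html$", re.IGNORECASE)


def find_ransom_notes(paths):
    """Return {extension: [note paths]} for every file whose name matches."""
    notes = {}
    for p in paths:
        m = NOTE_RE.match(PureWindowsPath(p).name)
        if m:
            notes.setdefault(m.group(1).lower(), []).append(p)
    return notes


def count_encrypted(paths, extension):
    """Count files whose final suffix is the random extension named in a note."""
    wanted = "." + extension.lower()
    return sum(1 for p in paths if PureWindowsPath(p).suffix.lower() == wanted)


def assess(paths):
    """Summarise evidence per extension: how many notes, how many renamed files."""
    return {
        ext: {"notes": len(ns), "encrypted_files": count_encrypted(paths, ext)}
        for ext, ns in find_ransom_notes(paths).items()
    }


# Constructed sample listing (not real telemetry): two folders on one share.
SAMPLE = [
    r"\\fileserver\finance\Q3.xlsx.kxvpq",
    r"\\fileserver\finance\budget.docx.kxvpq",
    r"\\fileserver\finance\KXVPQ-DECRYPT.html",
    r"\\fileserver\hr\notes.txt",
    r"\\fileserver\hr\KXVPQ-DECRYPT.html",
    r"\\fileserver\hr\README.html",  # ordinary HTML file, must not match
]

if __name__ == "__main__":
    print(assess(SAMPLE))  # {'kxvpq': {'notes': 2, 'encrypted_files': 2}}
```

A single note with zero files bearing its extension is still worth an alert, since the note may be written before the first file in that folder is renamed.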
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense