The GandCrab ransomware V4 appears in the threat landscape
4.7.18 securityaffairs
Ransomware

A new variant of the infamous GandCrab ransomware (V4) was released during the weekend, and experts have shared details of the threat.
A new version of the dreaded GandCrab ransomware (V4) was released during the weekend and, according to the experts, it includes numerous changes.

Fly
@china591
New #GandCrab version "V4" GANDCRAB V4 Ransomware – Remove and Restore .KRAB Encrypted Files

Fly
@china591
Replying to @malwrhunterteam and 2 others
https://www.virustotal.com/#/file/ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23/detection …
https://app.any.run/tasks/daa35edf-94dc-416b-a7b1-fd45b6900c43 …

MD5: 97a910c50171124f2cd8cfc7a4f2fa4f
SHA-1: 3737d782cb64fa92d2c42f3c2857ee2295dc8aa4
Authentihash: d64152842b2b787a86bb5dd2084ae40efd9914df8a880eb242f67ce5447a46f6

10:29 AM - Jul 3, 18
The GandCrab ransomware V4 uses a different encryption algorithm (likely the Salsa20 stream cipher) and a new TOR payment site (gandcrabmfe6mnef.onion); it appends the “.KRAB” extension to the names of encrypted files and uses a new ransom note name.

GandCrab ransomware V4

Marcelo Rivero
@MarceloRivero
· 3 Jul
#GandCrab #v4 🦀🆕
[+] Extension: ".KRAB"
[+] Internal version: 4.0
[+] Note: KRAB-DECRYPT.txt
[+] Tor: gandcrabmfe6mnef[.]onion
[-] No more wallpaper routine and no C2C.
https://beta.virusbay.io/sample/browse/97a910c50171124f2cd8cfc7a4f2fa4f … pic.twitter.com/dvw604AKBG

Marcelo Rivero
@MarceloRivero
#GandCrab V4 internal version: 4.0 - seems to use now #Salsa20 stream cipher 🧐 pic.twitter.com/Op01bBC50g

4:42 AM - Jul 3, 18
The GandCrab authors left a message in the code for Daniel J. Bernstein, the University of Illinois at Chicago computer science professor who created the Salsa20 algorithm.

@hashbreaker Daniel J. Bernstein let's dance salsa <3
According to the malware researcher Fly, the GandCrab ransomware V4 is currently being distributed through fake software crack sites.

“The ransomware distributors will hack legitimate sites and set up fake blogs that offer software crack downloads. When a user downloads and runs these cracks, they will install the GandCrab Ransomware onto the computer,” wrote Lawrence Abrams from Bleeping Computer.

Like previous variants, when GandCrab ransomware V4 is executed it will scan the computer and network shares for files to encrypt.

Abrams added that this variant enumerates all shares on the network, not just mapped drives. Once the files are encrypted, the ransomware creates ransom notes named KRAB-DECRYPT.txt that include payment instructions. The ransom amount is currently $1,200 USD worth of DASH (DSH) cryptocurrency.
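The two host-side indicators named above (the “.KRAB” extension on encrypted files and the KRAB-DECRYPT.txt ransom note pointing at the Tor payment site) are enough for a quick triage sweep of a suspect machine or share. The following script is an added example, not code from the article or from any of the researchers quoted; the directory tree it scans is constructed in a temp folder, and the ransom-note text it writes is a placeholder, not the real note.

```python
"""Triage helper: locate GandCrab V4 artifacts (.KRAB files, KRAB-DECRYPT.txt notes)."""
import os
import tempfile

KRAB_EXT = ".KRAB"                      # extension appended to encrypted files
NOTE_NAME = "KRAB-DECRYPT.txt"          # ransom note dropped per directory
PAYMENT_HOST = "gandcrabmfe6mnef.onion"  # Tor payment site named in the article


def triage(root):
    """Walk `root` and return {relative_dir: summary} for every directory
    that shows at least one indicator. The summary records how many .KRAB
    files were found, whether the note is present, and whether the note
    references the known payment host (helps distinguish V4 from copycats)."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.upper().endswith(KRAB_EXT)]
        has_note = NOTE_NAME in filenames
        mentions_tor = False
        if has_note:
            with open(os.path.join(dirpath, NOTE_NAME), "r", errors="replace") as fh:
                mentions_tor = PAYMENT_HOST in fh.read()
        if encrypted or has_note:
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": len(encrypted),
                "note": has_note,
                "note_mentions_tor": mentions_tor,
            }
    return report


def build_sample_tree():
    """Create a constructed (fake) tree mimicking one hit directory and one
    clean directory on an infected host. Returns the tree's root path."""
    root = tempfile.mkdtemp(prefix="krab_demo_")
    docs = os.path.join(root, "Documents")
    clean = os.path.join(root, "Clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for name in ("report.docx.KRAB", "budget.xlsx.KRAB"):  # constructed names
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00constructed ciphertext placeholder\x00")
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        # placeholder note text; only the payment host comes from the article
        fh.write("(constructed note) payment instructions: http://" + PAYMENT_HOST + "/\n")
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("untouched file\n")
    return root


if __name__ == "__main__":
    for path, info in triage(build_sample_tree()).items():
        print(path, info)
```

Pointing `triage()` at a mounted network share gives a per-directory map of the spread, which is useful for scoping since this variant also encrypts unmapped shares.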

GandCrab ransomware V4

The TOR payment site includes a support section where victims can send messages to the developers and request that one file be decrypted for free as proof that the operators can actually recover the data.

The bad news is that, at this time, victims of GandCrab ransomware v4 cannot decrypt their files for free.