Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

GandCrab v5.0.3 Ransomware (.<5~10 Digit Random Extension>)

  • Distribution Method : Download file by user
  • MD5 : 44f1c28272d675ec4111c9210f050278
  • Major Detection Name : Win-Trojan/Gandcrab09.Exp (AhnLab V3), Ransom:Win32/Gandcrab!MTB (Microsoft)
  • Encrypted File Pattern : .<5~10 Digit Random Extension>
  • Malicious File Creation Location : C:\Users\%UserName%\<Random>.exe
  • Payment Instruction File : <Encryption Extension>-DECRYPT.txt
  • Major Characteristics :
     - Offline Encryption
     - File encryption using system file "C:\Windows\System32\wermgr.exe" or "C:\Windows\SysWOW64\wermgr.exe".
     - Includes removal of antivirus (AhnLab V3, avast! Antivirus) and stop the Windows Defender service using javascript.
     - Block processes execution (dbsnmp.exe, msftesql.exe, oracle.exe, sqlagent.exe, sqlbrowser.exe, sqlwriter.exe etc.)
     - Disable system restore (wmic.exe shadowcopy delete)
     - Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\pidor.bmp)