GandCrab v3.0 Ransomware (.CRAB)

  • Distribution Method: automatic infection via an exploit when visiting a website, or via an e-mail attachment
  • MD5: bf9982a200bd7b30226e2ac1c2f2759f
  • Major Detection Name: TR/Ransom.ssaxe (Avira), a variant of Win32/GenKryptik.BYNJ (ESET)
  • Encrypted File Pattern: .CRAB
  • Malicious File Creation Location:
      - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CRAB-DECRYPT.txt
      - C:\Users\%UserName%\AppData\Roaming\Microsoft\<Random>.exe
  • Payment Instruction File: CRAB-DECRYPT.txt
  • Major Characteristics:
      - When the infection arrives through a vulnerability, the ransomware performs file encryption through the svchost.exe system file (C:\Windows\SysWOW64\svchost.exe -k ahnlab)
      - Blocks execution of processes such as msftesql.exe, oracle.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe and sqlwriter.exe
      - Deletes volume shadow copies to disable system restore (wmic.exe shadowcopy delete)
      - Automatically reboots Windows once file encryption is complete (shutdown -r -t 60 -f)
      - Changes the desktop background (C:\Users\%UserName%\AppData\Local\Temp\pidor.bmp)
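The command lines listed above are the kind of process-creation telemetry an EDR or Sysmon pipeline can alert on. The following is an added example, not part of the original AppCheck write-up: it matches each listed behaviour against constructed sample events in a hypothetical "timestamp|host|image|command line" format and only rates a host as high confidence when the whole chain (svchost -k ahnlab, shadow copy deletion, forced reboot) fires there, since a lone svchost -k <group> launch is routine on Windows.

```python
import re
from typing import Dict, List, Set, Tuple

# Detection rules built from the behaviours listed on this page:
# (rule name, expected image-path suffix, regex over the command line).
RULES: List[Tuple[str, str, str]] = [
    ("gandcrab_svchost_k_ahnlab",   r"\syswow64\svchost.exe", r"-k\s+ahnlab\b"),
    ("shadow_copy_deletion",        r"\wmic.exe",             r"shadowcopy\s+delete"),
    ("forced_reboot_after_encrypt", r"\shutdown.exe",         r"-r\s+-t\s+60\s+-f"),
]

# Constructed sample process-creation events (not real telemetry).
# Format is hypothetical: "timestamp|host|image|command line".
SAMPLE_EVENTS: List[str] = [
    r"2018-05-01T10:00:01|WS01|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2018-05-01T10:00:05|WS01|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption",
    r"2018-05-01T10:03:12|WS01|C:\Windows\SysWOW64\svchost.exe|C:\Windows\SysWOW64\svchost.exe -k ahnlab",
    r"2018-05-01T10:03:40|WS01|C:\Windows\System32\wbem\WMIC.exe|wmic.exe shadowcopy delete",
    r"2018-05-01T10:09:55|WS01|C:\Windows\System32\shutdown.exe|shutdown -r -t 60 -f",
    r"2018-05-01T11:00:00|WS02|C:\Windows\System32\shutdown.exe|shutdown -r -t 60 -f",
]


def match_event(image: str, cmdline: str) -> List[str]:
    """Return the names of every rule that fires on one process-creation event."""
    img = image.lower()
    return [name for name, suffix, pattern in RULES
            if img.endswith(suffix) and re.search(pattern, cmdline, re.IGNORECASE)]


def scan_events(events: List[str]) -> List[Tuple[str, str, str]]:
    """Parse the sample format and return (timestamp, host, rule) alerts in log order."""
    alerts: List[Tuple[str, str, str]] = []
    for line in events:
        ts, host, image, cmdline = line.split("|", 3)
        for rule in match_event(image, cmdline):
            alerts.append((ts, host, rule))
    return alerts


def hosts_matching_chain(events: List[str]) -> List[str]:
    """Hosts on which all three behaviours fired; a single rule alone is a weak signal."""
    by_host: Dict[str, Set[str]] = {}
    for _, host, rule in scan_events(events):
        by_host.setdefault(host, set()).add(rule)
    required = {name for name, _, _ in RULES}
    return sorted(h for h, fired in by_host.items() if required <= fired)


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print("high-confidence hosts:", hosts_matching_chain(SAMPLE_EVENTS))
```

WS02 shows only the reboot and is reported as a single alert, not as a high-confidence host.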