What is GandCrab 5.1 ransomware? And how does it execute its attack?

GandCrab 5.1 ransomware is the latest variant of the notorious GandCrab ransomware. This variant has been caught spreading through .JS (JavaScript) files. According to security researchers, the malicious JS files are disguised as JPEG images and embedded in a .ZIP archive attached to emails. Opening the archive yields a file named “PIC0101302924102- jpg.JS”; the double extension is meant to make a script look like a picture. Double-clicking the script runs it under Windows Script Host, and the script launches GandCrab 5.1 ransomware on the targeted machine using the following malicious executables:

  • Name: TempoJB62.exe
    SHA256: dffc26736e57470e4c56e4adf3f0425080c43a136d0dd72c22075fde3efd2239
  • Name: 2510619273.exe
    SHA256: be0c8cdc1937d05242c672e3e61097dd1b48466839ac0a64e883d159a8df7343
One notable difference in this variant is that it creates a hidden window named “AnaLab_sucks” which runs a timer for a short while before the payload continues; a delay of this kind is commonly used to outlast automated sandboxes. After that, it follows the same sequence of actions as earlier GandCrab variants. It starts by dropping a malicious file with the following IOCs:
  • Name: 1.exe
  • Size: 361.50 KB
  • MD5: E387BD817E9B7F02FA9C2511CC345F12
  • SHA1: 98b3ec47b64198e3604c738f8c1f4753e0afa8c7
  • SHA256: 39514226b71aebbe775aa14627c716973282cba201532df3f820a209d87f6df9
Once this file is dropped, it runs the legitimate Windows component “wmic.exe” with administrative privileges to delete the Volume Shadow Copies on the infected system. Shadow copies are what System Restore points and the “Previous Versions” feature are built on, so deleting them removes the victim’s easiest local recovery path. The crypto-virus does this by executing the following command from an elevated Command Prompt (the command fails without elevation):
“C:\Windows\system32\wbem\wmic.exe” shadowcopy delete
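The command above is the behaviour to alert on: deleting shadow copies is rare in everyday administration and common across ransomware families. As an added example (not code from the original page and not part of any GandCrab analysis), here is a small Python rule set run over constructed process-creation events laid out Sysmon-style as `ParentImage | Image | CommandLine`. The field layout and the sample events are invented for the demo; the rules go beyond the page's wmic command to the vssadmin, wbadmin, bcdedit and PowerShell variants that other ransomware families use for the same purpose.

```python
import re

# Constructed process-creation events in the style of Sysmon Event ID 1
# (ParentImage | Image | CommandLine). Invented for this example, not real logs.
SAMPLE_EVENTS = [
    r"ParentImage: C:\Users\bob\AppData\Local\Temp\1.exe | Image: C:\Windows\System32\wbem\WMIC.exe | "
    r'CommandLine: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
    r"ParentImage: C:\Windows\System32\cmd.exe | Image: C:\Windows\System32\vssadmin.exe | "
    r"CommandLine: vssadmin.exe delete shadows /all /quiet",
    r"ParentImage: C:\Windows\explorer.exe | Image: C:\Windows\System32\wbem\WMIC.exe | "
    r"CommandLine: wmic process list brief",
    r"ParentImage: C:\Program Files\BackupAgent\agent.exe | Image: C:\Windows\System32\vssadmin.exe | "
    r"CommandLine: vssadmin list shadows",
    r"ParentImage: C:\Users\bob\AppData\Local\Temp\2510619273.exe | Image: C:\Windows\System32\wbadmin.exe | "
    r"CommandLine: wbadmin delete catalog -quiet",
    r"ParentImage: C:\Windows\System32\cmd.exe | Image: C:\Windows\System32\bcdedit.exe | "
    r"CommandLine: bcdedit /set {default} recoveryenabled No",
]

# Command lines that destroy or disable recovery data. The first is the one this
# page documents; the others are the usual variants seen in other ransomware.
RULES = {
    "wmic_shadowcopy_delete": r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "vssadmin_delete_shadows": r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "vssadmin_resize_shadowstorage": r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b",
    "wbadmin_delete_catalog": r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b",
    "bcdedit_disable_recovery": r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    "powershell_remove_shadowcopy": r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))",
}
COMPILED = {name: re.compile(pattern, re.IGNORECASE) for name, pattern in RULES.items()}

# A parent living in a user-writable location (where droppers land) is more suspicious
# than cmd.exe launched by an administrator.
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp|Downloads|Desktop)\\", re.IGNORECASE)


def parse_event(line):
    """Split one 'Key: value | Key: value' line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def match_rules(command_line):
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]


def scan(events):
    """Run the rules over the events; a user-writable parent path raises severity."""
    hits = []
    for line in events:
        ev = parse_event(line)
        parent = ev.get("ParentImage", "")
        for rule in match_rules(ev.get("CommandLine", "")):
            hits.append({
                "rule": rule,
                "severity": "high" if USER_WRITABLE.search(parent) else "medium",
                "parent": parent,
                "image": ev.get("Image", ""),
                "cmdline": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h['severity']}] {h['rule']}: {h['parent']} -> {h['cmdline']}")
```

Run against the samples, the wmic and wbadmin events launched from %TEMP% come out as high severity, the vssadmin and bcdedit events from cmd.exe as medium, and the two benign listings (`wmic process list brief`, `vssadmin list shadows`) are not flagged. In a real deployment the same patterns map directly onto Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled.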
After deleting the Volume Shadow Copies, it opens its ransom note, named “[user’s_ID]-DECRYPT.txt”, which contains the following message:
“—= GANDCRAB V5.1 =—
UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension:
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
—————————————————————————————–
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/ b6314679c4ba3647/
| 4. Follow the instructions on this page
—————————————————————————————–
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW”
During encryption, GandCrab 5.1 ransomware uses the Salsa20 stream cipher. Salsa20 is far faster than a public-key algorithm such as RSA and competitive with AES in software, so the ransomware can work through the targeted files quickly. Each encrypted file is given a new extension made of random characters, which is the same string used as the victim’s ID in the ransom note name. GandCrab 5.1 ransomware skips the following Windows directories when encrypting files:

  • \ProgramData\
  • \Program Files\
  • \Tor Browser\
  • Ransomware
  • \All Users\
  • \Local Settings\

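To show what “uses the Salsa20 cipher” means in practice, here is an added pure-Python Salsa20/20 implementation written for this page; it is not GandCrab code and reproduces nothing of the malware’s key handling. It demonstrates why a stream cipher is fast (the core is only 32-bit add, rotate and xor), why encryption and decryption are one and the same operation, and why a ransomware author needs a fresh key and nonce per file: with a reused keystream, the xor of two ciphertexts equals the xor of the two plaintexts. The `encrypt_file_bytes` helper with a random per-file key and nonce is an illustrative assumption about per-file handling, not a documented GandCrab detail.

```python
import os
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # Salsa20 constant for 32-byte keys
# A Salsa20 double round applies quarterround to the columns, then to the rows.
COLUMN_GROUPS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROW_GROUPS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))


def rotl(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(a, b, c, d):
    """Salsa20 quarterround: only add, rotate and xor, which is why it is fast."""
    b ^= rotl((a + d) & MASK, 7)
    c ^= rotl((b + a) & MASK, 9)
    d ^= rotl((c + b) & MASK, 13)
    a ^= rotl((d + c) & MASK, 18)
    return a, b, c, d


def salsa20_block(state):
    """Salsa20/20 hash of a 16-word state: 10 double rounds, then add the input."""
    x = list(state)
    for _ in range(10):
        for groups in (COLUMN_GROUPS, ROW_GROUPS):
            for i, j, k, l in groups:
                x[i], x[j], x[k], x[l] = quarterround(x[i], x[j], x[k], x[l])
    return struct.pack("<16I", *((x[i] + state[i]) & MASK for i in range(16)))


def initial_state(key, nonce, counter):
    """Lay out constants, key, nonce and 64-bit block counter as the spec does."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    s = struct.unpack("<4I", SIGMA)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = (counter & MASK, (counter >> 32) & MASK)
    return [s[0], k[0], k[1], k[2], k[3],
            s[1], n[0], n[1], c[0], c[1],
            s[2], k[4], k[5], k[6], k[7], s[3]]


def salsa20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt: xor the data with the keystream (one routine does both)."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        keystream = salsa20_block(initial_state(key, nonce, counter + offset // 64))
        out.extend(p ^ k for p, k in zip(data[offset:offset + 64], keystream))
    return bytes(out)


def encrypt_file_bytes(plaintext, key=None):
    """Per-file encryption as a ransomware would do it (assumed, not GandCrab's code):
    a fresh random key and nonce for every file, returned to the caller."""
    key = key or os.urandom(32)
    nonce = os.urandom(8)
    return key, nonce, salsa20_xor(key, nonce, plaintext)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key, nonce, p1, p2):
    """Why each file needs its own key/nonce: with a shared keystream c1 ^ c2 == p1 ^ p2."""
    c1 = salsa20_xor(key, nonce, p1)
    c2 = salsa20_xor(key, nonce, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)
```

The quarterround test vector from the Salsa20 specification (`quarterround(1, 0, 0, 0)` gives `0x08008145, 0x00000080, 0x00010200, 0x20500000`) and the fact that the hash of an all-zero state is all zeros are enough to check the core; decrypting is just calling `salsa20_xor` again with the same key, nonce and counter. The practical consequence for a victim is the opposite of the reuse case: when the malware really does use a unique key per file and never writes that key to disk unprotected, the ciphertext alone gives nothing back, which is why the only recovery paths are backups or a flaw in the malware’s key management.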
After the encryption, aside from displaying the ransom note given above, GandCrab 5.1 ransomware also changes the desktop wallpaper of the infected computer.
How does GandCrab 5.1 ransomware proliferate?
As pointed out earlier, GandCrab 5.1 ransomware spreads through .JS files distributed in malicious spam email campaigns; the script is packed inside an archive (.ZIP or .7Z) whose name carries a fake document or image extension. According to a victim, the questionable emails contain the following content:
“From: Deanna Bennett <>
Subject: Payment Invoice #93611
Attachment: DOC402942349491-PDF.7Z
Dear Customer,
To read your document please open the attachment and reply as soon as possible.
Kind regards,
TCR Customer Support”
To remove GandCrab 5.1 ransomware from your infected computer, follow the removal instructions below thoroughly. Bear in mind that removing the malware stops further damage but does not decrypt the files that were already encrypted.
Step 1: Restart your PC and boot into Safe Mode with Command Prompt. On Windows 7 and earlier, press F8 repeatedly during startup until the Advanced Boot Options menu appears. On Windows 8 and later, F8 is normally not honoured; instead hold Shift while clicking Restart, then choose Troubleshoot > Advanced options > Startup Settings > Restart and pick Safe Mode with Command Prompt from the list that appears.

Step 2: In the Advanced Boot Options menu, move to Safe Mode with Command Prompt using the arrow keys and hit Enter.
Step 3: After the Command Prompt loads, type cd restore and hit Enter.

Step 4: After cd restore, type rstrui.exe and hit Enter.

Step 5: A new window will appear, and then click Next.

Step 6: Select a Restore Point from the list that predates the infection and click Next. This returns the system files and registry to their state before GandCrab 5.1 ransomware arrived (it does not bring back encrypted user files). Restore points are stored as Volume Shadow Copies, and this ransomware deletes those in the wmic step described above, so the list may well be empty; if it is, skip to Step 7. When the confirmation dialog appears, click Yes.

Step 7: After System Restore completes, re-enable the tools that the ransomware may have disabled through policy (Command Prompt, Registry Editor and Task Manager).

  1. Press Win + R keys to launch Run.
  2. Type gpedit.msc in the box and press Enter to open the Local Group Policy Editor.
  3. In the Group Policy Editor, navigate to:
    1. User Configuration\Administrative Templates\System
  4. Open Prevent access to the command prompt.
  5. Select Disabled to re-enable cmd.
  6. Click the OK button.
  7. Then go to:
    1. User Configuration\Administrative Templates\System
  8. Double-click Prevent access to registry editing tools.
  9. Choose Disabled and click OK.
  10. Navigate to:
    1. User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options
  11. Double-click Remove Task Manager.
  12. Set it to Disabled and click OK.

gpedit.msc is not included in Windows Home editions. The same three policies are plain registry values: DisableCMD under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, and DisableRegistryTools and DisableTaskMgr under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System; deleting those values (or setting them to 0) has the same effect. If the ransomware also blocked regedit, use the Command Prompt from Step 1 with reg.exe to do it.

Step 8: Open Task Manager by pressing Ctrl + Shift + Esc. On the Processes tab, look for the processes belonging to GandCrab 5.1 ransomware, such as “GandCrab v5.1.exe” and the dropper executables named earlier (TempoJB62.exe, 2510619273.exe, 1.exe), and end them all. Note that “wmic.exe” is a legitimate Windows component that the ransomware abuses; end it only if it is running the shadowcopy delete command shown above.

Step 9: Press Windows key + R to launch Run, type appwiz.cpl in the box and click OK to open the list of installed programs. From there, look for GandCrab 5.1 ransomware or any other unfamiliar program and uninstall it.

Step 10: Tap Windows + E to open File Explorer, then navigate to the following directories and delete the malicious files created by GandCrab 5.1 ransomware, such as TempoJB62.exe, 2510619273.exe, 3449440902.exe, GandCrab v5.1.exe, putty.exe, Analysis’s Restrain, Technologyword, output.115120150.txt, 4.exe and 1.exe. Keep a copy of the ransom note [victim’s ID]-DECRYPT.txt and of the encrypted files until they are recovered: the note carries the victim ID that any recovery attempt will need.

  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop
  • %TEMP%

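Rather than eyeballing file names, which the attackers change freely, you can hash whatever is in those directories and compare the results against the IOCs quoted earlier on this page. This is an added Python example, not a tool from the page or its author. The `demo()` function runs the scanner on constructed files in a temporary directory; the stand-in “2510619273.exe” it creates is harmless bytes whose hash is added to a copy of the IOC set so that the match path is exercised, and the Step 10 directory list is only expanded when the script is run directly on Windows.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File hashes quoted on this page for the GandCrab 5.1 components (lower-cased,
# because hashlib returns lower-case hex).
PAGE_IOCS = {
    "sha256": {
        "dffc26736e57470e4c56e4adf3f0425080c43a136d0dd72c22075fde3efd2239",  # TempoJB62.exe
        "be0c8cdc1937d05242c672e3e61097dd1b48466839ac0a64e883d159a8df7343",  # 2510619273.exe
        "39514226b71aebbe775aa14627c716973282cba201532df3f820a209d87f6df9",  # 1.exe
    },
    "sha1": {"98b3ec47b64198e3604c738f8c1f4753e0afa8c7"},  # 1.exe
    "md5": {"e387bd817e9b7f02fa9c2511cc345f12"},  # 1.exe
}
# Directories named in Step 10; expanded with os.path.expandvars at run time on Windows.
STEP10_DIRS = [r"%USERPROFILE%\Downloads", r"%USERPROFILE%\Desktop", r"%TEMP%"]
NOTE_SUFFIX = "-DECRYPT.txt"  # ransom note name pattern from this page


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of a file, read in 1 MiB chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_dirs(dirs, iocs=PAGE_IOCS):
    """Walk the directories and report files whose hash matches an IOC or whose
    name matches the ransom-note pattern. Returns sorted (path, reason) pairs."""
    findings = []
    for base in dirs:
        root = Path(os.path.expandvars(base))
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if not path.is_file():
                continue
            if path.name.endswith(NOTE_SUFFIX):
                findings.append((str(path), "ransom note name pattern"))
                continue
            for algo, value in hash_file(path).items():
                if value in iocs.get(algo, ()):
                    findings.append((str(path), f"{algo} matches IOC {value}"))
                    break
    return sorted(findings)


def demo():
    """Exercise the scanner on constructed files in a temp dir (no real malware)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "notes.txt").write_bytes(b"harmless constructed file\n")
    stand_in = tmp / "2510619273.exe"
    stand_in.write_bytes(b"constructed stand-in, NOT the real dropper\n")
    (tmp / "KJHSD-DECRYPT.txt").write_bytes(b"---= GANDCRAB V5.1 =--- (constructed)\n")
    # Copy the page's IOC set and add the stand-in's hash so the match path runs.
    iocs = {algo: set(values) for algo, values in PAGE_IOCS.items()}
    iocs["sha256"].add(hash_file(stand_in)["sha256"])
    return scan_dirs([str(tmp)], iocs)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
    for path, reason in scan_dirs(STEP10_DIRS):
        print(f"{reason}: {path}")
```

Hash matches only catch these exact samples: a repacked dropper has a different hash, and the attackers rotate file names as freely as they rotate the random extension. Treat the behavioural signal (the shadow copy deletion above) as the durable detection and the hash list as confirmation.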
Step 11: Close the File Explorer.
Before you proceed to the next steps, make sure you know how to use and navigate the Windows Registry: a wrong edit there can leave the system unbootable, so export each key you touch first (File > Export in Registry Editor) before changing it. If you would rather not edit the registry by hand, you can use [product-name] instead. Otherwise, continue with the steps below.
Step 12: Tap Win + R to open Run, type regedit in the field and tap Enter to open the Registry Editor.

Step 13: Navigate to the keys listed below and delete only the values that GandCrab 5.1 ransomware added: the wallpaper or background entries that point at the malware’s image, and any Run/RunOnce entries that launch the files named in Step 10. Do not delete the keys themselves, since Windows and legitimate software keep their own settings there.

  • HKEY_CURRENT_USER\Control Panel\Desktop\
  • HKEY_USERS\.DEFAULT\Control Panel\Desktop\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
  • HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut (a value under the Desktop key, not a key of its own)

Step 14: Close the Registry Editor and empty your Recycle Bin.
You have to continue the GandCrab 5.1 ransomware removal process using a reliable program like [product-name] once you’re done with the steps given above. To do so, follow the advanced removal steps below.
Perform a full system scan using [product-code]:

  1. Turn on your computer. If it’s already on, reboot it.
  2. As soon as the BIOS/POST screen appears, press F8 repeatedly until the Advanced Boot Options menu shows up. If Windows starts normally instead, reboot and try again; on Windows 8 and later use the Shift + Restart route described in Step 1.
  3. Use the arrow keys to select Safe Mode with Networking and hit Enter.
  4. Windows will now load Safe Mode with Networking.
  5. Press the Windows key and R together; the Run box will appear.
  6. Type [product-url] into the Run box and tap Enter or click OK.
  7. The program will download. Wait for the download to finish, then open the launcher to install it.
  8. Once the installation is complete, run [product-code] to perform a full system scan.
  9. After the scan completes, click the “Fix, Clean & Optimize Now” button.

 


Copyright © 2024, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: FixMyPcFree.com is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only.
