GANDCRAB V5.0.4

This is a discussion on GANDCRAB V5.0.4 within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


Old 11-14-2018, 12:20 PM   #1
Registered Member
 
BudParker's Avatar
 
Join Date: Nov 2018
Location: Mississippi
Posts: 5
OS: Windows 7 Ultimate (64-bit)



I have been encrypted by the newest version of GANDCRAB V5.0.4. After seeing the extortion files everywhere on my system I did some research and downloaded BitDefender's GandCrab Decryption Tool. I got no results from this so I contacted BitDefender folks who said my particular version of the Trojan had not yet been encountered and dealt with.


Here is the text file:


---= GANDCRAB V5.0.4 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .IONOXSLS

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.


The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------

| 0. Download Tor browser - https://www.torproject.org/

| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: https://gandcrabmfe6mnef.onion/a2ab5c2938ea8d57
| 4. Follow the instructions on this page

----------------------------------------------------------------------------------------


On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.


ATTENTION!

IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---

---BEGIN PC DATA---
---END PC DATA---


What do you folks think?
BudParker is offline  
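A small triage parser for the note format quoted above, added here as an example and not code from this thread, from BitDefender or from any decryption tool: it pulls the version, the extension and the key block out of a note so an incident report can record them, checks that the key block still decodes as base64 (the note warns that editing it breaks recovery), and filters a directory listing down to files carrying the extension. The sample note and its key bytes are constructed for the example.

```python
import base64
import binascii
import re

HEADER_RE = re.compile(r"^---= GANDCRAB V(?P<ver>[0-9.]+) =---", re.M)
EXT_RE = re.compile(r"extension:\s*(?P<ext>\.[A-Za-z0-9]+)")
KEY_RE = re.compile(
    r"---BEGIN GANDCRAB KEY---\s*(?P<key>.*?)\s*---END GANDCRAB KEY---", re.S
)

# Constructed sample with the layout quoted in this thread; the key payload is
# made-up bytes, not the victim's blob. The blob is wrapped to mimic the real note.
SAMPLE_KEY_BYTES = b"constructed sample key bytes, not a real GandCrab key"
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_BYTES).decode()
SAMPLE_NOTE = (
    "---= GANDCRAB V5.0.4 =---\n"
    "Attention!\n"
    "All your files, documents, photos, databases and other important files "
    "are encrypted and have the extension: .IONOXSLS\n"
    "---BEGIN GANDCRAB KEY---\n"
    + SAMPLE_KEY_B64[:40] + "\n" + SAMPLE_KEY_B64[40:] + "\n"
    "---END GANDCRAB KEY---\n"
)


def parse_gandcrab_note(text):
    """Return the fields a responder records from a note, or None if the
    text does not carry the GandCrab header line."""
    header = HEADER_RE.search(text)
    if header is None:
        return None
    ext = EXT_RE.search(text)
    key = KEY_RE.search(text)
    key_bytes = None
    if key:
        raw = "".join(key.group("key").split())  # the blob wraps across lines
        try:
            key_bytes = base64.b64decode(raw, validate=True)
        except binascii.Error:
            key_bytes = None  # truncated or edited note: flag it in the report
    return {
        "version": header.group("ver"),
        "extension": ext.group("ext") if ext else None,
        "key_present": key is not None,
        "key_decodes": key_bytes is not None,
        "key_len": len(key_bytes) if key_bytes else 0,
    }


def encrypted_files(filenames, extension):
    """Filter a directory listing down to files carrying the note's extension."""
    return [name for name in filenames if name.endswith(extension)]
```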
Old 11-15-2018, 03:43 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello BudParker. Unfortunately, it currently appears there is no way to decrypt files for free. That does not mean we advise users to pay the ransom.

https://www.bleepingcomputer.com/for...eded-urgently/

https://www.bleepingcomputer.com/for...ab-decrypttxt/

You may also contact BitDefender, but it currently appears to break the BitDefender decryption tool.

https://www.bleepingcomputer.com/for...ypttxt/page-23
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 11-15-2018, 04:37 AM   #3
Registered Member
 
BudParker's Avatar
 
Join Date: Nov 2018
Location: Mississippi
Posts: 5
OS: Windows 7 Ultimate (64-bit)



The Internet used to be a dangerous place that you could recover from. Now, it appears that is no longer the case. More like a Driveby Shooting. DOA...
I have advised Bitdefender Team about this latest version of extortion (GandCrab) and they said, "We're working on it and will advise if we can decrypt it." Do you guys & gals know from what region of the Globe this Trojan originates?
BudParker is offline  
Old 11-16-2018, 02:59 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Unfortunately, you are correct. And it is likely of Russian origin:

Quote:
Interestingly, one of the most interesting features of the ransomware is that, when performing reconnaissance on the victim's system, before actually starting to encrypt files, it will identify whether the keyboard layout is in Russian and will abort the entire process, effectively choosing not to infect Russian-speaking victims.
https://labs.bitdefender.com/2018/10...e-of-the-year/

If you don't have multiple backups, you are playing Russian roulette (no pun intended).
chemist is offline  