Dealing with GandCrab v5.1

“Ransomware”, “cryptoviruses”: as a cyber security student, these were just buzzwords to me. I thought ransomware attacks happened to organizations, or institutes, or basically other people, people who might actually have something valuable. Do you see where this is going?

So one fine day my dad calls me from the other room; I go in and he points at the PC monitor. (Yes, we still have a desktop PC that my parents use.)

Anyway, this is what I see as the desktop wallpaper:

[Image: the GandCrab desktop wallpaper. Source: https://sensorstechforum.com]

For the uninitiated: the GandCrab ransomware, like basically any ransomware, encrypts your files and demands a ransom, usually in the form of Bitcoin or DASH, in exchange for the key needed to decrypt them. If the victim fails to pay before a particular deadline, the ransom price doubles.

The initial ransom note on my PC, in the file called GVHZVBK-DECRYPT.txt looked like this:

— = GANDCRAB V5.1 = —

UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: GVHZVBK

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — –

| 0. Download Tor browser — https://www.torproject.org/

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser <the link was here>
| 4. Follow the instructions on this page

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — –

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

And then two random-looking strings.

So each file on the PC now had the extension GVHZVBK (v5.1 appends a random alphabetic extension, different for each infection) added after its original name, and each file was apparently encrypted. Also, each folder and its sub-folders had a copy of this ransom note (GVHZVBK-DECRYPT.txt).

Of course the ransomware skipped essential Windows files, such as system files and program files, so that the PC still remains functional (a victim who cannot boot cannot read the note or pay).

So now I’m stuck with an infected PC and no intention of paying a ransom. I cannot become a ransomware expert overnight, so I decide to do the next best thing: I have a victim PC, so I start making observations.

To give a little context, the PC runs Windows 7 and has no password set on the user profile (again, I don’t use it :/). There is also no antivirus, and Windows Defender was disabled (whaaaat! I felt like flipping a table). This PC does not really have any critical data, or basically anything blackmail-worthy. The only thing we’d regret losing were some childhood videos stored on it from our Sony Handycam (remember when phones didn’t have awesome cameras?).

Anyway, I search for information on GandCrab and find that the most common way it propagates is through spam email. I couldn’t find any emails that matched the profile.

It also propagates through faulty software updates, so that could have happened. But back to the data.

I searched for the said videos and, on a whim, just tried to play them. And they played normally! Apart from the added extension, they were perfectly fine. While all the Word documents, PDFs, Excel files and images were successfully damaged/encrypted, the videos were fine. There were also some jpg files on the D drive that were unaffected. Encouraged, I found a folder with some old mp3s (remember Roar by Katy Perry, or Beating Heart by Ellie Goulding? And good old Taylor Swift?) and tried to play them. Some of them played too! I don’t understand how one played and another didn’t, and I’m no closer to figuring it out.

So finally, I figured I could just take a backup of the videos on a pendrive and then just format the whole PC. So I took out a pendrive I hadn’t used in a while and plugged it into my laptop, to empty it out and create space for the videos. By sheer luck, this pendrive not only had a backup of every single video we wanted, but also a lot of the docx, pdf and jpeg files from a long time back. Turns out we took a backup a few years ago when we were experiencing some other problems and decided to format the PC.

So luckily, this attack didn’t have any major impact on us. My dad plans on getting the whole thing formatted and Windows reinstalled again (I told him to get an updated Windows).

But I think it would be better if we just switched to Linux. It’s hard to convince my parents though, since they’ve been using Windows for 12 years, and have no idea what Linux is, even though I’ve tried explaining. :P

Just another day in the life of an engineer with a very non-engineer family, if that makes any sense.

Master’s student in Cyber Security