Pierluigi Paganini May 04, 2018

The latest variant of the dreaded GandCrab ransomware,version 3, locks the infected systems running on Windows 7.

A few days ago, experts from security firm Fortinet uncovered a new spam campaign delivering a new version of the GandCrab ransomware, the version v3.

Like other ransomware, such as Locky and Sage, the GandCrab ransomware v3 also changes the wallpapers of the infected systems. However, the researchers at FortiGuard Labs that analyzed this new feature discovered a bug that can accidentally lock systems running Windows 7 OS.

The feature correctly works for both Windows 10 and Windows 8 systems.

The attack vector continues to be spam mail messages and leverages Visual Basic Scripts as droppers instead of Java Scripts.

“After this malware has encrypted the victim’s files, it forces the system to reboot. On our tests with Windows 10 and Windows 8.1 systems, the malware was able to change the wallpaper and the systems were able to start up normally, as expected. ” reads the analysis published by Fortinet.

“On Windows 7 however, for some reason booting does not finish but instead gets stuck at a point before the Windows Shell is completely loaded. That means an infected user would not have the Windows interface to interact with, rendering the entire machine seemingly unusable – reminiscent of the old lock screen ransomware behaviour. Only the ransom note wallpaper and TOR Browser download site can be seen by the user.”

The flaw wasn’t intentional because the instructions on the ransom note tell the victim to read a copy of one of the“CRAB-DECRYPT.txt” ransom notes left on the infected system for payment instructions.  Windows interface, users cannot do it and will not pay the ransom.

Victims can force the reboot to proceed by launching the Task Manager using the CTRL+SHIFT+DEL keys combination, then killing process associated with the malware and reboot the system. However, this might not solve the problem either because of the persistence mechanism implemented by the malware.

The only way the victims have to prevent the “lock screen” from appearing in subsequent reboots is to delete the malware executable from APPDATA%\Microsoft\<random chars>.exe once killed the process using Task Manager. Victims should also delete the autorun registry associated with the ransomware.

“Seeing a ransom note and realizing that all of your files are gone is frustrating on so many levels. And it’s even more frustrating (if that’s even possible) when on top of that you also lose your access to the machine. Malware flaws with unintended consequences are really quite common, which is another reason why being extra cautious with unsolicited emails is very important.” concludes Fortinet. “As a general rule, any unexpected emails with attachments (an executable or a document) must be scanned and verified first before opening. And as always, create isolated backups for your important files.” 

Pierluigi Paganini

(Security Affairs – GandCrab ransomware, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]