
Doctor Web warns of a new encryption ransomware

February 5, 2018

Encryption ransomware, which encrypts files on an infected device and demands a ransom for their decryption, still poses a serious threat. Doctor Web is warning users about the spread of yet another such Trojan.

The Trojan, which its creators dubbed “GandCrab!”, has been added to the Dr.Web virus databases under the name Trojan.Encoder.24384. It appends the extension *.GDCB to encrypted files. Currently, two versions of this encoder are known.

Once launched on an attacked device running Microsoft Windows, Trojan.Encoder.24384 can collect information on running anti-virus processes. It then performs a check to prevent itself from being launched a second time and kills the processes of programs on the cybercriminals’ list. The encoder installs a copy of itself on a disk and modifies the Windows system registry branch to ensure it is launched automatically.

The Trojan encrypts the contents of fixed, removable and network disks, excluding a range of folders that include service and system ones. Each disk is encrypted in a separate thread. When encryption is complete, the Trojan sends the number of encrypted files and the encryption time to the server.

The Trojan uses a command and control server whose domain name is not resolved by standard methods. To obtain the IP address of this server, the encryption ransomware executes the command “nslookup” and searches its output for the necessary information.
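The two behaviours described above, the *.GDCB extension and the “nslookup” call, can be turned into a simple triage rule. The following is an added example, not Doctor Web's code: the event format, host names, file paths and the list of expected parent processes are all constructed assumptions to be adapted to the telemetry actually collected.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the article): simplified
# process-creation ("proc") and file-creation ("file") events.
APP = r"C:\Users\bob\AppData\Roaming\sample.exe"  # hypothetical path
SAMPLE_EVENTS = [
    {"type": "proc", "host": "ws1", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nslookup.exe"},
    {"type": "proc", "host": "ws2", "parent": APP,
     "image": r"C:\Windows\System32\nslookup.exe"},
    {"type": "file", "host": "ws2", "image": APP,
     "target": r"C:\Users\bob\Documents\report.docx.GDCB"},
    {"type": "file", "host": "ws2", "image": APP,
     "target": r"D:\photos\img001.jpg.GDCB"},
    {"type": "file", "host": "ws3", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\eve\notes.txt"},
]

# Assumption: parents from which an administrator normally runs nslookup.
# Tune this allow-list to the environment.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events, min_files=2):
    """Return {host: [findings]} for the behaviours named in the article."""
    lookups = defaultdict(set)    # host -> unexpected parents of nslookup
    encrypted = defaultdict(int)  # (host, image) -> *.GDCB files written
    for ev in events:
        if ev["type"] == "proc" and basename(ev["image"]) == "nslookup.exe":
            if basename(ev["parent"]) not in EXPECTED_PARENTS:
                lookups[ev["host"]].add(ev["parent"].lower())
        elif ev["type"] == "file" and ev["target"].lower().endswith(".gdcb"):
            encrypted[(ev["host"], ev["image"].lower())] += 1
    findings = defaultdict(list)
    for host, parents in lookups.items():
        for parent in sorted(parents):
            findings[host].append(f"nslookup spawned by unexpected parent: {parent}")
    for (host, image), count in sorted(encrypted.items()):
        if count >= min_files:
            # The same process doing both is the strongest signal.
            sev = "HIGH" if image in lookups.get(host, ()) else "MEDIUM"
            findings[host].append(f"{sev}: {image} wrote {count} *.GDCB files")
    return dict(findings)
```
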

Currently, decrypting files encrypted with Trojan.Encoder.24384 is impossible. Doctor Web again reminds its users that the most reliable way to save their files is to back up all important data in a timely manner. Moreover, it is advisable to use external data carriers to store the backup copies.
