February 5, 2018
The Trojan, which its creators dubbed “GandCrab!”, has been added to the Dr.Web virus databases under the name Trojan.Encoder.24384. It appends the extension *.GDCB to the files it encrypts. At present, two versions of this encoder are known.
Once launched on an attacked device running Microsoft Windows, Trojan.Encoder.24384 can collect information about running anti-virus processes. It then checks that no other instance of itself is already running, and terminates processes whose names appear on a list supplied by the cybercriminals. The encoder writes a copy of itself to disk and modifies a branch of the Windows registry so that this copy is launched automatically.
The Trojan encrypts the contents of fixed, removable and network drives, excluding a set of folders that includes service and system directories. Each drive is encrypted in a separate thread. When encryption is complete, the Trojan reports the number of encrypted files and the time taken to its server.
The Trojan's command and control server uses a domain name that cannot be resolved by standard means. To obtain the server's IP address, the ransomware runs the “nslookup” command and parses the required information out of its output. On an endpoint, nslookup.exe being spawned by an unknown executable rather than by an interactive shell is therefore a useful detection signal.
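The behaviours described above (an anti-virus process kill list, a copy of the Trojan registered for automatic launch, the *.GDCB extension, and nslookup used to resolve the C2 address) translate directly into host-based indicators. The following Python triage script is an added example, not Dr.Web's code or anything from the GandCrab sample itself. It runs over constructed endpoint events embedded in the script; the event format, the list of "benign" parents for nslookup.exe, the Run key as the autorun location, the domain name, file paths and registry value name are all assumptions made for the example, not details taken from the analysis.

```python
"""Triage constructed endpoint events for the Trojan.Encoder.24384 (GandCrab)
behaviours described in the article. Example code, not Dr.Web's; the event
schema and all sample values below are constructed for illustration."""
import re

# Parents from which nslookup is normally launched interactively.
# Assumption for this example: tune to your environment.
BENIGN_NSLOOKUP_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

# The article only says the registry is modified for automatic launch;
# the Run/RunOnce keys are an assumed (common) location, not a confirmed one.
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Extension the Trojan appends to encrypted files (from the article).
GDCB_RE = re.compile(r"\.GDCB$", re.IGNORECASE)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # An admin running nslookup from a console: parent is cmd.exe, benign.
    {"type": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nslookup intranet.corp"},
    # A dropped executable resolving its C2 via nslookup (placeholder domain).
    {"type": "process", "image": r"C:\Windows\System32\nslookup.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": "nslookup c2.example"},
    # Files renamed with the *.GDCB extension on two different drives.
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx.GDCB"},
    {"type": "file", "path": r"D:\photos\img001.jpg.GDCB"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
    # Autorun entry pointing at the Trojan's copy (assumed key and value name).
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\Users\alice\AppData\Roaming\updater.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (indicator, detail) if the event matches a GandCrab behaviour, else None."""
    kind = ev["type"]
    if kind == "process" and basename(ev["image"]) == "nslookup.exe":
        parent = basename(ev["parent"])
        if parent not in BENIGN_NSLOOKUP_PARENTS:
            return ("nslookup_c2_lookup",
                    f"nslookup spawned by {ev['parent']}: {ev['cmdline']}")
    elif kind == "file" and GDCB_RE.search(ev["path"]):
        return ("gdcb_extension", ev["path"])
    elif kind == "registry" and AUTORUN_KEY_RE.search(ev["key"]):
        return ("autorun_persistence",
                f"{ev['key']}\\{ev['value']} = {ev['data']}")
    return None


def triage(events):
    """All (indicator, detail) findings over a list of events."""
    return [f for f in map(check_event, events) if f is not None]


def indicator_types(findings):
    """Distinct indicator names present in the findings."""
    return {name for name, _ in findings}


def suspected(findings, min_types=2):
    """A lone nslookup or a single Run key write is common in normal use;
    require at least min_types distinct indicators before raising a verdict."""
    return len(indicator_types(findings)) >= min_types


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, detail in found:
        print(f"[{name}] {detail}")
    print("verdict:", "SUSPECTED GandCrab" if suspected(found) else "no verdict")
```

The verdict deliberately requires two distinct indicator types: nslookup.exe with an odd parent on its own is not rare on administrator workstations, but combined with *.GDCB file creation or a fresh autorun entry it is worth an immediate isolation of the host, since the article notes each drive is encrypted in its own thread and network shares are in scope.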
At present, files encrypted by Trojan.Encoder.24384 cannot be decrypted. Doctor Web once again reminds users that the most reliable way to protect their files is to back up all important data regularly. Since the Trojan also encrypts removable and network drives, backups should be kept on external storage media that are disconnected from the computer when not in use.