360 Total Security Blog

New findings on GandCrab ransomware V5.0.5

Recently, 360 Security Center detected that the GandCrab ransomware is back, attacking Windows-based servers and PCs. We also found that if it detects that the computer system is using the Russian language, it stops the intrusion. In addition, we recently discovered that GandCrab will stop attacking war-torn areas.

On 16th October, a Syrian user said on Twitter that GandCrab ransomware encrypted his computer files. Because he couldn’t afford to pay the ransom of up to $600, he could no longer see the photos of the younger son who lost his life because of the war.

The ransomware authors posted an apology and released the decryption keys for all infected Syrian victims. GandCrab was also updated to V5.0.5 to exclude Syria from the list of infected areas.

In recent years, GandCrab has gradually broadened its infection channels. Early versions spread through webpages, but later versions of GandCrab have also come to use garbled mail, mobile storage tools, and camouflage or other ransomware. Its encryption process is also becoming more and more refined.

Once the host machine is successfully infected, the ransomware changes the file suffix to 5 random letters, encrypts multiple types of files on the device, and leaves a ransom note on the desktop asking the user to pay in Bitcoin or Dash.
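A triage sketch for the suffix behaviour described above, added here as an example and not 360's detection logic: it flags any five-letter suffix outside an allowlist of ordinary extensions that shows up on several files in more than one directory. The thresholds, the allowlist, the sample paths and the assumption that one host sees a single shared suffix are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

FIVE_LETTERS = re.compile(r"[a-z]{5}")

# Ordinary file types that are five letters long (constructed allowlist;
# extend it for the software used in your environment).
KNOWN_EXTENSIONS = {"accdb", "class", "xhtml", "shtml", "blend",
                    "jsonl", "plist", "patch", "props"}

# Constructed file listing, e.g. the output of a recursive directory walk.
SAMPLE_LISTING = [
    r"C:\Users\amal\Documents\budget.xlsx.qhzpv",
    r"C:\Users\amal\Documents\thesis.docx.qhzpv",
    r"C:\Users\amal\Pictures\family\img_0012.jpg.qhzpv",
    r"C:\Users\amal\Pictures\family\img_0013.jpg.qhzpv",
    r"C:\Users\amal\Desktop\notes.txt",
    r"C:\Users\amal\Projects\app\Main.class",
    r"C:\Users\amal\Projects\app\Util.class",
    r"C:\Users\amal\Projects\app\Db.class",
    r"C:\Users\amal\Downloads\setup.exe",
]


def triage(paths, min_files=3, min_dirs=2):
    """Map each suspicious suffix to (file count, directory count).

    A suffix is suspicious when it is exactly five letters, is not a known
    file type, and is shared by at least `min_files` files spread over at
    least `min_dirs` directories. Spread across directories is what
    separates bulk renaming from one application's own data files.
    """
    counts = defaultdict(int)
    dirs = defaultdict(set)
    for raw in paths:
        path = PureWindowsPath(raw)
        ext = path.suffix[1:].lower()
        if not FIVE_LETTERS.fullmatch(ext) or ext in KNOWN_EXTENSIONS:
            continue
        counts[ext] += 1
        dirs[ext].add(path.parent)
    return {ext: (n, len(dirs[ext])) for ext, n in counts.items()
            if n >= min_files and len(dirs[ext]) >= min_dirs}


if __name__ == "__main__":
    for ext, (files, folders) in triage(SAMPLE_LISTING).items():
        print(f".{ext}: {files} files in {folders} directories")
```

A hit is a reason to isolate the host and inspect the files, not proof of a particular ransomware family.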

As an excellent network security company, in May of this year, Qihoo 360 first launched the world’s largest distributed intelligent security system, 360 Security Brain, which can focus on global network security trends in real time through technologies such as artificial intelligence, big data and cloud computing.

In this ransomware attack, 360 Security Brain cooperated with 360 Security Team, and the corresponding solution was launched at the beginning of the GandCrab 5.0 outbreak.

It scans the encrypted files on the computer to confirm the type of encryption and so determine which ransomware caused the infection. The user can then quickly recover the affected files with a single click on one-click decryption.

After the encrypted files are restored, the user can scan the computer with 360 Total Security for comprehensive defense across multiple dimensions, such as weak automatic detection, remote login protection, vulnerability intrusion prevention, and document protection. At present, 360 Total Security fully supports the decryption and removal of GandCrab 4.0/5.0/5.0.2/5.0.3.