Malware Information

GandCrab Ransomware Distribution Begins in Korea

A new ransomware named GandCrab is also being distributed in Korea. The ransomware infects a PC when the user visits a website that serves an exploit kit. Ever since its first discovery, GandCrab has been distributed incessantly across the cyber sphere. Once a PC is infected by GandCrab ransomware, the file extension is changed to .GDCB and GDCB-DECRYPT.txt is created.

Figure 1. Extension change due to the ransomware

When GandCrab ransomware is executed, it copies itself to ‘%appdata%\Microsoft\[Randomstr{6}].exe’ and adds an entry to the registry so that it remains on the PC and secures its persistence for execution.

File creation path: %appdata%\Microsoft\[Randomstr{6}].exe
Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Table 1. Copying file and registering auto run for a continuous execution

Afterward, it checks if a certain process is running and if so, it…
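The persistence and file artefacts described above give a host-triage check. The following is an added example, not code from the original write-up: it matches exported HKCU RunOnce values against the %appdata%\Microsoft\[6 random characters].exe drop path and counts .GDCB files and the GDCB-DECRYPT.txt note. The registry value names, user name and file names are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample of HKCU\...\RunOnce values as a triage tool might export them.
# Value names and paths are made up; only the %appdata%\Microsoft\<6 chars>.exe
# pattern and the .GDCB / GDCB-DECRYPT.txt artefacts come from the write-up.
SAMPLE_RUNONCE: Dict[str, str] = {
    "OneDriveSetup": r"C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup",
    "abcdef": r"C:\Users\alice\AppData\Roaming\Microsoft\qTz9Kx.exe",
    "Updater": r"%APPDATA%\Microsoft\Ab12Cd.exe",
    "Teams": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
}

# Constructed directory listing of a user's Documents folder after infection.
SAMPLE_FILES: List[str] = [
    "report.docx.GDCB", "GDCB-DECRYPT.txt", "notes.txt", "budget.xlsx.GDCB",
]

# Accept the unexpanded %appdata% form or the expanded Roaming path, followed by
# \Microsoft\ and a six-character alphanumeric executable name, optional arguments.
_DROP_PATH = re.compile(
    r"""^"?(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)\\microsoft\\[a-z0-9]{6}\.exe"?(?:\s.*)?$""",
    re.IGNORECASE,
)


def suspicious_runonce_entries(entries: Dict[str, str]) -> List[str]:
    """Return RunOnce value names whose command matches the GandCrab drop-path pattern."""
    return sorted(name for name, cmd in entries.items() if _DROP_PATH.match(cmd.strip()))


def gandcrab_artifacts(filenames: List[str]) -> Dict[str, object]:
    """Count files renamed to .GDCB and report whether GDCB-DECRYPT.txt is present."""
    encrypted = [f for f in filenames if f.lower().endswith(".gdcb")]
    note = any(f.lower() == "gdcb-decrypt.txt" for f in filenames)
    return {"encrypted_count": len(encrypted), "ransom_note": note}


if __name__ == "__main__":
    print("Suspicious RunOnce values:", suspicious_runonce_entries(SAMPLE_RUNONCE))
    print("File artefacts:", gandcrab_artifacts(SAMPLE_FILES))
```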