GandCrab Ransomware Included in Javascript Prompting to Remove V3

While monitoring the distribution process of GandCrab ransomware in Korea, AhnLab ASEC detected a feature in the distribution script that prompts the user to uninstall V3 Lite; it targets only V3 Lite.

Figure 1 – Obfuscated script code

The distribution script contains obfuscated JavaScript, as shown in Figure 1; its main function, once deobfuscated, is shown in Figure 2.

Figure 2 – Unobfuscated script code

The deobfuscated JavaScript in Figure 2 uses two techniques to run the GandCrab ransomware. The path of the GandCrab sample downloaded via the PowerShell technique (no. 2) was confirmed to be http://pastebin.com/raw/****. The internal version of all GandCrab samples is v4.3.

Execution techniques of GandCrab ransomware
1. Create and run an internally encoded GandCrab executable on the user's system
2. …

Magniber Ransomware Decryption Tool with Random Vector Recovery Feature

AhnLab's new Magniber decryption tool renews the existing tool with a GUI and now supports recovery of files that previously could not be repaired because of the variable vector found since April 8. However, it is limited to cases where an encrypted/decrypted file pair exists together with the extension and key information. The tool is designed to show the key and vector information once the encryption extension is entered. The key and vector information for each extension is managed in a database file named 'magniber.db' inside the decryption tool, which was continuously updated until it expired in October 2019. Files cannot be recovered if no key and vector information appear after entering the extension….

GandCrab Ransomware Distribution Begins in Korea

A new ransomware named GandCrab is also being distributed in Korea. The ransomware infects a PC when the user visits a vulnerable website that delivers an exploit kit. Since its first discovery, GandCrab has been distributed incessantly across the internet. Once a PC is infected by GandCrab ransomware, file extensions are changed to .GDCB and GDCB-DECRYPT.txt is created.

Figure 1. Extension change due to the ransomware

When GandCrab ransomware is executed, it copies itself to '%appdata%\Microsoft\[Randomstr{6}].exe' and adds a registry entry so that it remains on the PC and secures its persistence for execution.

File creation path: %appdata%\Microsoft\[Randomstr{6}].exe
Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Table 1. Copying the file and registering auto-run for continuous execution

Afterward, it checks whether a certain process is running and, if so, it…