GandCrab4 Ransomware
Posted: July 3, 2018
Threat Metric
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 12 |
| First Seen: | October 28, 2023 |
| OS(es) Affected: | Windows |
The GandCrab4 Ransomware is a new version of the GandCrab Ransomware, a family of file-locking Trojans that its authors market as Ransomware-as-a-Service. Because it is available 'for hire' to other criminals, the way it arrives on your PC may be unpredictable, but e-mails and brute-force attacks are the traditional techniques. Backups that protect your files, and anti-malware products that delete the GandCrab4 Ransomware immediately, are the most viable defenses against this Trojan.
A Trojan that's Back with Both More and Less to Offer
Updates to Trojan families don't always follow the same development paths that one expects of 'normal' software. Although upgrading and adding features can be useful for threat actors, they find it equally valuable to remove features or change other characteristics purely for the sake of confusing AV analytical tools. Such appears to be the case with the newest version of the GandCrab Ransomware family, the GandCrab4 Ransomware.
Unfortunately for any users who aren't backing their files up habitually, the GandCrab4 Ransomware continues locking documents and additional media formats with a secure encryption attack. However, it uses the Salsa20 stream cipher for doing so, instead of traditional choices like AES, XOR or RSA. Further examination by malware researchers is necessary for determining whether the GandCrab4 Ransomware's variation of encryption uses 256-bit or 128-bit keys (Salsa20 supports both options, but defaults to the former).
The GandCrab4 Ransomware does use minor changes to the names of its 'locked file' extensions and its ransoming messages. These updates are typical of a file-locking Trojan's next version release. However, its authors also are removing the desktop background-hijacking feature and the Command & Control server functionality from the GandCrab4 Ransomware. Potentially, the alteration could obfuscate the GandCrab4 Ransomware's identity, help it remain hidden during its attacks, or facilitate compromising PCs that guard their network connections securely, such as by using restrictive firewall rules.
Releasing Your Files from a Pincer Attack
The GandCrab4 Ransomware is readily distinguishable from old versions of its family, like the GandCrab2 Ransomware and the GandCrab3 Ransomware, by its removed features. Malware experts also recommend noting the extension that the Trojan uses ('example-locked-file.jpg.KRAB') and the name of any Notepad TXT-format ransoming messages. Paying the ransom should be the last resort, if possible, and PC users should be especially careful to back up any files that they can't afford to lose to these encryption-based attacks.
Ransomware-as-a-Service gives criminals access to file-locker Trojans like the GandCrab4 Ransomware for distributing in whatever ways they prefer. Spam e-mails and brute-force hacks against non-secure network passwords are responsible for a majority of attacks by these threats. Users should respond to infections by uninstalling the GandCrab4 Ransomware with a robust anti-malware solution and recovering their files from a backup that the Trojan has yet to compromise, such as a cloud server or USB.
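An added example, not part of the original article or any vendor tool: a Python triage script that uses the '.KRAB' extension noted above to list which files were locked (and so need restoring from backup) and when the earliest one was written. The sample tree, the SAMPLE-NOTE.txt name and the repeated-TXT-name heuristic for spotting a ransom note are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

LOCKED_EXT = ".krab"  # extension quoted on this page, compared case-insensitively

def triage(root, note_min_dirs=2):
    """Walk root and return (locked, note_candidates, first_seen).
    locked: {directory: [original names with the appended extension removed]}
    note_candidates: .txt names found in >= note_min_dirs affected directories
      (assumed heuristic: one note name repeated across many folders)
    first_seen: earliest mtime among locked files, or None if none found."""
    locked = defaultdict(list)
    txt_dirs = defaultdict(set)
    first_seen = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() == LOCKED_EXT and stem:
                locked[dirpath].append(stem)
                mtime = os.path.getmtime(os.path.join(dirpath, name))
                first_seen = mtime if first_seen is None else min(first_seen, mtime)
            elif ext.lower() == ".txt":
                txt_dirs[name.lower()].add(dirpath)
    affected = set(locked)
    notes = sorted(n for n, dirs in txt_dirs.items()
                   if len(dirs & affected) >= note_min_dirs)
    return dict(locked), notes, first_seen

def build_sample_tree(root):
    """Constructed sample data: two affected folders and one clean folder."""
    layout = {
        "docs": ["report.docx.KRAB", "budget.xlsx.krab", "SAMPLE-NOTE.txt", "todo.txt"],
        "pics": ["example-locked-file.jpg.KRAB", "SAMPLE-NOTE.txt"],
        "clean": ["notes.txt", "photo.jpg"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            with open(os.path.join(root, folder, n), "w") as fh:
                fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        locked, notes, first_seen = triage(tmp)
        for folder, originals in sorted(locked.items()):
            print(os.path.relpath(folder, tmp), "->", sorted(originals))
        print("possible ransom notes:", notes)
```

Run it against a mounted copy or image of the affected volume rather than the live system, so that file timestamps used for `first_seen` are not disturbed.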
Taking away capabilities from a functional program may seem counter-intuitive, but it can help the GandCrab4 Ransomware avoid previous AV detection efforts. While criminals continue exercising their programming creativity, innocent PC users should keep on backing their media up and minding what they download.