The fifth version of GandCrab ransomware marks encrypted files with an extension formed from five random letters

The GandCrab file-encrypting ransomware has a new version that automatically detects the language of your OS

The notorious ransomware family has grown with the latest release, GandCrab v5. This crypto-demanding ransomware has a few features that are new for the family. The virus detects the language of your Windows installation and shows the ransom note in that language, if one is available. The ransom note is displayed after a successful encryption process, during which your files are marked with five random letters.

This ransomware family has been known for a while now and uses both AES and RSA encryption algorithms. The latest variant employs Salsa20 and RSA-2048, army-grade encryption methods, to lock users’ data. After this, the encoded files get a randomly formed appendix, and the ransom message is placed on the system. An HTML file named after the pattern [uppercased extension]-DECRYPT.html appears in every folder containing encrypted data.
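The naming pattern described above gives defenders a simple file-system indicator. The following is an added example, not code from the original article: it walks a directory tree and reports folders that contain both a note matching [uppercased extension]-DECRYPT.html and files carrying the same five letters as their extension. The function names and the sample file names are hypothetical and constructed for illustration.

```python
import os
import re
import tempfile

# Note name per the article: the five-letter extension, uppercased,
# followed by "-DECRYPT.html".
NOTE_RE = re.compile(r"^([A-Z]{5})-DECRYPT\.html$")


def find_gandcrab_v5_indicators(root):
    """Return one dict per folder that holds both a ransom note and at
    least one file whose extension matches the note's five letters."""
    hits = []
    for folder, _dirs, names in os.walk(root):
        for note in names:
            m = NOTE_RE.match(note)
            if not m:
                continue
            ext = "." + m.group(1).lower()
            # Compare case-insensitively: the article only says the note
            # uses the uppercased form of the extension.
            marked = sorted(n for n in names if n.lower().endswith(ext))
            if marked:  # a note alone is not treated as a match
                hits.append({"folder": os.path.relpath(folder, root),
                             "note": note, "ext": ext, "files": marked})
    return sorted(hits, key=lambda h: (h["folder"], h["ext"]))


def build_sample_tree(root):
    """Constructed sample data: file and folder names are made up."""
    layout = {
        "docs": ["report.docx.kqzvx", "budget.xlsx.kqzvx", "KQZVX-DECRYPT.html"],
        "clean": ["notes.txt", "photo.jpg"],
        "stray": ["ABCDE-DECRYPT.html", "readme.txt"],  # note, no marked files
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_gandcrab_v5_indicators(tmp):
            print(hit["folder"], hit["note"], hit["ext"], hit["files"])
```

Requiring the note and the matching extension together keeps an unrelated file that merely happens to be named like a note from raising an alert on its own.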

Ransom note developed in different languages

All data-encrypting cyber threats designed to extort money from the user create a ransom file immediately after file encryption. Often this text or HTML file contains more details about the attack and instructions for further actions. The GandCrab v5 ransomware message includes a few sentences about installing the TOR browser.

When you open the suggested window, the message there is displayed in the language the victim’s OS is set to. The ransom note then states the specific ransom amount, the currency, and the time left to make the payment if you want to get your data back. However, this language-detecting feature is not typical of previous versions of the family. It is possible that the newest version of GandCrab has this feature because it is geared to attack devices all over the world. Unfortunately, this version is not decryptable, so you need to have backups to restore your encrypted files.

Various methods to distribute data-locking ransomware

While there is no detailed information about how GandCrab v5 ransomware specifically is distributed, there are a few common ways to spread all kinds of cyber threats. Unfortunately, all of these methods are silent and unnoticeable, so you need to pay more attention and be cautious if you want to avoid a repeat infection.

The most common way malware spreads is through spam email attachments. Various safe-looking documents can carry embedded macros and deliver the malicious payload directly. Phishing email campaigns are widely used to inject ransomware into the system. This method works because the malicious activity is masked behind a well-known service or company name and a Word or Excel file attachment named “Invoice” or “order information”.