Gandcrab: LKA warns against new blackmail Trojan

The LKA warns of the blackmail Trojan Gandcrab, which is cleverly hidden in a job-application e-mail. It encrypts files and demands a ransom.

The LKA Lower Saxony warns of the Gandcrab blackmail Trojan, which has turned up first and foremost as a fake job application. Trojans of this kind are usually distributed via exploit kits, other malware or, as in this case, e-mail attachments. At the moment, hackers are sending e-mails to personnel departments and presenting themselves as applicants.

The application also includes photos that have been stolen from the internet. In the cases known so far, the name of the person photographed does not match the information in the mail text.

The cybercriminals attach further “application documents” as a ZIP file. Anyone who opens it and runs the .exe file it contains unleashes the blackmail Trojan. As the security experts at G Data have found out, the hackers use Salsa20 symmetric encryption to encrypt the files. Currently, only 26 of 65 antivirus programs detect the virus, according to the LKA. As is usual with blackmail Trojans, the hackers demand a ransom for the decryption code after encrypting the system. The victims are asked to pay the sum in Bitcoin.

Anyone who falls victim to such an attack should not comply with the ransom demands: the risk that the hackers will not send a decryption code is too high. In addition, affected parties must disconnect their system from the network as quickly as possible. Otherwise, the blackmail Trojan could spread to other computers. To prevent such incidents, security expert Tim Berghoff of G Data advises opening applications on a separate PC that is not connected to the rest of the corporate network. Caution is generally advised with e-mail attachments.