A new type of ransomware isn’t distributed through the usual fake emails with file attachments. Instead, the cyber criminals try to convince software pirates to download and install game and software cracks. When users download the .exe file, they think they download a crack. In reality, they’ve downloaded the GandCrab 4 ransomware that becomes active when the file is executed.
GandCrab does not infect Windows computers with the usual method where specially crafted malicious Word documents are disguised as e.g. an invoice and attached to fraudulent emails. Instead, the ransomware hides behind software cracks, according to security researchers from Sensor Techforum.
Internet pirates are looking for cracks to circumvent the copy protection of paid software. This allows them to illegally use the software for free. Pirates that download GandCrab ransomware-prepared cracks won’t be able to use the software for free and infect their own computer with the ransomware variant.
The cybercriminals behind the crack trick usually create WordPress sites where users think they can download cracks from. Usually users end up on the pages from an internet search. If they fall for the trick and download and install the ransomware-infected file from such a site, the ransomware becomes active. Gandgrab uses the Salsa20 algorithm, which currently can’t be cracked. The only way to get the files decrypted is to pay the ransom. Besides encrypting local files, GandCrab 4 can also encrypt files on network shares.
Users who want to protect themselves against ransomware attacks should make sure their OS and security software is up-to-date. They also shouldn’t open files from untrusted sites and also shouldn’t open attachments from unknown recipients. When the ransomware is properly coded, the only way to get the encrypted files back without paying, is restoring files from a backup.