FortiGuard Labs Threat Research

GandCrab V3 Accidentally Locks Systems with New ‘Change Wallpaper’ Feature

By Joie Salvio | May 04, 2018

GandCrab is one of the most talked about ransomware families this year primarily due to its increasing distribution volume, as we described in our previous article. At the end of last month, FortiGuard Labs discovered a new spam wave from the same campaign delivering the latest version, GandCrab v3.

In this new version, following in the footsteps of past infamous ransomware families such as Locky and Sage, this latest version now also changes the wallpapers of its victims. However, when we analyzed this new feature we found a bug that can be detrimental to its goals, as well as more frustrating to its unfortunate victims.

New Spam Wave, Same Old Tricks

The attack chain is practically the same as the one discussed in our previous article. Only this time, it uses Visual Basic Scripts as downloaders instead of Java Scripts.

Fig.1 KTIS’ visualization of spam mails with attached VBS scripts downloading GandCrab v3

Same goes for the email content. The next figure shows a sample spam email that was caught by FortiMail delivering the latest version of this malware.

Fig.2 Sample email from this spam wave caught by FortiMail

From Wallpaper Change to Accidental Screen Lock

As mentioned, GandCrab now also changes its victim’s Desktop wallpapers to display a ransom note, a tactic which has long been used by other ransomware families. It’s as if seeing strange filename extensions and unusable files, not to mention actual ransom notes in every directory, are not enough signs of the device being infected. Even worse, however, we found a bug in this new feature when we tested it with Windows 7.

After this malware has encrypted the victim’s files, it forces the system to reboot. On our tests with Windows 10 and Windows 8.1 systems, the malware was able to change the wallpaper and the systems were able to start up normally, as expected. 

Fig.3 Windows 10 infected with GandCrab v3 after reboot

On Windows 7 however, for some reason booting does not finish but instead gets stuck at a point before the Windows Shell is completely loaded. That means an infected user would not have the Windows interface to interact with, rendering the entire machine seemingly unusable – reminiscent of the old lock screen ransomware behaviour. Only the ransom note wallpaper and TOR Browser download site can be seen by the user.

We know this wasn’t intentional because the instructions on the ransom note tells the user to read a copy of one of the“CRAB-DECRYPT.txt” ransom notes scattered around the system for further instructions. And for the average user, that would at least require the Windows interface to do it.

Fig.4 GandCrab ransom note text

One way to force the reboot to proceed is by executing the Task Manager through the keyboard (CTRL+SHIFT+DEL) and terminating the malware process. Although for an average user, finding an actual malware from the list of running processes can be a complicated undertaking. Furthermore, this malware has an autorun mechanism, which means it will just execute again upon reboot. So to prevent the “lock screen” in subsequent reboots, after the user terminates the process the malware executable located in APPDATA%\Microsoft\<random chars>.exe (e.g. gvdsvp.exe) must be deleted. Deleting its autorun registry is also recommended:

SubKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

Name: <random chars> (e.g. solmnyduktr)

Value: %APPDATA%\Microsoft\<random chars>.exe (e.g. gvdsvp.exe)// Placeholder

Fig.5 Infected Windows 7 screen after reboot


Seeing a ransom note and realizing that all of your files are gone is frustrating on so many levels. And it’s even more frustrating (if that’s even possible) when on top of that you also lose your access to the machine. Malware flaws with unintended consequences are really quite common, which is another reason why being extra cautious with unsolicited emails is very important. As a general rule, any unexpected emails with attachments (an executable or a document) must be scanned and verified first before opening. And as always, create isolated backups for your important files.

GandCrab’s new feature does not work well across the board. But the fact that the actors behind it are actively developing it says something about the level of motivation that they have in carrying out their criminal enterprise. And it makes this malware campaign even more dangerous.

-= FortiGuard Lion Team =-



Fortinet users are protected with the following solutions:

·       Emails are blocked by our FortiMail FortiGuard Virus Outbreak Protection Service

·       Files in the attack chain are detected by FortiGuard Antivirus

·       Malicious download URLs and C2s are blocked by our FortiGuard Web Filtering Service

·       FortiSandbox rates any execution point in the attack chain as “High Risk”



GandCrab V3

4fb5ea4fd30838756fa643c399c3d82e952f60e25de4127c4d0b9849dc617d1e (GandCrab v3) - W32/GandCrab.KAD!tr.ransom







VBS Downloaders

59e1a31e8ee30f00baf230d25e6b655d3779fbbcba1b2c109864520e51156960 -

7be804f1918cb6f6519642270f81ccd8558021931832438313891081cdd3eb78 -

389e1b29a38a1a2f65d36a7c8308eb7dc321fa2431652a5993a13ef6a6992578 -


Added Registry

SubKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

Name: <random chars> (e.g. solmnyduktr)

Value: %APPDATA%\Microsoft\<random chars>.exe (e.g. gvdsvp.exe)



http[:]// (download URL)

carder.bit (C2) (DNS Server)




Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.