GANDCRAB V3 Virus Characteristics and Decryption Research

By 西数科技 Judicial Forensics Service Center | Category: Virus Prevention

Ransom note sample:

File name: CRAB-DECRYPT.txt

Infection characteristics: every file has an extension appended: .CRAB

File contents:

—= GANDCRAB V3  =—

Attention!

All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB

The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. 

The server with your key is in a closed network TOR. You can get there by the following ways:

0. Download Tor browser – https://www.torproject.org/

1. Install Tor browser

2. Open Tor Browser

3. Open link in TOR browser: http://gandcrab2pie73et.onion/f204fd37566af699                        

4. Follow the instructions on this page

                       

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

The alternative way to contact us is to use Jabber messanger. Read how to:

0. Download Psi-Plus Jabber Client: https://psi-im.org/download/

1. Register new account: http://sj.ms/register.php

    0) Enter “username”: f204fd37566af699                        

    1) Enter “password”: your password

2. Add new account in Psi

3. Add and write Jabber ID: ransomware@sj.ms any message

4. Follow instruction bot 

ATTENTION!

It is a bot! It’s fully automated artificial system without human control!

To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.

You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf 

CAUGHTION!

Do not try to modify files or use your own private key. This will result in the loss of your data forever! 
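The indicators listed above (the note name CRAB-DECRYPT.txt, the .CRAB extension and the layout of the note) are enough to scope an incident. The following triage sketch is an added example, not part of the original page or the analysts' own tooling; the function names, report fields and the sample note with its placeholder victim ID are assumptions made for this illustration.

```python
import os
import re
from collections import Counter

NOTE_NAME = "CRAB-DECRYPT.txt"  # ransom note file name reported on this page
ENC_EXT = ".CRAB"               # extension appended to every encrypted file

VERSION_RE = re.compile(r"GANDCRAB\s+(V\d+)", re.I)  # header line of the note
ONION_RE = re.compile(r"https?://([a-z2-7]{16,56}\.onion)/([0-9a-f]{16})\b", re.I)
JABBER_RE = re.compile(r"Jabber ID:\s*(\S+@\S+)")

# Constructed sample: same layout as the note above, placeholder victim ID.
SAMPLE_NOTE = """---= GANDCRAB V3 =---
3. Open link in TOR browser: http://gandcrab2pie73et.onion/0123456789abcdef
3. Add and write Jabber ID: ransomware@sj.ms any message
"""

def parse_note(text):
    """Pull version, payment host, per-victim ID and Jabber contact from a note."""
    ver, onion, jab = (r.search(text) for r in (VERSION_RE, ONION_RE, JABBER_RE))
    return {"version": ver.group(1).upper() if ver else None,
            "onion_host": onion.group(1).lower() if onion else None,
            "victim_id": onion.group(2).lower() if onion else None,
            "jabber": jab.group(1) if jab else None}

def triage(root):
    """Walk root and summarise notes, encrypted files and untouched files."""
    rep = {"notes": [], "victim_ids": set(), "encrypted": 0,
           "untouched": 0, "original_types": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME.lower():
                rep["notes"].append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    vid = parse_note(fh.read())["victim_id"]
                if vid:
                    rep["victim_ids"].add(vid)
            elif name.lower().endswith(ENC_EXT.lower()):
                rep["encrypted"] += 1
                # "report.docx.CRAB" -> ".docx": which data types were hit
                ext = os.path.splitext(name[:-len(ENC_EXT)])[1].lower()
                rep["original_types"][ext or "(none)"] += 1
            else:
                rep["untouched"] += 1
    return rep

if __name__ == "__main__":
    print(parse_note(SAMPLE_NOTE))
```

Run `triage()` against a read-only mount or forensic image of the affected volume so the scan does not alter timestamps on the evidence.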

Encryption algorithm:

Every byte of each file is encrypted, not just a portion of it; the same algorithm is used regardless of file size.

Decryption research:

Research in progress…