The latest version of GrandCrab ransomware uses the Vidar information stealer to steal credentials of the victim computer prior to encryption.
Vidar is a new payload equipped in GrandCrab which lets the authors to steal passwords and forms on web browsers. Additionally, it can be configured to search for particular strings such as payment card numbers and other credentials. The stolen data are compiled into a ZIP archive and sent to the attackers’ C&C server.
Furthermore, Vidar is equipped with a GUI for easy monitoring of victims and stolen data.
After credentials were stolen, GrandCrab now proceeds with the following process:
It should be noted that files encrypted by GrandCrab 5.0.4 are appended with a randomly-generated extension.
This way, by using Vidar, GrandCrab authors can earn by selling the stolen credentials in dark web forums, even if a victim refused to pay the demanded ransom.
As of now, there is no third-party decryption tool yet for victims of GrandCrab 5.0.4 and 5.0.3. However, all earlier versions can be decrypted by the tool developed by Romanian antivirus, Bitdefender. The said decryption tool can be downloaded for free under the following link address: