From bda0cd562595da01d8ad05fa3b8d719f8513610f Mon Sep 17 00:00:00 2001
From: Lilly Chalupowski
Date: Wed, 18 Jul 2018 17:11:50 -0300
Subject: [PATCH] GandCrab Ransomware Extensions

GandCrab ransomware file extensions `.CRAB` and `.KRAB`.
References:
https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files/
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
---
 modules/signatures/windows/ransomware_fileextensions.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/signatures/windows/ransomware_fileextensions.py b/modules/signatures/windows/ransomware_fileextensions.py
index 3cbf58a82..39c00e9f1 100644
--- a/modules/signatures/windows/ransomware_fileextensions.py
+++ b/modules/signatures/windows/ransomware_fileextensions.py
@@ -73,6 +73,8 @@ class RansomwareExtensions(Signature):
 (".*\.Venus(f|p)$", ["VenusLocker"]),
 (".*\.(?:WNCRY|WNCRYT|WCRY)$", ["WannaCry"]),
 (".*\.wflx$", ["WildFire-Locker"]),
+ (".*\.KRAB$", ["GandCrab v4"]),
+ (".*\.CRAB$", ["GandCrab v2"]),
 ]
 
 def on_complete(self):
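Review bot: The two added entries put a version into the family label (`["GandCrab v4"]`, `["GandCrab v2"]`), while the visible neighbours use a bare family name, so anything that groups results by that label would presumably see two families for one ransomware. Following the alternation already used on the WannaCry line, a single entry `(".*\.(?:CRAB|KRAB)$", ["GandCrab"]),` with the version mapping in a `#` comment would keep attribution consistent. The patterns are written in upper case only, and whether matching ignores case is decided in `on_complete`, whose body lies outside the hunk, so confirm there that renamed files ending in `.krab` or `.crab` are still caught. The visible context also looks alphabetically ordered by family, so the entry would read better next to the other G families than after WildFire-Locker; the list itself starts outside the hunk.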