Malware warning: Gandcrab sent via fake application emails

The Trojan Gandcrab is currently distributed through fake application emails. The malware encrypts all data on a PC and demands ransom. You can protect yourself if you act carefully.

How do I recognize emails that distribute Gandcrab?

The fake application emails that distribute Gandcrab share certain characteristics according to CERT BWL.

  • They might have the following subject line (usually in German):

    Betreff: "Bewerbung auf die ausgeschriebene Stelle - Nadine Bachert"

    The names at the end vary.
  • They often contain a short introduction:

    Sehr geehrte Damen und Herren,
    anbei erhalten Sie meine Bewerbung für Ihre ausgeschriebene Stelle. Warum ich die Stelle optimal ausfüllen kann und Ihrem Unternehmen durch meine Erfahrung im Vertrieb und der Kundebetreuung zahlreiche Vorteile biete, entnehmen Sie bitte meinen ausführlichen und angehängten Bewerbungsunterlagen.
    Ich freue mich auf ein persönliches Vorstellungsgespräch.
    Mit besten Grüßen
    Nadine Bachert
  • Most of the time, a portrait photo of a young woman is attached.
  • In addition, a .zip file which contains an .exe file, is attached. If this .exe file is executed, the malware encrypts the computer's data and demands ransom.


How can I protect my PC?

According to, only Windows PCs are endangered by Gandcrab at present. Nevertheless, the following advice is also useful for users of other operating systems.

  • If you receive an email with an executable file (most of the time an .exe file packed into a .zip file), please do not execute this file, especially if you are not expecting any file. If you are expecting a file, please call the sender and ask for a description of the file before you open it.
  • In general, please be suspicious of emails which contain attachments and links. If you have the slightest doubt about an email's credibility, please call the sender to verify the email. As it is very easy to fake sender addresses, this caution also applies to emails from people you know.
  • If the email is not trustworthy, please delete it by pressing the key combination shift+del. By doing this, the email is deleted permanently.


What can I do if my PC has already been infected?

Do NOT pay the ransom that is demanded! Instead, if you are a member of Heidelberg University, please contact the staff unit IT Security at the URZ.

The URZ ensures that the server's spam and virus filters recognize most of the dangerous emails before they reach your inbox. Nevertheless, new malware crops up all the time, so that our filters are not always able to recognize current threats. In such cases, the respective software manufacturers need to adjust the filter definitions and provide the appropriate updates. Hence, in order to protect yourself, it is very important to treat incoming emails with a healthy caution.


Bild: Ransomware