GandCrab v2 – the second version of the notorious ransomware virus which is asking 500 USD to recover victim's files

GandCrab v2 ransomware is a cryptovirus which has been developed soon after the GandCrab – one of the most aggressive forms of ransomware.[1] Just like its predecessor, the new version is distributed via Seamless malvertising campaign leading victims to RIG exploit kit. Nevertheless, it can also be disguised under HoeflerText Font Update scam[2] pop-ups. Upon successful infiltration, ransomware appends .CRAB file extension to each locked file and generates a CRAB-DECRYPT.txt ransom note.
| Name | GandCrab v2 |
|---|---|
| Type | ransomware |
| The predecessor | Gandcrab ransomware |
| Distribution techniques |
|
| Ransom amount | 500 USD |
| Currency | Dash |
| File extension | .CRAB |
| Ransom note | CRAB-DECRYPT.txt |
| Elimination | Use FortectIntego to get rid of Gandcrab or any its versions |
The malware redirects its victims to TOR site, which contains instructs the victim what they have to do to decrypt locked files. While the original variant of GandCrab2 demanded 1200 USD in Dash coins,[3] the new version detected at the beginning of March 2018 asks for 500 USD in Dash coins.
However, specialists mock the attempt of GandCrab2 virus developers to maximize profit since the virus can be decrypted using a free GandCrab decryptor available at NoMoreRansom. However, crooks provide a link to a decryption tutorial on NoMoreRansom and scare people by falsely claiming that the tool won't decrypt files. Contrary, it will make data undecryptable. Nevertheless, experts point out that the GandCrab2 (version 1.0.0r) and the GandCrab (v2.3.*) belong to the same group and can be decrypted in the same way.
To protect yourself from GandCrab2 ransomware attack, be careful with .doc file email attachments. Despite the fact that such spam emails can be sent by official authorities or other pretend-to-be legitimate sources, by opening a .doc file attached to a suspicious email can run a PowerShell script, which creates a sct5.txt or 128384.txt file, which connects to the remote server and download the ultimate GandCrab2 ransomware payload. In case of HoeflerText Font Update scam attack, the system gets infected with Font_Update.exe file, which subsequently downloads a g.js scrip and remote access tool known as NetSupport Manager remote access utility, which executes the ransomware completely.
Those whose files have already been encrypted by .CRAB file extension virus should immediately remove GandCrab2 virus. For this purpose, we recommend using FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes tool as they are powerful enough to detect and neutralize all related components. Following successful GandCrab2 removal, you should download a free decryptor provided in NoMoreRansom and decrypt your files with it.

Cybercrooks distribute viruses via malspam campaigns and fake updates
The developers of malicious cyber infections are accustomed to the use of exploit kits. Their purpose is to detect the vulnerabilities on the targeted system and open the back door for the cyber infections to enter the system quickly. This particular ransomware relies on the combination of two exploit kits – RIG and GrandSoft.[4]
Typically, people are exposed to the exploit kits by sending them malicious emails with infected .doc file attachments. Spam emails are developed in a way to mimic well-known brands or official institutions. In this particular case, people get an email message with the subject Receipt Feb-21310 [ random numbered] sent by [ransom name ]@cdkconstruction.org. Most of the victims reported that such email does not expatiate on the subject, but only indicate the fact that “DOC attached.” Beware that the type of the attached file might also differ, but usually, the file extension is somewhat suspicious ( .EXE, .COM, .PIF, .SCR, .HTA, etc.).
Apart from malspam, people can end up with this ransomware after downloading a fake “Chrome Font Pack” on hacked websites. People can be exposed to compromised domains by mistyping domain's name or after clicking on infected ads. The hacked website displays a scrambled text by default and generates a notification saying that “The “HoeflerText” font wasn't found” and urges people to install the fake font pack to see the content of the website normally.
GandCrab2 removal tutorial
Manual GandCrab2 removal is not possible. In general, ransomware virus cannot be eliminated manually as they inject multiple files, corrupt registries, change startup settings, and initiate other system's changes to evade easy detection and removal.
To remove GandCrab2 virus and get back the data, experts from senzavirus.it[5] recommend people to download FortectIntego, SpyHunterCombo Cleaner, MalwarebytesMalwarebytes or another reputable anti-malware tool. If you are currently using one, make sure to update its definitions before running a scan.
Don't fall into a panic if you cannot launch your anti-virus. The gandcrab2 virus can use helper objects that block any security-related tool. In this case, you should try to boot the system into Safe Mode with Networking or a couple of other methods to bypass ransomware's code. You can learn how to create safe environment on your computer before you start the removal of GandCrab v2 below. After you recover the data by following the step-by-step instructions below.
Was this guide helpful?
Be the first to comment