GandCrab 5.0.5 ransomware – the newest variant of the infamous crypto-locker which is immune to the released decryptor

GandCrab 5.0.5 is a file locking virus that has been infecting PCs or not only regular users but also organizations all over the world since early 2018. To this date, it is estimated that the malware affected around half a million victims worldwide. Because it operates ransomware as a service scheme, many cybercriminals are employing GandCrab for money extortion purposes, which explains the immense prevalence of the threat. Recently, security researches claimed a victory against hackers by releasing a free decryptor which worked for GandCrab versions 1, 4 and 5.[1] Unfortunately, crooks are quick to recover, and this variant of malware is not decryptable.[2] Just as its predecessors, GandCrab 5.0.5 virus uses Salsa20 and RSA-2048 to encrypt data, adds .[random_5] file extension, and asks for payment in Dash or Bitcoin in [random_5]-DECRYPT.txt ransom note.
| SUMMARY | |
| Name | GandCrab 5.0.5, |
| Type | Ransowmare |
| Most recent variants | Gandcrab 5.0.1, GandCrab 5.0.2, GandCrab 5.0.3, GandCrab 5.0.4 |
| Cipher used | Salsa20 and RSA-2048 |
| File extension | .[random-5] |
| Ransom note | [random_5]-DECRYPT.txt |
| Distribution | Fallout EK, spam emails, vulnerabilities, weak RDP, etc. |
| Elimination | Use FortectIntego or SpyHunterCombo Cleaner to get rid of the virus |
GandCrab 5.0.5 ransomware uses various infiltration techniques. Looking at the infection rate alone, one can conclude that those methods are very successful. Hackers can use the following to spread the malware:
- Exploit kits (Rig, GrandSoft, Fallout)[3]
- Contaminated email attachments
- Weak RDP configuration
- Software vulnerabilities (ALPC Task Scheduler)
- Backdoor trojans
- Fake updates, etc.
As soon as GandCrab 5.0.5 virus is injected into the PC, it modifies Windows settings to retain persistence, for example, adds Windows Registry keys. Next, it starts the scan on the computer, looking for personal files to encode (note that system and few other file types are not affected). After that, GandCrab 5.0.5 ransomware contacts C&C server which is controlled by hackers and sends off the decryption key, uploading the ransom note to the victim's PC.
While GandCrab 5.0.5 ransomware removal will not return the files back to normal, it will make sure that your machine is virus-free again. Besides, as ransomware can get in with the help on a trojan horse, there is a chance that more cyber threats might be present. We recommend using FortectIntego or SpyHunterCombo Cleaner for prompt elimination, although any other reputable software that detects the infection can work as well.
GandCrab 5.0.5 uses a preset list of countries which computers the virus avoids. Among such countries are mainly post-Soviet ones, such as Russia, Belarus, Ukraine, Armenia, etc. Surprisingly, malware authors recently released a free decryptor for Syrian residents, showing sympathy to the victims of a relentless war. However, they do claim that such action is unique and will not be repeated in the future. GandCrab 5.0.5 now also includes Syria in its list of exemptions.
Nevertheless, malware authors are still criminals, and should never be trusted, even if the act mentioned above was considerate. Therefore, if you found your files encrypted by the virus, better remove GandCrab 5.0.5 ransomware from your PC and attempt to recover your files with the help of third-party software, if you have not kept backups of your data.

Be attentive while browsing the internet, it will help you avoid ransomware attacks
Ransomware, among all the other cyber threats, is one of the most impactful and prevalent viruses in the existence because it can result in permanent data loss and disrupt the operation of the vital sectors like healthcare units or the aircraft plants. WannaCry was one of the most successful ransomware attacks in history, showing cybercriminals that the potential of such malware is immense.
Those who infect their machines are very unlucky. Putting luck aside, many things can be done to prevent the infiltration. Experts suggest to do the following:
- Beware of phishing emails, do not open attachments or click on hyperlinks inside – these actions can result in the immediate payload execution on your machine;
- Update your software as soon as security patches come out. This way, exploit kits will not be able to penetrate your system;
- Protect your RDP by using strong passwords and VPN;
- Avoid file-sharing and torrent sites. Malware can be disguised as legitimate executables;
- Employ sophisticated security software to prevent viruses from entering.
Get rid of GandCrab 5.0.5 ransomware and only then attempt file recovery
Unfortunately, if you got infected with the latest variant of GandCrab virus family, the files cannot be decrypted without the original key. Nevertheless, contacting and paying cybercriminals is not an option, as you might get scammed and lose your money (hackers might ask as much as $2400).
Therefore, if you noticed that your files are encrypted, do not panic. There is still a possibility to recover your data, even if you have not kept any backups. See the below instructions on how to use third-party software for that. Nevertheless, before you proceed, you need to take care of GandCrab 5.0.5 virus removal.
You should not try to remove GandCrab 5.0.5 ransomware manually, as the procedure requires professional tools. We suggest using FortectIntego or SpyHunterCombo Cleaner for the purpose, although other reputable security applications will work as well.
Was this guide helpful?
Be the first to comment