
Remove GandCrab 3 ransomware (Removal Instructions) - Jul 2018 update

Removal by Olivia Morelli | Type: Ransomware

GandCrab v3 – dangerous ransomware virus hailing from the infamous GandCrab family


GandCrab 3 is a crypto-virus[1] that functions as the third version of the notorious GandCrab ransomware. At the end of April 2018, only a couple of months after the release of GandCrab 2, hackers struck again with renewed strength, targeting PC users in Russia, Belarus, Kazakhstan, and Ukraine in particular. GandCrab v3 uses AES-256 (CBC mode) + RSA-2048 encryption to lock personal files and subsequently marks them with the .CRAB file extension. The file CRAB-DECRYPT.txt serves as the ransom note, which contains an explicit guide on how the victim has to pay the ransom. Only Bitcoins are accepted.

Name: GandCrab 3
Versions: GandCrab, GandCrab 2
Classification: Ransomware
File extension: .CRAB
Ransom note: CRAB-DECRYPT.txt
Main symptoms: Personal files inaccessible, ransom note created on the desktop, slow PC, compromised desktop wallpaper, browser redirects to payment website
Main dangers: It compromises the system and can cause a severe crash. Personal files may be permanently deleted. Money loss

Removing ransomware manually is not possible. To get rid of it, you should use a professional anti-malware tool like Reimage Reimage Cleaner Intego.

At the very end of April 2018, cybersecurity experts detected a sample of the GandCrab v3 ransomware. Genealogically, its predecessors are GandCrab and GandCrab 2 versions, both of which appeared to be extremely successful from the perspective of the crooks.[2] The initial release managed to collect more than 600,000 USD within less than four months.

While the initial variant can already be decrypted, v2 cannot. A GandCrab 3 decryptor is not yet available either.
Currently, it's not yet one hundred percent clear what distribution techniques cybercriminals use to spread this malware. However, based on the information collected about it, the following methods may be used:

  • Magnitude Exploit Kit;
  • Rig Exploit Kit;
  • GrandSoft Exploit Kit;
  • Seamless malvertising campaign;
  • Receipt Feb-21310 [random numbers] attachment of spam email;
  • Fake Hoefler text font updates;
  • Hacked Remote Desktop Services, etc.

Upon encryption, the GandCrab 3 virus changes the boot sequence, eliminates Volume Shadow Copies using Command Prompt and PowerShell as admin, and then runs the AES-256 (CBC mode) + RSA-2048 encryption algorithm. In the background of the system, the malware runs random.exe. It may also hijack the explorer.exe file and force the system to restart to finish up the encryption.
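As an added illustration (not code from the original article), here is a small detector that flags shadow-copy deletion and boot-recovery changes in process command lines. The article does not name the commands GandCrab 3 runs, so the patterns, the log format and the sample events are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumption: the article names no commands, so these patterns cover the stock
# Windows utilities able to delete shadow copies or alter boot recovery.
RULES = {
    "vssadmin_delete": r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    "wmic_shadowcopy_delete": r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "powershell_shadowcopy_delete": r"\bpowershell(\.exe)?\b.*win32_shadowcopy.*\bdelete\b",
    "bcdedit_recovery_change": r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled|bootstatuspolicy)\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

# Constructed process-creation events: "timestamp|host|command line".
SAMPLE_EVENTS = """\
2018-05-02T09:14:01|WS-017|C:\\Windows\\System32\\cmd.exe /c vssadmin delete shadows /all /quiet
2018-05-02T09:14:03|WS-017|wmic.exe shadowcopy delete
2018-05-02T09:14:09|WS-017|bcdedit /set {default} recoveryenabled no
2018-05-02T10:02:44|SRV-02|vssadmin.exe list shadows
2018-05-02T11:30:12|WS-031|powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
"""

def match_rules(cmdline):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]

def triage(log_text):
    """Group hits per host; two or more distinct rules on one host is 'high'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        # maxsplit=2 keeps any '|' inside the command line intact
        ts, host, cmdline = line.split("|", 2)
        for rule in match_rules(cmdline):
            hits[host].append((ts, rule))
    return {
        host: {"severity": "high" if len({r for _, r in ev}) >= 2 else "medium",
               "events": ev}
        for host, ev in hits.items()
    }

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result["severity"], [rule for _, rule in result["events"]])
```

Listing shadow copies (the SRV-02 event) is ordinary administration and is deliberately not flagged; only deletion and recovery changes are.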

Just like the previous version, it appends the .CRAB file extension to the encoded files. It targets more than 250 file types, including the most popular (.jpg, .png, .doc, .pdf, .avi, .docx, etc.). Once the files are encrypted, the virus generates a ransom note called CRAB-DECRYPT.txt. It says:

All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB
The only method of recovering files is to purchase a private key. It is on our server, and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
0. Download Tor browser –
1. Install Tor browser
2. Open Tor Browser
3. Open link in TOR browser:
4. Follow the instructions on this page
On our page, you will see instructions on payment and get the opportunity to decrypt 1 file for free.
The alternative way to contact us is to use Jabber messanger. Read how to:
0. Download Psi-Plus Jabber Client:
1. Register new account:
0) Enter “username”: 21b1a2d1729f0695
1) Enter “password”: your password
2. Add new account in Psi
3. Add and write Jabber ID: any message
4. Follow instruction bot
It is a bot! It's fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
You can read instructions how to install and use jabber here
Do not try to modify files or use your own private key. This will result in the loss of your data forever!

Unlike the two previous versions, which accepted the DASH cryptocurrency, the latest version demands that victims pay the ransom in Bitcoins. Besides, malware researchers found out that the provenance of GandCrab-3 is Romania.

If you have the slightest suspicion that you're infected with this ransomware, make sure to remove GandCrab 3 from the system ASAP. For that, we recommend using Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes antivirus tools. As long as the ransomware stays installed, you won't be able to recover your files without paying the ransom.

Upon GandCrab v3 removal, you should try to retrieve files locked with .CRAB file extension with the help of third-party data recovery tools or try to enable a previous Windows version. You can find a full guide on how to recover files encrypted by ransomware at the end of this article.
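An added example, not part of the original guide: a read-only scan that uses the two indicators described above, the .CRAB extension and the CRAB-DECRYPT.txt note, to list affected folders, recover original file names and estimate when encryption started. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_EXT = ".crab"         # extension GandCrab 3 appends (compared lowercased)
NOTE_NAME = "crab-decrypt.txt"  # ransom note name (compared lowercased)

def assess(root):
    """Summarise .CRAB files and ransom notes under root, per directory."""
    report, times = {"dirs": {}, "notes": [], "earliest": None}, []
    for dirpath, _subdirs, files in os.walk(root):
        encrypted, intact = [], []
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                report["notes"].append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(name)
            else:
                intact.append(name)
                continue  # intact files say nothing about when encryption ran
            times.append(os.path.getmtime(path))
        if encrypted or intact:
            report["dirs"][os.path.relpath(dirpath, root)] = {
                "encrypted": encrypted, "intact": intact,
                "originals": [n[:-len(ENCRYPTED_EXT)] for n in encrypted],  # pre-infection names
            }
    if times:  # earliest change time approximates the start of encryption (UTC)
        report["earliest"] = datetime.fromtimestamp(min(times), timezone.utc)
    return report

def build_sample_tree(root):
    """Constructed sample data: a small tree of encrypted and intact files."""
    layout = {"Documents": ["report.docx.CRAB", "budget.xlsx.CRAB", "CRAB-DECRYPT.txt"],
              "Pictures": ["holiday.jpg.CRAB", "CRAB-DECRYPT.txt"],
              "Tools": ["notes.ini"]}
    start = datetime(2018, 5, 2, 9, 15, tzinfo=timezone.utc)
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for offset, name in enumerate(names):
            path = os.path.join(root, folder, name)
            open(path, "wb").close()
            os.utime(path, (start.timestamp() + offset,) * 2)
    return start

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(assess(tmp))
```

Point `assess()` at a user profile or a mounted share; the earliest timestamp helps pick a restore point or backup that predates the infection.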

GandCrab 3 - a new strain of GandCrab ransomware that uses .CRAB file extension and demands a ransom in Bitcoins

Criminals may use multiple techniques to spread malware[3] team claim that this particular ransomware is not very likely to confine itself to one distribution method. Since it has not reached mainstream distribution yet, it's difficult to name the whole list of techniques precisely.
Nevertheless, people should be careful with the Receipt Feb-21310 [random numbers] attachment sent from [random name]. As soon as you spot a suspicious email from an unknown sender, we highly recommend that you report it as spam immediately.

Exploit kits, including Magnitude, RIG, and GrandSoft, are also known for being widely used ransomware carriers. To prevent malicious software from exploiting your PC's vulnerabilities, make sure to install all system updates and patches.

Last, but not least, be careful with free downloads on the net. It has been found that many suspicious and illegal websites contain fake software update downloads. One of the examples used to spread the ancestor of this ransomware is the fake Hoefler TextFont. The potential victim is redirected to a hacked website, which displays scrambled text and a pop-up alert urging them to download the latest font update to see the content.

GandCrab-3 removal options

There's only one possibility to remove GandCrab v3 ransomware from the system. It's called automatic since it requires the usage of a professional anti-malware program. Manual removal, when you try to get rid of malicious files by yourself, is practically impossible unless you don't mind damaging the system and the encrypted files permanently. 

Instead of eliminating malicious files manually, we strongly recommend that you use a professional security program, for example Reimage Reimage Cleaner Intego. Upon successful GandCrab 3 removal, try to recover your files using the data recovery methods listed below.

Note that each of Gandcrab ransomware's versions has been trying to disable anti-virus/anti-malware scanners to prevent their removal from the system. No matter which version you have on your computer, try following the guide below to know what should be done if you want to create a safe environment for virus removal:


To remove GandCrab 3 virus, follow these steps:

Remove GandCrab 3 using Safe Mode with Networking

The ransomware can block you from removing it. In this case, you should restart your PC into Safe Mode with Networking. For this purpose, do the following:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove GandCrab 3

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete GandCrab 3 removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove GandCrab 3 using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of GandCrab 3. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that GandCrab 3 removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove GandCrab 3 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Unfortunately, your files won't be recovered after GandCrab 3 removal. Upon virus elimination, you should employ third-party data recovery tools. Our recommended options are provided here:

If your files are encrypted by GandCrab 3, you can use several methods to restore them:

Employ Data Recovery Pro

Data Recovery Pro is a reliable software utility capable of recovering data lost due to a ransomware attack, accidental deletion or a system crash.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab 3 ransomware;
  • Restore them.

Enable Previous Windows version

If you are using the System Restore function, the system should automatically create System Restore Points. Of course, you can also create these points yourself. To check whether it's possible to recover files using the previous version feature, follow these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.


ShadowExplorer won't help since the ransomware deletes the Volume Shadow Copies. 

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor available for Gandcrab v3

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from GandCrab 3 and other ransomware, use a reputable anti-spyware tool, such as Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Back up files for later use in case of a malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to update your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device cause data or performance corruption. Make file backups a daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author
Olivia Morelli - Ransomware analyst
