Severity scale: 98/100

GandCrab 5.0.2 ransomware. How to remove? (Uninstall guide)

Removal guide by Jake Doevan | Type: Ransomware

GandCrab 5.0.2 — yet another version of GandCrab ransomware that emerged together with three other versions

GandCrab 5.0.2 ransomware is a cyber threat that focuses on data encryption and ransom demanding.

GandCrab v5.0.2 ransomware is a malicious cryptovirus that locks data using the Salsa20 and RSA-2048 encryption algorithms. It emerged together with GandCrab 5 and follows the same pattern of generating the file extension from random characters. To mark files encrypted by GandCrab 5.0.2, the virus takes 10 random letters or less and places them at the end of each file name. According to one of our victims, his files were marked with the .bundvvi file extension, but other victims found .wrvoqvipr and similar random characters added to their encrypted data. After this encryption[1] procedure is finished, the virus also creates a text file whose name consists of the same characters used in the extension and the word “DECRYPT.” The note asks for a ransom in exchange for the decrypted files, but keep in mind that paying the ransom doesn't guarantee that you will be given the GandCrab v5.0.2 decryptor.

Name: GandCrab 5.0.2 ransomware
Type: Cryptovirus
Family: GandCrab ransomware
Sub-versions:
File extension: 6-10 random characters
Encryption methods: Salsa20 and RSA-2048
Ransom note: [ransom characters]-DECRYPT.txt
Distribution: Fallout exploit kit
Decryption: There is no decryption tool for this variant, but the previously discovered vaccine works for this second variant of GandCrab v5
Elimination: Use Reimage for GandCrab 5.0.2 ransomware removal

The ransomware virus is one of the most recent variants in the notorious ransomware[2] family that is known to encrypt users' data and demand a hefty amount in Bitcoin as the only way to unlock it. This particular version came out on the 1st of October and has been spreading with the help of the Fallout exploit kit since then.

Immediately after the encryption process is finished, the ransomware generates a file with instructions and more details about the initial attack. Since the appearance of the first variant of the GandCrab family, these ransom messages had been placed in an HTML file. At the moment, the ransom note is created as a text file. GandCrab 5.0.2 in particular creates a ransom note named RANDOM FILE EXTENSION CHARACTERS-DECRYPT.txt and drops it in every folder that contains encoded files. It reads the following:

—= GANDCRAB V5.0.2 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:

———————————————————————–
| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrab{random}/{random}
| 4. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
• DO NOT MODIFY ENCRYPTED FILES
• DO NOT CHANGE DATA BELOW

As you can see in the quote, there are not many details about the encryption process or the ransom amount. However, when you follow these instructions and open the payment page hosted on TOR, you can see your ransom amount, the time you have left to pay, and other information.
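Because the note name reuses the extension characters and a note is dropped in every folder with encrypted files, the affected folders and files can be listed before cleanup or restore. The script below is an added example, not part of the original guide; it assumes 5 to 10 ASCII letters, matches the note name case-insensitively, and runs on a constructed sample tree:

```python
import os
import re
import tempfile
from collections import defaultdict

# Note name per the article: "<extension characters>-DECRYPT.txt".
# Assumptions: 5-10 ASCII letters (covers the lengths the article mentions),
# matched case-insensitively in case the note name is upper-cased.
NOTE_RE = re.compile(r"^([a-z]{5,10})-DECRYPT\.txt$", re.IGNORECASE)


def scope_infection(root):
    """Return {extension: {"note_dirs": [...], "files": [(path, original_name), ...]}}."""
    note_dirs = defaultdict(set)
    files_by_ext = defaultdict(list)
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            match = NOTE_RE.match(name)
            if match:
                note_dirs[match.group(1).lower()].add(dirpath)
                continue
            stem, ext = os.path.splitext(name)
            if ext:
                # stem is the pre-encryption name: the marker is appended at the end
                files_by_ext[ext[1:].lower()].append((os.path.join(dirpath, name), stem))
    # Only extensions confirmed by a matching ransom note are reported.
    return {
        ext: {"note_dirs": sorted(dirs), "files": sorted(files_by_ext.get(ext, []))}
        for ext, dirs in note_dirs.items()
    }


def build_sample_tree():
    """Constructed sample data: empty files mimicking the naming pattern."""
    root = tempfile.mkdtemp(prefix="gc502_sample_")
    layout = {
        "docs": ["report.docx.bundvvi", "budget.xlsx.bundvvi", "BUNDVVI-DECRYPT.txt"],
        "photos": ["cat.jpg", "notes.txt"],  # untouched folder, no note
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root


if __name__ == "__main__":
    for ext, hit in scope_infection(build_sample_tree()).items():
        print(f".{ext}: {len(hit['files'])} file(s), notes in {hit['note_dirs']}")
```

The recovered original names can be compared against a backup listing to see which files need restoring.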

However, like any other researcher,[3] we do not recommend paying the GandCrab 5.0.2 ransomware developers. You should avoid contacting cybercriminals in any way and focus only on the ransomware removal instead. Then, when your device is clean, you can try the recovery methods displayed below or restore your data from a safe backup.

GandCrab 5.0.2 ransomware removal can be performed using your trusty antivirus or a reputable anti-malware program. Antivirus developers who have already included this particular variant of ransomware in the database of their software detect its main file under different names:

  • Ransom.GandCrab
  • ML.Attribute.HighConfidence
  • Trojan-Ransom.Win32.GandCrypt.fbd
  • TR/AD.GandCrab.wizji
  • Trojan[Ransom]/Win32.GandCrypt
  • Ransom:Win32/GandCrab.MTC!bit
  • etc.

You need to remove GandCrab 5.0.2 ransomware as soon as possible because the ransom amount may double over time and, if you wait too long, the criminals behind this threat can affect the system of your device in more prominent ways. This is a serious cyber infection, and you need to employ tools like Reimage for the correct virus elimination.

Ransomware developers use different tool sets for distribution

Since crypto viruses are among the most dangerous cyber threats, their distribution techniques may vary from variant to variant and be more dangerous than you think. The most common way of spreading these cyber infections is spam email attachments containing malicious files or the ransomware payload itself.

However, these few versions of ransomware in this particular family of threats are known to be distributed using exploit kits and various system vulnerabilities. The Fallout exploit kit, in particular, is used in this attack, alongside Adobe Flash and Task Scheduler ALPC vulnerabilities.

Also, ransomware can use brute-force to break through unprotected RDP and install malware directly, or spread different malicious programs that are designed to infect the device with the ransomware payload.

Get rid of GandCrab 5.0.2 ransomware right now

You should remove GandCrab 5.0.2 ransomware as soon as possible using reputable tools like Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware. Cybercriminals may say that virus elimination may lead to more damage, but that statement is only meant to trick you and give the developers more time.

GandCrab 5.0.2 ransomware removal is important if you want to get your files back and your device thoroughly cleaned. It is not easy, but it is manageable. You can follow the instructions below. These step-by-step guides explain how to protect your system and get rid of the ransomware.

As a bonus, you can find decryption methods below. If you do not have correct backups saved on an external device or cloud service, you can try one of the file recovery programs listed below the article.


To remove GandCrab 5.0.2 virus, follow these steps:

Remove GandCrab 5.0.2 using Safe Mode with Networking

Enter Safe Mode with Networking to reliably remove GandCrab 5.0.2 ransomware:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove GandCrab 5.0.2

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan and remove the malicious files that belong to your ransomware to complete GandCrab 5.0.2 removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove GandCrab 5.0.2 using System Restore

The System Restore feature can also help you to eliminate this ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of GandCrab 5.0.2. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that GandCrab 5.0.2 removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove GandCrab 5.0.2 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by GandCrab 5.0.2, you can use several methods to restore them:

Since GandCrab 5.0.2 is file-locking ransomware, you may need to use Data Recovery Pro to recover your files

You can also use the Data Recovery Pro program to restore accidentally deleted files

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab 5.0.2 ransomware;
  • Restore them.

The Windows Previous Versions feature helps with files encrypted by GandCrab 5.0.2 ransomware

Use Windows Previous Versions if System Restore was enabled before

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is a method for data recovery when you have no backups

If Shadow Volume Copies still exist, you can use ShadowExplorer to restore your data

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption tool is not available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from GandCrab 5.0.2 and other ransomware, use a reputable anti-spyware program, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Jake Doevan
Jake Doevan - Computer technology expert
