GandCrab 5.0.2 ransomware (Removal Guide) - Oct 2018 update

GandCrab 5.0.2 virus Removal Guide

What is GandCrab 5.0.2 ransomware?

GandCrab 5.0.2 — yet another version of GandCrab ransomware that emerged together with three other versions

GandCrab 5.0.2 ransomware is a cyber threat that focuses on data encryption and ransom demanding.

GandCrab v5.0.2 ransomware is a malicious cryptovirus that locks data using the Salsa20 and RSA-2048 encryption algorithms. It emerged together with GandCrab 5 and follows the same pattern of generating the file extension from random characters. To mark files encrypted by GandCrab 5.0.2, the virus appends 10 or fewer random letters to the end of each file name. According to one of our victims, his files were marked with the .bundvvi file extension, but other victims found .wrvoqvipr and similar random strings appended to their encrypted data. After the encryption[1] procedure is finished, the virus also creates a text file whose name is built from the same characters used in the extension plus the word “DECRYPT.” The note asks for a ransom in exchange for the decrypted files, but keep in mind that paying the ransom does not guarantee that you will receive a GandCrab v5.0.2 decryptor.

Name: GandCrab 5.0.2 ransomware
Type: Cryptovirus
Family: GandCrab ransomware
File extension: 6-10 random characters
Encryption methods: Salsa20 and RSA-2048
Ransom note: [random extension characters]-DECRYPT.txt
Distribution: Fallout exploit kit
Decryption: There is no decryption tool for this variant, but the previously discovered vaccine works for this second variant of GandCrab v5
Elimination: Use FortectIntego for GandCrab 5.0.2 ransomware removal

The ransomware virus is one of the most recent variants in the notorious ransomware[2] family that is known to encrypt users' data and demand a hefty amount in Bitcoin as the only way to unlock them. This particular version came out on the 1st of October and has been spreading around with the help of Fallout exploit kit since then.

Immediately after the encryption process is finished, the ransomware generates a file with instructions and more details about the attack. Since the appearance of the first variant of the GandCrab family, these ransom messages were placed in an HTML file; at the moment, the ransom note is created as a text file. GandCrab 5.0.2 in particular creates a ransom note named [random extension characters]-DECRYPT.txt and drops it in every folder that contains encoded files. It reads as follows:

—= GANDCRAB V5.0.2 =—
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:

| 0. Download Tor browser –

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrab{random}/{random}
| 4. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.


As you can see in the quote, there are not many details about an encryption process or the ransom amount. However, when you follow these instructions and go to TOR browser, where the payment page is hosted, you can see your ransom amount, the time you have left to pay, and other information.
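The naming scheme described above (a random-letter extension on every locked file, reused as the prefix of the `<EXT>-DECRYPT.txt` note dropped in each affected folder) is enough to triage a file share or user profile for this variant. The following script is an added example, not code from the original guide; the directory tree and file names it builds are constructed placeholders.

```python
import os
import re
import tempfile
from collections import defaultdict

# Ransom note naming described in the article: the random-letter extension appended
# to every locked file is reused as the note's prefix, e.g. .bundvvi -> BUNDVVI-DECRYPT.txt
NOTE_RE = re.compile(r"^([A-Za-z]{5,10})-DECRYPT\.txt$", re.IGNORECASE)

def correlate(entries):
    """entries: iterable of (folder, filename). For every extension token seen in a
    note, count notes, files carrying that extension and the folders they sit in.
    Tokens with a note but no matching files are dropped as likely false positives."""
    entries = list(entries)
    notes, locked, folders = defaultdict(int), defaultdict(int), defaultdict(set)
    for _folder, name in entries:
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1).lower()] += 1
    for folder, name in entries:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in notes:
            locked[ext] += 1
            folders[ext].add(folder)
    return {t: {"notes": notes[t], "encrypted": locked[t], "folders": len(folders[t])}
            for t in notes if locked[t]}

def scan_tree(root):
    """Walk a directory tree and feed every (folder, filename) pair into correlate()."""
    return correlate((d, f) for d, _, files in os.walk(root) for f in files)

def demo():
    """Constructed sample tree mimicking an infected profile (placeholder content only)."""
    root = tempfile.mkdtemp(prefix="gc_sample_")
    sample = ["Documents/report.docx.bundvvi", "Documents/budget.xlsx.bundvvi",
              "Documents/BUNDVVI-DECRYPT.txt", "Pictures/cat.jpg.bundvvi",
              "Pictures/BUNDVVI-DECRYPT.txt", "Pictures/readme.txt", "notes.txt"]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
    return scan_tree(root)

if __name__ == "__main__":
    for token, info in demo().items():
        print(f".{token}: {info['encrypted']} locked files in {info['folders']} folders, "
              f"{info['notes']} ransom notes")
```

Point `scan_tree()` at a mounted backup or a live user profile to get the affected extension token and the number of folders that need restoring before any cleanup touches the files.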

However, like any other researcher,[3] we do not recommend paying the GandCrab 5.0.2 ransomware developers. You should avoid contacting the cybercriminals in any way and focus on ransomware removal instead. Then, when your device is clean, you can try the recovery methods shown below or restore your data from a safe backup.

GandCrab 5.0.2 ransomware removal can be performed using your trusted antivirus or a reputable anti-malware program. Antivirus vendors who have already added this particular variant to their detection databases flag its main file under different names:

  • Ransom.GandCrab
  • ML.Attribute.HighConfidence
  • Trojan-Ransom.Win32.GandCrypt.fbd
  • TR/AD.GandCrab.wizji
  • Trojan[Ransom]/Win32.GandCrypt
  • Ransom:Win32/GandCrab.MTC!bit
  • etc.

You need to remove GandCrab 5.0.2 ransomware as soon as possible because the ransom amount may double over time and, if you wait too long, the criminals behind this threat can damage your system further. This is a serious cyber infection, and you should use tools like FortectIntego for correct virus elimination.

GandCrab 5.0.2 ransomware is a virus that locks your files with the goal of money extortion.

Ransomware developers use different tool sets for distribution

Since crypto viruses are among the most dangerous cyber threats, their distribution techniques vary from variant to variant and may be more dangerous than you think. The most common way of spreading these infections is spam email attachments that contain malicious files or deliver the ransomware payload directly.

However, the recent versions in this particular family are known to be distributed through exploit kits and various system vulnerabilities. The Fallout exploit kit in particular is used in this attack, alongside Adobe Flash and Task Scheduler ALPC vulnerabilities.

Ransomware operators can also brute-force unprotected RDP logins and then either install the malware directly or plant other malicious programs designed to infect the device with the ransomware payload.

Get rid of GandCrab 5.0.2 ransomware right now

You should remove GandCrab 5.0.2 ransomware as soon as possible using reputable tools like FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes. Cybercriminals may claim that removing the virus will cause more damage, but that statement only serves to scare you and buy the developers more time.

GandCrab 5.0.2 ransomware removal is important if you want to get your files back and your device thoroughly cleaned. It is not easy, but it is manageable. You can follow the instructions below; these step-by-step guides explain how to protect your system and get rid of the ransomware.

As a bonus, you can find decryption methods below. If you do not have correct backups saved on an external device or cloud service, you can try one of the file-recovery programs listed below the article.


Getting rid of GandCrab 5.0.2 virus. Follow these steps

Manual removal using Safe Mode

Enter Safe Mode with Networking to reliably remove GandCrab 5.0.2 ransomware:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to the Background processes section and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove GandCrab 5.0.2 using System Restore

System restore feature can also help you to eliminate this ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the GandCrab 5.0.2 infiltration. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that GandCrab 5.0.2 removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove GandCrab 5.0.2 from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by security experts.

If your files are encrypted by GandCrab 5.0.2, you can use several methods to restore them:

Since GandCrab 5.0.2 is file-locking ransomware, you may need to use Data Recovery Pro to recover your files.

You can also use the Data Recovery Pro program to restore accidentally deleted files:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab 5.0.2 ransomware;
  • Restore them.

The Windows Previous Versions feature helps with files encrypted by GandCrab 5.0.2 ransomware

Use Windows Previous Versions if System Restore was enabled before the infection

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is a method for data recovery when you have no backups

If Shadow Volume Copies still exist, you can use ShadowExplorer to restore your data

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

A decryption tool is not available

Finally, you should always think about protection against crypto-ransomware. To protect your computer from GandCrab 5.0.2 and other ransomware, use a reputable anti-spyware tool such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent ransomware infections

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even the smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions
