
Remove GandCrab 5.0.2 ransomware (Removal Guide) - Oct 2018 update

Removal guide by Jake Doevan | Type: Ransomware

GandCrab 5.0.2 — yet another version of GandCrab ransomware that emerged together with three other versions

GandCrab 5.0.2 ransomware virus

GandCrab v5.0.2 ransomware is a malicious cryptovirus that locks data using the Salsa20 and RSA-2048 encryption algorithms. It emerged together with GandCrab 5 and follows the same pattern of generating the file extension from random characters. To mark the files it has encrypted, GandCrab 5.0.2 appends 10 or fewer random letters to the end of each file name. According to one victim, his files were marked with the .bundvvi file extension, while other victims found .wrvoqvipr and similar random strings added to their encrypted data. After the encryption[1] procedure is finished, the virus also creates a text file whose name combines the same characters used in the extension with the word “DECRYPT.” The note asks for a ransom in exchange for the decrypted files, but keep in mind that paying the ransom doesn't guarantee that you will be given the GandCrab v5.0.2 decryptor.

Name: GandCrab 5.0.2 ransomware
Type: Cryptovirus
Family: GandCrab ransomware
File extension: 6-10 random characters
Encryption methods: Salsa20 and RSA-2048
Ransom note: [ransom characters]-DECRYPT.txt
Distribution: Fallout exploit kit
Decryption: There is no decryption tool for this variant, but the previously discovered vaccine works for this second variant of GandCrab v5
Elimination: Use Reimage Reimage Cleaner Intego for GandCrab 5.0.2 ransomware removal

The ransomware virus is one of the most recent variants in the notorious ransomware[2] family that is known to encrypt users' data and demand a hefty amount in Bitcoin as the only way to unlock it. This particular version came out on the 1st of October and has been spreading with the help of the Fallout exploit kit since then.

Immediately after the encryption process is finished, the ransomware generates a file with instructions and more details about the initial attack. Since the appearance of the first variant of the GandCrab family, these ransom messages had been placed in an HTML file. At the moment, the ransom note is created as a text file. GandCrab 5.0.2 creates a ransom note named RANDOM FILE EXTENSION CHARACTERS-DECRYPT.txt and drops it in every folder that contains encoded files. It reads the following:

—= GANDCRAB V5.0.2 =—
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:

| 0. Download Tor browser –

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrab{random}/{random}
| 4. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.


As you can see in the quote, there are not many details about the encryption process or the ransom amount. However, if you follow these instructions and open the payment page hosted on the TOR network, it shows your ransom amount, the time you have left to pay, and other information.
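
For triage, the naming pattern described above (a random-letter extension plus a matching -DECRYPT.txt note carrying the V5.0.2 banner) can be used to list the folders that were hit. This is an added example, not code from the original guide; the 5-10 letter range, the case-insensitive match, the function names and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Note name per the guide: <extension characters>-DECRYPT.txt.
# Assumption: 5-10 letters, matched case-insensitively.
NOTE_RE = re.compile(r"^([A-Za-z]{5,10})-DECRYPT\.txt$", re.IGNORECASE)
BANNER = b"GANDCRAB V5.0.2"

def note_has_banner(path):
    """True if the first 4 KiB of the note carry the v5.0.2 banner."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    # Dropping NUL bytes lets the same check match UTF-16 encoded notes.
    return BANNER in head.replace(b"\x00", b"").upper()

def scan(root):
    """One finding per folder that holds a note plus files with its extension."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if not m or not note_has_banner(os.path.join(folder, name)):
                continue
            ext = "." + m.group(1).lower()
            hits = sorted(f for f in files if f.lower().endswith(ext))
            findings.append({"folder": os.path.relpath(folder, root),
                             "extension": ext, "encrypted_files": hits})
    return sorted(findings, key=lambda f: f["folder"])

def demo():
    """Run the scan over a constructed tree (sample data, not real artifacts)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        for name in ("report.docx.bundvvi", "photo.jpg.bundvvi"):
            open(os.path.join(docs, name), "wb").close()
        with open(os.path.join(docs, "BUNDVVI-DECRYPT.txt"), "w") as fh:
            fh.write("---= GANDCRAB V5.0.2 =---\nconstructed sample note\n")
        # Look-alike name without the banner: must not be reported.
        with open(os.path.join(root, "notes-DECRYPT.txt"), "w") as fh:
            fh.write("meeting notes\n")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Pointing scan() at a mounted copy of the affected disk gives a per-folder list of files to restore from backup; the banner check keeps unrelated files that merely end in -DECRYPT.txt out of the results.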

However, like any other researcher,[3] we do not recommend paying the GandCrab 5.0.2 ransomware developers. You should avoid contacting cybercriminals in any way and focus only on ransomware removal instead. Then, when your device is clean, you can try the recovery methods displayed below or restore your data from a safe backup.

GandCrab 5.0.2 ransomware removal can be performed using your trusted antivirus or a reputable anti-malware program. Antivirus developers who have already included this particular variant in the databases of their software detect its main file under different names:

  • Ransom.GandCrab
  • ML.Attribute.HighConfidence
  • Trojan-Ransom.Win32.GandCrypt.fbd
  • TR/AD.GandCrab.wizji
  • Trojan[Ransom]/Win32.GandCrypt
  • Ransom:Win32/GandCrab.MTC!bit
  • etc.

You need to remove GandCrab 5.0.2 ransomware as soon as possible because the ransom amount may double in time and, if you wait too long, the criminals behind this threat can affect your system in more prominent ways. This is a serious cyber infection, and you need to employ tools like Reimage Reimage Cleaner Intego for correct virus elimination.

GandCrab 5.0.2 ransomware is a virus that locks your files with the goal of money extortion.

Ransomware developers use different sets of tools for distribution

Since crypto viruses are among the most dangerous cyber threats, their distribution techniques may vary from variant to variant and be more dangerous than you think. The most common way of spreading these infections is spam email attachments that contain malicious files or the ransomware payload directly.

However, these few versions of ransomware in this particular family of threats are known to be distributed using exploit kits and various system vulnerabilities. The Fallout exploit kit, in particular, is used in this attack, alongside Adobe Flash and Task Scheduler ALPC vulnerabilities.

Also, ransomware can use brute force to break through unprotected RDP and install malware directly, or spread other malicious programs that are designed to infect the device with the ransomware payload.

Get rid of GandCrab 5.0.2 ransomware right now

You should remove GandCrab 5.0.2 ransomware as soon as possible using reputable tools like Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes. Cybercriminals may say that virus elimination may lead to more damage, but that statement is only meant to trick you and buy more time for the developers.

GandCrab 5.0.2 ransomware removal is important if you want to get your files back and your device thoroughly cleaned. It is not easy, but it is manageable. You can follow the instructions below. These step-by-step guides explain how to protect your system and get rid of the ransomware.

As a bonus, you can find decryption methods below. If you do not have correct backups saved on an external device or cloud service, you can try one of the programs designed to recover files that are listed below the article.


To remove GandCrab 5.0.2 virus, follow these steps:

Remove GandCrab 5.0.2 using Safe Mode with Networking

Enter Safe Mode with Networking to remove GandCrab 5.0.2 ransomware:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove GandCrab 5.0.2

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete GandCrab 5.0.2 removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove GandCrab 5.0.2 using System Restore

The System Restore feature can also help you eliminate this ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list (the 'Safe Mode with Command Prompt' entry).

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of GandCrab 5.0.2. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Reimage Reimage Cleaner Intego, scan your computer with it and make sure that GandCrab 5.0.2 removal was performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove GandCrab 5.0.2 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by GandCrab 5.0.2, you can use several methods to restore them:

Since GandCrab 5.0.2 is file-locking ransomware, you may need to use Data Recovery Pro to recover your files

You can also use the Data Recovery Pro program to restore accidentally deleted files

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab 5.0.2 ransomware;
  • Restore them.

Windows Previous Versions feature helps with files encrypted by GandCrab 5.0.2 ransomware

Use Windows Previous Versions if System Restore was enabled before

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is a method for data recovery when you have no backups

If Shadow Volume Copies still exist, you can use ShadowExplorer to restore your data

  • Download Shadow Explorer;
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption tool is not available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from GandCrab 5.0.2 and other ransomware, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Back up files for later use, in case of a malware attack

Computer users can suffer various losses due to cyber infections or their own mistakes. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to update your backups after any changes on the device, so you can get back to the point you were working at when malware changes anything or issues with the device cause data or performance corruption. Make file backup your daily or weekly habit.

When you have a previous version of every important document or project, you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for system restoring purposes.

About the author
Jake Doevan - Computer technology expert
