GandCrab 5.0.2 ransomware (Removal Guide) - Oct 2018 update
What is GandCrab 5.0.2 ransomware?
GandCrab 5.0.2 is yet another version of GandCrab ransomware, released alongside three other GandCrab 5 builds
GandCrab v5.0.2 ransomware is a malicious cryptovirus that locks data by combining the Salsa20 stream cipher with RSA-2048 (the RSA key pair protects the Salsa20 keys, so the file contents cannot be recovered without the criminals' private key). It emerged together with GandCrab 5 and follows the same pattern of building the file extension from random characters: files encrypted by GandCrab 5.0.2 are marked by appending up to 10 random letters to each file name. One of our victims reported the .bundvvi file extension, while others found .wrvoqvipr and similar random strings appended to their encrypted data. After the encryption[1] procedure is finished, the virus also creates a text file whose name consists of the same characters used in the extension plus the word DECRYPT. The note asks you to pay a ransom in exchange for decryption, but keep in mind that paying does not guarantee that you will receive a working GandCrab v5.0.2 decryptor.
Name | GandCrab 5.0.2 ransomware |
---|---|
Type | Cryptovirus |
Family | GandCrab ransomware |
File extension | 6 to 10 random letters |
Encryption methods | Salsa20 (file contents) and RSA-2048 (key protection) |
Ransom note | [extension characters]-DECRYPT.txt |
Distribution | Fallout exploit kit |
Decryption | No decryption tool exists for this variant, but the previously released vaccine also works against this second variant of GandCrab v5 |
Elimination | Use FortectIntego for GandCrab 5.0.2 ransomware removal |
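How the Salsa20 and RSA-2048 combination listed above makes removal alone useless for recovery, shown with an added example (not code from the original article or from the malware itself): each file is encrypted with a fresh Salsa20 key and nonce, and only that small piece of key material is wrapped with the attackers' RSA public key. The Salsa20 routine follows Bernstein's specification; the RSA step is a textbook stand-in built from two Mersenne primes because the Python standard library has no RSA, and it is deliberately labelled insecure. The real malware layers keys further (per-victim and master key pairs); this example keeps only the single layer needed to make the point. The same model explains the statement further down that deleting the payload leaves the data locked.

```python
"""Hybrid Salsa20 + RSA model of a GandCrab-style file locker.
Added example for illustration; not the malware's code and not secure RSA."""
import os
import struct

SIGMA = b"expand 32-byte k"  # Salsa20 constant for 256-bit keys


def _rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & 0xFFFFFFFF


def _quarter(s, a, b, c, d):
    # Salsa20 quarterround on state words a, b, c, d (in place).
    s[b] ^= _rotl((s[a] + s[d]) & 0xFFFFFFFF, 7)
    s[c] ^= _rotl((s[b] + s[a]) & 0xFFFFFFFF, 9)
    s[d] ^= _rotl((s[c] + s[b]) & 0xFFFFFFFF, 13)
    s[a] ^= _rotl((s[d] + s[c]) & 0xFFFFFFFF, 18)


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block for a 32-byte key and 8-byte nonce."""
    k = struct.unpack("<8I", key)
    c = struct.unpack("<4I", SIGMA)
    n = struct.unpack("<2I", nonce)
    state = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
             counter & 0xFFFFFFFF, counter >> 32, c[2], k[4], k[5], k[6], k[7], c[3]]
    s = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter(s, 0, 4, 8, 12); _quarter(s, 5, 9, 13, 1)      # column round
        _quarter(s, 10, 14, 2, 6); _quarter(s, 15, 3, 7, 11)
        _quarter(s, 0, 1, 2, 3); _quarter(s, 5, 6, 7, 4)        # row round
        _quarter(s, 10, 11, 8, 9); _quarter(s, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(s, state)])


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = salsa20_block(key, nonce, i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)


# Toy stand-in for the attackers' RSA-2048 key pair. Mersenne primes make this
# trivially factorable; it exists only to show the key-wrapping step.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537                                 # public exponent, shipped in the malware
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held only by the criminals
MATERIAL_LEN = 32 + 8                      # Salsa20 key + nonce


def wrap_key(material):
    """Textbook RSA (no padding) of the per-file key material under the public key."""
    return pow(int.from_bytes(material, "big"), E, N)


def unwrap_key(wrapped, d=D):
    value = pow(wrapped, d, N)
    if value.bit_length() > MATERIAL_LEN * 8:
        raise ValueError("unwrapped value does not fit: wrong private key")
    return value.to_bytes(MATERIAL_LEN, "big")


def encrypt_file(plaintext):
    """Fresh Salsa20 key and nonce per file; return (ciphertext, wrapped key material).
    The plaintext key is dropped here, so nothing left on the machine can decrypt."""
    key, nonce = os.urandom(32), os.urandom(8)
    return salsa20_xor(key, nonce, plaintext), wrap_key(key + nonce)


def decrypt_file(ciphertext, wrapped, d=D):
    material = unwrap_key(wrapped, d)
    return salsa20_xor(material[:32], material[32:], ciphertext)


def demo():
    original = b"Quarterly report: revenue up 12%, churn down." * 20  # constructed file
    ct, wrapped = encrypt_file(original)
    recovered = decrypt_file(ct, wrapped)          # the criminals' side, with D
    try:
        wrong = decrypt_file(ct, wrapped, D + 1)   # any exponent other than D: no key
    except ValueError:
        wrong = None
    return {"ciphertext_differs": ct != original,
            "recovered": recovered == original,
            "wrong_key_recovered": wrong == original}


if __name__ == "__main__":
    print(demo())
```

Once the process exits, the only copy of the Salsa20 key is inside the RSA-wrapped blob; deleting the binary, as the removal steps below do, stops further encryption but changes nothing about the files already locked.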
The ransomware virus is one of the most recent variants in the notorious ransomware[2] family that is known to encrypt users' data and demand a hefty amount in Bitcoin as the only way to unlock it. This particular version came out on the 1st of October and has been spreading with the help of the Fallout exploit kit since then.
Immediately after the encryption process is finished, the ransomware generates a file with instructions and more details about the attack. Earlier GandCrab variants have delivered this message in both text and HTML form; this version creates it as a plain text file. GandCrab 5.0.2 names the ransom note [RANDOM EXTENSION CHARACTERS]-DECRYPT.txt and drops it in every folder that contains encrypted files. It reads as follows:
—= GANDCRAB V5.0.2 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
0. Download Tor browser – https://www.torproject.org/
1. Install Tor Browser
2. Open Tor Browser
3. Open link in TOR browser http://gandcrab{random}/{random}
4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
• DO NOT MODIFY ENCRYPTED FILES
• DO NOT CHANGE DATA BELOW
As you can see in the quote, the note gives few details about the encryption process and none about the ransom amount. Only when you follow the instructions and open the payment page in the Tor browser do you see the ransom amount, the time left to pay, and other information.
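Worked triage for the naming pattern just described, as an added example (not code from the original article): given a file listing from an affected machine or share, it recovers the random extension from each *-DECRYPT.txt note, counts the files carrying that extension, flags folders that hold encrypted files but no note, and cross-checks the extension quoted inside the note body. The listing and note text are constructed here to mimic the .bundvvi case mentioned above; the assumption that the note prefix is 5 to 10 letters and matches the extension case-insensitively is mine, based on the extensions reported on this page.

```python
"""Triage of a GandCrab 5.x-style ransom-note and extension pattern.
Added example; the listing and note below are constructed, not real artifacts."""
import re
from pathlib import PurePosixPath

# Assumption: note prefix is 5-10 letters and equals the appended extension.
NOTE_RE = re.compile(r"^([A-Za-z]{5,10})-DECRYPT\.txt$")
EXT_IN_NOTE_RE = re.compile(r"have the extension:\s*\.?([A-Za-z]{5,10})")


def triage(paths):
    """Map each extension token found in note names to a summary dict:
    note count, encrypted file count, and folders with encrypted files but no note."""
    files = [PurePosixPath(p) for p in paths]
    note_dirs = {}                                   # token -> folders holding a note
    for f in files:
        m = NOTE_RE.match(f.name)
        if m:
            note_dirs.setdefault(m.group(1).lower(), set()).add(str(f.parent))
    report = {}
    for token, dirs in note_dirs.items():
        hits = [f for f in files if f.suffix.lower() == "." + token]
        report[token] = {
            "notes": len(dirs),
            "encrypted_files": len(hits),
            # A folder encrypted but without a note suggests an interrupted run or
            # a note deleted by a cleanup tool; check it before restoring anything.
            "folders_without_note": sorted({str(f.parent) for f in hits} - dirs),
        }
    return report


def extension_from_note(note_text):
    """Pull the extension the note itself claims, for cross-checking against file names."""
    m = EXT_IN_NOTE_RE.search(note_text)
    return m.group(1).lower() if m else None


SAMPLE_LISTING = [  # constructed: a share after a GandCrab 5.0.2 run
    "/share/finance/BUNDVVI-DECRYPT.txt",
    "/share/finance/q3.xlsx.bundvvi",
    "/share/finance/budget.docx.bundvvi",
    "/share/hr/BUNDVVI-DECRYPT.txt",
    "/share/hr/contracts.pdf.bundvvi",
    "/share/photos/IMG_0001.jpg.bundvvi",   # encrypted, but no note in this folder
    "/share/photos/IMG_0002.jpg",           # untouched
    "/share/it/readme.txt",
    "/share/it/tools.zip",
]

SAMPLE_NOTE = (  # constructed from the template quoted above
    "---= GANDCRAB V5.0.2 =---\nAttention!\nAll your files, documents, photos, databases "
    "and other important files are encrypted and have the extension: .BUNDVVI\n"
)


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    claimed = extension_from_note(SAMPLE_NOTE)
    for token, summary in report.items():
        print(token, summary, "note matches files:", token == claimed)
```

Run it against a recursive listing (for example the output of `dir /s /b` saved from the infected host) rather than on the live machine, so the triage itself does not touch the encrypted files.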
However, like other researchers,[3] we do not recommend paying the GandCrab 5.0.2 ransomware developers. Avoid contacting the cybercriminals in any way and focus on removing the ransomware instead. Then, once your device is clean, you can try the recovery methods shown below or restore your data from a safe backup.
GandCrab 5.0.2 ransomware removal can be performed with your trusted antivirus or a reputable anti-malware program. Antivirus vendors that have already added this variant to their signature databases detect its main file under different names:
- Ransom.GandCrab
- ML.Attribute.HighConfidence
- Trojan-Ransom.Win32.GandCrypt.fbd
- TR/AD.GandCrab.wizji
- Trojan[Ransom]/Win32.GandCrypt
- Ransom:Win32/GandCrab.MTC!bit
- etc.
You need to remove GandCrab 5.0.2 ransomware as soon as possible: the ransom amount doubles once the timer on the payment page expires, and the longer an active infection stays on the system, the more damage the criminals behind it can do. This is a serious cyber infection, and you need to employ tools like FortectIntego for correct virus elimination.
Ransomware developers use different tool sets for distribution
Since crypto-viruses are among the most dangerous cyber threats, their distribution techniques vary from variant to variant and may be more dangerous than you think. The most common way of spreading these infections is spam email with attachments that contain malicious files or drop the ransomware payload directly.
However, these particular versions of the GandCrab family are known to be distributed through exploit kits and system vulnerabilities. The Fallout exploit kit is used in this campaign, exploiting an Adobe Flash vulnerability in the browser to run the payload. The Task Scheduler ALPC vulnerability also referenced in this campaign is a local privilege-escalation flaw: it is abused after the payload is already running, to gain higher privileges, rather than for delivery. Keeping Windows patched and removing or disabling Flash closes both avenues.
Ransomware operators also brute-force credentials on exposed RDP services and install the malware by hand, or drop other malicious programs designed to deliver the ransomware payload.
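Detection logic for the RDP brute-forcing described above, as an added example (not code from the original article): it scans failed-logon events (Windows Security Event ID 4625) for bursts from one source address and marks the source as likely compromised if a successful logon (4624) from it follows. The one-line event format, the five-failures-in-two-minutes threshold and the sample log are all constructed for this example; real events live in the Security event log and would be exported first (for instance with Get-WinEvent), but the same fields (Logon Type, Account Name, Source Network Address) drive the logic.

```python
"""Burst detection for failed RDP logons, followed-by-success check.
Added example; the flat one-line log format and sample events are constructed."""
import re
from collections import defaultdict, deque, Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<eid>4624|4625) "
    r"LogonType=(?P<lt>\d+) Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)
# Logon Type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts are recorded as type 3 (network) instead.
RDP_LOGON_TYPES = {"3", "10"}
THRESHOLD = 5                     # hypothetical tuning values for this example
WINDOW = timedelta(minutes=2)


def parse(lines):
    """Yield parsed events as dicts; silently skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev


def detect(lines):
    """Return one alert per source that reaches THRESHOLD failed RDP logons within
    WINDOW. 'followed_by_success' names the account if a 4624 from that source
    comes later: the strongest sign the brute force worked."""
    recent = defaultdict(deque)   # src -> failure timestamps inside the window
    total = Counter()             # src -> all failures seen
    accounts = defaultdict(set)   # src -> distinct accounts tried (spray indicator)
    alerts = {}
    for ev in parse(lines):
        if ev["lt"] not in RDP_LOGON_TYPES:
            continue
        src = ev["src"]
        if ev["eid"] == "4625":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            total[src] += 1
            accounts[src].add(ev["acct"])
            if src not in alerts and len(q) >= THRESHOLD:
                alerts[src] = {"source": src, "followed_by_success": None}
            if src in alerts:
                alerts[src]["failures"] = total[src]
                alerts[src]["accounts_tried"] = len(accounts[src])
        elif ev["eid"] == "4624" and src in alerts:
            alerts[src]["followed_by_success"] = ev["acct"]
    return list(alerts.values())


SAMPLE_LOG = [  # constructed events; 203.0.113.7 sprays accounts, then gets in
    "2018-10-02 03:14:01 4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2018-10-02 03:14:03 4625 LogonType=10 Account=admin Source=203.0.113.7",
    "2018-10-02 03:14:05 4625 LogonType=10 Account=backup Source=203.0.113.7",
    "2018-10-02 03:14:08 4625 LogonType=10 Account=scanner Source=203.0.113.7",
    "2018-10-02 03:14:10 4625 LogonType=10 Account=jsmith Source=203.0.113.7",
    "2018-10-02 03:14:12 4625 LogonType=10 Account=jsmith Source=203.0.113.7",
    "2018-10-02 03:14:30 4624 LogonType=10 Account=jsmith Source=203.0.113.7",
    "2018-10-02 08:00:00 4625 LogonType=10 Account=mwilson Source=198.51.100.22",
    "2018-10-02 08:00:20 4624 LogonType=10 Account=mwilson Source=198.51.100.22",
    "2018-10-02 09:00:00 4625 LogonType=2 Account=local Source=-",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single mistyped password (198.51.100.22) and a console logon (type 2) produce no alert; the spraying source does, and the trailing 4624 tells the responder which account to reset and which session to hunt for the dropped payload.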
Get rid of GandCrab 5.0.2 ransomware right now
You should remove GandCrab 5.0.2 ransomware as soon as possible, using reputable tools like FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes. Cybercriminals may claim that removing the virus will cause more damage, but that statement only serves to scare you and buy the developers more time.
GandCrab 5.0.2 ransomware removal is important to get your device thoroughly cleaned and to stop further encryption before you attempt any file recovery; removal by itself does not unlock the files. It is not easy, but it is manageable. Follow the instructions below: these step-by-step guides explain how to get rid of the ransomware and protect your system.
As a bonus, you can find data recovery methods below. If you do not have proper backups saved on an external device or cloud service, you can try one of the file-recovery programs listed below the article.
Getting rid of GandCrab 5.0.2 virus. Follow these steps
Manual removal using Safe Mode
Enter Safe Mode with Networking to remove GandCrab 5.0.2 ransomware reliably:
Important!
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to perform correctly (if vital system files are removed or damaged, it might result in a fully compromised Windows installation), and it might take hours to complete. Therefore, we highly advise using the automatic method described above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in Safe Mode.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places on your computer. These instructions can help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that holds malicious files).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove GandCrab 5.0.2 using System Restore
The System Restore feature can also help you eliminate this ransomware. Note that System Restore reverts system files, programs and settings only; it does not bring back encrypted documents.
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point dated before the GandCrab 5.0.2 infiltration. After doing that, click Next.
- Now click Yes to start System Restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove GandCrab 5.0.2 from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by GandCrab 5.0.2, you can use several methods to restore them:
Since GandCrab 5.0.2 is file-locking ransomware, you may need to use Data Recovery Pro to recover your files. Keep in mind that such tools can only carve out copies of files that were deleted rather than overwritten, so results vary from case to case.
You can also use Data Recovery Pro to restore accidentally deleted files:
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by GandCrab 5.0.2 ransomware;
- Restore them.
Windows Previous Versions helps with files encrypted by GandCrab 5.0.2 ransomware
Use Windows Previous Versions if System Restore (System Protection) was enabled before the infection:
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer is a data recovery method when you have no backups
If Shadow Volume Copies still exist, you can use ShadowExplorer to restore your data. Many ransomware strains, GandCrab included, try to delete the shadow copies during the attack, so check whether any remain before counting on this method:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Decryption tool is not available
Finally, you should always think about protection against crypto-ransomware. To protect your computer from GandCrab 5.0.2 and other ransomware, use reputable anti-spyware such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent getting ransomware
Data backups are important – recover your lost files
Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it runs an encryption routine that locks all your files without destroying them. The most common misconception is that anti-malware software can return files to their previous state. This is not true: the data remains encrypted after the malicious payload is deleted, because the key needed to decrypt it was protected with the attackers' public key and never stored on the machine in a usable form.
While regular data backups are the only reliable method of recovering your files after a ransomware attack, tools such as Data Recovery Pro can sometimes be effective and restore at least some of your lost data.
- ^ Rick Correa. How fast does ransomware encrypt files? Faster than you think. Barkly.
- ^ Ransomware. Wikipedia, the free encyclopedia.
- ^ Semvirus. Spyware news.