Severity scale: 99/100

Gandcrab 5.0.4 ransomware. How to remove? (Uninstall guide)

Removal by Lucia Danes | Type: Ransomware

Gandcrab 5.0.4 ransomware is the newest variant of the file-locking virus that has been around since January 2018.

GandCrab 5.0.4 ransomware is a data-locking virus that is capable of locking all personal files on the system.

GandCrab 5.0.4 is a ransomware virus that has been attacking companies and regular users by locking up their files and demanding a ransom in Bitcoin or Dash cryptocurrency in return. The malware is well known in the cybersecurity community, as it is extremely prevalent and, since GandCrab v5 came out, its successors have been following one right after another. All variants before v5 had distinctive file extensions, such as .KRAB or .CRAB; the malware has now switched to using randomly generated letters instead (one minor change in 5.0.4 is that it uses 8 characters instead of 5). From version 5.0.1 onwards, the ransomware also switched to a .txt ransom note instead of an .html one. Gandcrab 5.0.4 ransomware is spread with the help of the Fallout exploit kit,[1] as well as several other methods.

Summary
Name: GandCrab 5.0.4
Type: Ransomware
Previous versions: GandCrab 5.0.1, GandCrab 5.0.2
Spotted: Early October 2018
File extension: Randomly generated 8 characters
Cipher used: RSA and Salsa20
Ransom note: [randomly_generated_extension_of_8_characters]-DECRYPT.txt
Distribution: Vulnerabilities, exploits, spam emails, malicious websites, etc.
Elimination: Download anti-malware software (Reimage, Malwarebytes or Combo Cleaner) and perform a full system scan
Decryptable? No
File recovery: Only through backups or third-party software

The RIG and GradSoft exploit kits[2] helped hackers to distribute the malicious payload in its earlier variants. Version 5+ utilizes the new Fallout exploit kit, as well as spam emails, malicious websites and the ALPC Task Scheduler zero-day exploit, making Gandcrab 5.0.4 one of the most rampantly growing threats of the past few weeks.

Just like its previous variants, the Gandcrab 5.0.4 virus uses the RSA and Salsa20 encryption algorithms to encrypt files such as videos, pictures, images, databases and documents, and renders them useless. To regain access to the data, victims are urged to contact the criminals via the TOR browser. The link to the address is presented in the ransom note called [randomly_generated_extension_of_8_characters]-DECRYPT.txt, which explains to users in detail what should be done next.
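The note-naming scheme described above can be used to scope the damage before any cleanup or recovery. The following is an added example, not code from the original guide: a read-only Python scan that finds ransom notes named <8 letters>-DECRYPT.txt and counts, per folder, the files carrying the extension each note announces. The function names, the sample file names and the case-insensitive matching are assumptions made for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Note name from the page: <8 random letters>-DECRYPT.txt. Matching case-
# insensitively is an assumption; the page does not say which case is used.
NOTE_RE = re.compile(r"^([a-z]{8})-DECRYPT\.txt$", re.IGNORECASE)


def triage(root):
    """Return (ransom note paths, announced extensions, hit count per directory)."""
    notes, exts, others = [], set(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes.append(os.path.join(dirpath, name))
                exts.add(m.group(1).lower())
            else:
                others.append((dirpath, name))
    # Count only extensions announced by a note, so an ordinary 8-letter
    # extension such as ".manifest" is not flagged on its own.
    hits = Counter()
    for dirpath, name in others:
        if os.path.splitext(name)[1].lstrip(".").lower() in exts:
            hits[dirpath] += 1
    return sorted(notes), exts, dict(hits)


def demo():
    """Triage a constructed sample tree (all file names are made up)."""
    sample = [
        ("Documents", "QWERTYUI-DECRYPT.txt"),
        ("Documents", "report.docx.qwertyui"),
        ("Documents", "budget.xlsx.qwertyui"),
        ("Documents", "app.manifest"),
        ("Pictures", "holiday.jpg.qwertyui"),
        ("Pictures", "readme.txt"),
    ]
    with tempfile.TemporaryDirectory() as root:
        for folder, name in sample:
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            open(os.path.join(root, folder, name), "w").close()
        notes, exts, hits = triage(root)
        rel = lambda p: os.path.relpath(p, root)
        return [rel(n) for n in notes], exts, {rel(d): c for d, c in hits.items()}


if __name__ == "__main__":
    print(demo())
```

The scan only lists and counts files, so it can be pointed at a mounted copy of the affected disk or at a backup before that backup is trusted for recovery.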

As usual, experts recommend not contacting the cybercriminals and taking care of Gandcrab 5.0.4 ransomware removal instead, despite the crooks' warnings. Hackers can never be trusted, as they use clever social engineering to trick people into paying money. Malware authors can simply ignore you after the ransom is paid (they usually demand between $800 and $2400 in Bitcoin or Dash), so you will end up losing both files and money. Thus, do not risk becoming a victim of a scam, as such a scenario is highly plausible.

To remove Gandcrab 5.0.4 ransomware, you should download and install comprehensive security software, bring it up to date, enter Safe Mode with Networking and perform a full system scan. This should disable the virus temporarily and allow the security program to operate correctly.

You should attempt file recovery only after Gandcrab 5.0.4 has been eliminated. Unfortunately, the latest variant of GandCrab is not decryptable yet, and those who did not prepare backups can either pay the criminals or make use of third-party applications that might be able to help. We suggest you go with the latter and check our recovery guide below.

Patch your software on time and be aware of spam email campaigns

Since the latest variant utilizes the Fallout exploit kit, as well as a vulnerability, make sure you patch your software regularly. Security updates are vital for any machine, as they stop malicious payloads from getting in through bugs in the software. It is equally important to update security software on a regular basis, as detection databases are updated daily.

Nevertheless, be aware that new malware strains are emerging every day, so staying alert while browsing the internet and handling spam emails is vital to virtual safety. We recommend you stay away from torrent, file-sharing, gambling, porn,[3] and similar insecure sites. Likewise, opening email attachments from an unknown source is a bad idea. If you are not sure whether an email is legitimate, contact the company that is allegedly sending it and confirm that the email is not fake. Scanning the attached file with security software is also recommended.

Get rid of Gandcrab 5.0.4 ransomware virus

Despite the crooks' warnings, you should not delay Gandcrab 5.0.4 ransomware removal. The malware might compromise the safety of the machine and allow other dangerous infections to slip through. Therefore, if you still do not have security software, download and install Reimage, Malwarebytes or Combo Cleaner and run a full system scan. In some cases, the cyber threat might block anti-malware software, so entering Safe Mode with Networking might be a way out.

Only after you remove the Gandcrab 5.0.4 virus can you attempt file recovery. If you have backups available, do not connect the external device to the infected machine, or all your backups will be ruined and encrypted as well! If you do not have backups, follow our guide below on alternative methods that could help you to retrieve data.


To remove Gandcrab 5.0.4 virus, follow these steps:

Remove Gandcrab 5.0.4 using Safe Mode with Networking

To remove Gandcrab 5.0.4 ransomware safely, enter Safe Mode with Networking.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Gandcrab 5.0.4

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Gandcrab 5.0.4 removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Gandcrab 5.0.4 using System Restore

You can also disable the virus using System Restore:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Gandcrab 5.0.4. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that Gandcrab 5.0.4 removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Gandcrab 5.0.4 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Gandcrab 5.0.4, you can use several methods to restore them:

Data Recovery Pro can help you with file decryption

Data Recovery Pro was originally designed to help users who accidentally deleted or otherwise corrupted personal files. Nevertheless, this application was also useful in some cases of ransomware infections.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Gandcrab 5.0.4 ransomware;
  • Restore them.

Make use of Windows Previous Version feature

This method allows you to recover files one by one, so retrieving large amounts of data might be impossible.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer can utilize Shadow Volume Copies to recover files encrypted by Gandcrab 5.0.4 ransomware

If the virus failed to remove Shadow Volume Copies, this tool will recover all your files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk containing your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Gandcrab 5.0.4 and other ransomware, use a reputable anti-spyware program, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.


References