
GandCrab 5.2 ransomware. How to remove? (Uninstall guide)

Removal guide by Linas Kiguolis | Type: Ransomware

GandCrab 5.2 is the ransomware that came out quickly after Bitdefender's decryptor for previous versions was released


GandCrab 5.2 is the ransomware that appeared in the wild shortly after the decryptor for the previous version was released.
GandCrab 5.2 is the cryptovirus that was released quickly after security researchers presented a decryptor for all of its previous variants,[1] including one of the most prevalent ones, GandCrab 5.1. The virus has been one of the most prominent threats in the wild, infecting users via phishing emails, exploit kits, fake updates, and other distribution methods. GandCrab 5.2 employs a secure encryption algorithm to lock files and then demands a ransom for their return. Personal data marked with the .[random] file extension is accompanied by a ransom note, the [random]-DECRYPT.txt file, which is dropped into each affected folder. This version of the virus has changed only slightly, with minor differences in ransom size ($550 in Dash or BTC) and payment instructions via the Tor browser. Within a few days of its discovery, malware researchers reported more than ten samples uploaded by victims.[2] Even though the undecryptable GandCrab 5.2 is being actively distributed, researchers noticed that v5.1 is still being delivered with the help of the Fallout exploit kit (EK).

Name: GandCrab 5.2
Type: Cryptovirus
Family: GandCrab
Extension: Random 5-10 characters
Ransom size: $550 in Dash or BTC (might vary)
Ransom note: [random]-DECRYPT.txt
Distribution: Spam email attachments, exploit kits, brute-force attacks, etc.
Decryption: The decryption tool developed for previous versions does not work for GandCrab 5.2 ransomware
Elimination: We recommend performing GandCrab 5.2 ransomware removal using anti-malware software and then cleaning the virus damage with Reimage

If you recently discovered GandCrab 5.2 virus on the system, you should focus on malware elimination immediately because decryption is not possible for this most recent variant in the ransomware family dubbed GandCrab. 

It appears that GandCrab 5.2 developers were focusing on releasing the new version as soon as possible, so all the previously known features were kept in development of the V5.2 variant:

  • the file extension placed at the end of encrypted data is formed from 5-10 random characters;
  • the ransom message gets delivered after the encryption process and appears on the Desktop wallpaper;
  • the note reveals payment methods and is also named according to the file appendix;
  • [random]-DECRYPT.txt ransom note encourages victims to pay up using TOR browser links, so there are no contact emails.

[random]-DECRYPT.txt is the naming pattern of the ransom note that GandCrab 5.2 ransomware drops once the file-locking process completes; the note reads as follows:

—= GANDCRAB V5.2 =—

UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension:

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

—————————————————————————————–

| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/ b6314679c4ba3647/
| 4. Follow the instructions on this page

—————————————————————————————–

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

—BEGIN GANDCRAB KEY—

—END GANDCRAB KEY—

—BEGIN PC DATA—

—END PC DATA—
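The note above, the per-victim random extension and the fact that the note is named after that extension are the indicators a responder has to work with on an infected machine. The script below is an added example, not code from the page or from any vendor tool: it walks a directory tree, locates every `<EXT>-DECRYPT.txt` note, derives the extension from the note name, lists the files that carry it, and extracts the KEY and PC DATA blocks the note tells victims not to alter, so they can be preserved in the incident record. The directory layout and the `.kqzhw` extension it creates for the demonstration are constructed, not taken from a real sample; nothing on disk is modified or deleted.

```python
"""Triage helper for a GandCrab 5.2-style infection.

Added example, not code from the page or from any vendor tool.  It walks a
directory tree, finds ransom notes named <EXT>-DECRYPT.txt, takes the random
extension from the note name, lists the files carrying that extension and
pulls the KEY / PC DATA blocks out of the note for the incident record.
Nothing on disk is modified or deleted.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict

# Note name pattern from the page: 5-10 random characters + "-DECRYPT.txt".
NOTE_RE = re.compile(r"^([A-Za-z0-9]{5,10})-DECRYPT\.txt$", re.IGNORECASE)
# The two blocks the note tells the victim not to alter.  Real notes delimit
# them with runs of dashes; text extraction sometimes turns those into em-dashes.
BLOCK_RE = re.compile(
    r"[-—]+BEGIN (GANDCRAB KEY|PC DATA)[-—]+\s*(.*?)\s*[-—]+END \1[-—]+", re.S
)


def parse_note(text: str) -> Dict[str, str]:
    """Return the KEY / PC DATA blocks embedded in a ransom note ({} if absent)."""
    return {name: body for name, body in BLOCK_RE.findall(text)}


def triage(root: str) -> Dict[str, dict]:
    """Map each extension named by a ransom note to its notes, encrypted files and blocks."""
    found: Dict[str, dict] = {}
    # Pass 1: locate ransom notes; the note name tells us the victim's extension.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if not m:
                continue
            ext = m.group(1).upper()
            entry = found.setdefault(ext, {"notes": [], "encrypted": [], "blocks": {}})
            note_path = Path(dirpath) / name
            entry["notes"].append(str(note_path))
            if not entry["blocks"]:
                entry["blocks"] = parse_note(note_path.read_text(errors="replace"))
    # Pass 2: any file whose final suffix equals a discovered extension is encrypted.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffix = Path(name).suffix.lstrip(".").upper()
            if suffix in found and not NOTE_RE.match(name):
                found[suffix]["encrypted"].append(str(Path(dirpath) / name))
    return found


def build_sample_tree(base: str) -> None:
    """Create a constructed tree imitating the layout left behind after encryption."""
    ext = "kqzhw"  # constructed 5-character extension, not taken from a real sample
    note = (
        "---= GANDCRAB V5.2 =---\n"
        f"All your files ... have the extension: .{ext}\n"
        "---BEGIN GANDCRAB KEY---\nCONSTRUCTED_KEY_BLOB\n---END GANDCRAB KEY---\n"
        "---BEGIN PC DATA---\nCONSTRUCTED_PC_DATA\n---END PC DATA---\n"
    )
    for sub in ("Documents", "Documents/Invoices", "Pictures"):
        folder = Path(base) / sub
        folder.mkdir(parents=True, exist_ok=True)
        (folder / f"{ext.upper()}-DECRYPT.txt").write_text(note)  # one note per folder
    (Path(base) / "Documents" / f"report.docx.{ext}").write_bytes(b"\x00" * 16)
    (Path(base) / "Documents" / "Invoices" / f"inv-001.pdf.{ext}").write_bytes(b"\x00" * 16)
    (Path(base) / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file


def demo() -> Dict[str, dict]:
    """Run the triage over the constructed tree and return its result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for ext, info in demo().items():
        print(f".{ext.lower()}: {len(info['encrypted'])} encrypted file(s), "
              f"{len(info['notes'])} note(s), blocks: {sorted(info['blocks'])}")
```

Run it against a mounted image or a copied folder rather than the live disk of the infected machine; the file list tells you the blast radius, and the KEY / PC DATA blocks are what a future decryptor for this variant would need, which is why the note says not to delete them.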

GandCrab V5.2 developers are known for their notorious cryptovirus family. This is the newest release, discovered by Tamas Boczan, a malware researcher who reported it on Twitter and shared ten malware samples together with his analysis.[3]

Experts[4] recommend using automatic GandCrab 5.2 removal tools and suggest Reimage for the job, although other tools such as Malwarebytes or Combo Cleaner can be used as well. This variant of malware is detected under various names, including TR/AD.GandCrab.tvnwv, Win32:Malware-gen, RDN/Generic.grp, Trojan:Win32/Dynamer!rfn, Ransom.GandCrab, etc.

According to the text file, you should open the Tor browser and launch the payment website. Once there, you are shown a page containing instructions and the ransom size. Like previous members of this family, GandCrab 5.2 ransomware demands payment in DASH or Bitcoin cryptocurrency. However, the amount may differ according to the number of encrypted files, the victim's location, and other factors. The demanded payment can reach $2,400, although some users reported that this version asks for $550.

Although GandCrab 5.2 developers promise to decrypt one file for free and even guarantee full data decryption after payment, these people are cybercriminals and cannot be trusted regardless. The main focus of the virus developers is your money.

Make sure that you remove GandCrab 5.2 instead of paying the ransom or contacting these criminals; doing so is not advisable, especially since these cybercriminals have been known for their malicious behavior for a while. Your concern about the encrypted data is understandable, but you need to focus on terminating the malware first and then restoring data from file backups or with data recovery software.

Spam email attachments hide infected files that execute ransomware payload

While browsing the internet, reputable anti-malware software will alert you when you encounter phishing or malware-laden sites. With spam email, however, you cannot be sure that a message is safe without checking it manually. You can scan an attached file before opening the document on the system and make sure that its purpose is not malicious.

Unfortunately, if you skip that check, you can easily get infected from a PDF or Word attachment that you download and open on your device. These emails often carry the names of well-known services or companies to make the lure more convincing. Once the malicious script inside the attachment is triggered, it delivers the ransomware payload, or other malicious programs, to your system without any interruption.
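The "check it before you open it" advice above can be made concrete. The script below is an added example, not code from the page or from any vendor product: it inspects an attachment's bytes before the file is opened and flags the three things a mail lure typically relies on, a document name that hides an executable extension (`invoice.pdf.exe`), an Office file that carries a VBA macro project (`vbaProject.bin` inside the OOXML zip), and content whose magic bytes disagree with the file name. The extension lists and the sample attachments are constructed for the demonstration; they are not indicators from the page.

```python
"""Pre-open check for an e-mail attachment (added example, not from the page).

Flags the usual lure tricks: an executable hiding behind a document
extension, an Office document carrying a VBA macro project, and a file whose
content type (magic bytes) does not match its name.  Nothing is executed.
"""
import io
import zipfile
from pathlib import Path
from typing import Dict, List

# Extension lists are constructed for this example, not taken from the page.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".wsf",
            ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf", ".txt"}
# Leading bytes of the container formats we care about.
MAGIC = {b"%PDF": ".pdf", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole", b"MZ": ".exe"}


def inspect_attachment(name: str, data: bytes) -> List[str]:
    """Return a list of findings for one attachment; an empty list means nothing flagged."""
    findings: List[str] = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""

    # 1. Executable extension, possibly hidden behind a document extension.
    if last in EXEC_EXT:
        findings.append(f"executable extension {last}")
        if len(suffixes) > 1 and suffixes[-2] in DOC_EXT:
            findings.append(f"document extension {suffixes[-2]} hides {last}")

    # 2. Content type versus claimed type.
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind == ".exe" and last != ".exe":
        findings.append("content is a Windows executable (MZ header) but the name says otherwise")
    if last == ".pdf" and kind != ".pdf":
        findings.append("named .pdf but content is not a PDF")

    # 3. Macro project inside an OOXML (zip-based) Office document.
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.endswith("vbaProject.bin") for n in z.namelist()):
                    findings.append("Office document contains a VBA macro project (vbaProject.bin)")
        except zipfile.BadZipFile:
            findings.append("zip container is malformed")
    return findings


def _ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container, optionally with a macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-macro-project")
    return buf.getvalue()


def build_samples() -> Dict[str, bytes]:
    """Constructed attachments: two lures and two benign files."""
    return {
        "Invoice_2019.pdf.exe": b"MZ\x90\x00" + b"\x00" * 32,   # PE header, double extension
        "Shipping_Notice.docm": _ooxml(with_macro=True),       # macro-enabled document
        "Quarterly_Report.docx": _ooxml(with_macro=False),     # plain document
        "Statement.pdf": b"%PDF-1.7\n%constructed\n",          # genuine-looking PDF
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        hits = inspect_attachment(fname, blob)
        print(f"{fname}: {'; '.join(hits) if hits else 'nothing flagged'}")
```

A clean result does not prove an attachment is safe (a PDF with an embedded script or a macro in the legacy binary .doc format would pass), so this belongs in front of, not instead of, the anti-malware scan the page recommends.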

Clear the system from GandCrab 5.2 without waiting for more losses on the system

You need to proceed with GandCrab 5.2 removal as soon as you notice the activity of this virus or any other suspicious behavior. It can be done easily if you use professional anti-malware programs. These automatic tools can perform a full system scan and indicate possibly malicious programs immediately.

While GandCrab 5.2 ransomware cannot be decrypted currently, its detection rate is quite high, so make sure you download a powerful AV engine to terminate the infection.

After the thorough system scan, Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware will suggest methods to remove GandCrab 5.2 and clean the PC. Follow those steps and terminate the virus together with the damage it caused. Repeat the scan with another similar program and double-check before connecting an external device holding backups or installing data recovery software.

GandCrab 5.2 ransomware is the most recent version in the GandCrab family, and no official decryption tools have been developed for this particular variant. However, previously discovered variants have similar functionality, so check the articles about older versions' removal.


To remove GandCrab 5.2 virus, follow these steps:

Remove GandCrab 5.2 using Safe Mode with Networking

Make sure to remove GandCrab 5.2 ransomware using reputable antivirus tools, and try rebooting the device into Safe Mode with Networking before doing so. This step allows the anti-malware program to work without interruption.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove GandCrab 5.2

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete GandCrab 5.2 removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove GandCrab 5.2 using System Restore

Try the System Restore feature, as this method allows restoring a previous state of your device.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the infiltration of GandCrab 5.2. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that GandCrab 5.2 removal was performed successfully.

Bonus: Recover your data

The guide presented above should help you remove GandCrab 5.2 from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by GandCrab 5.2, you can use several methods to restore them:

Data Recovery Pro is file-restoring software that can stand in for file backups

Use Data Recovery Pro when you need an alternative to data backups, or when your files were accidentally deleted or encrypted

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab 5.2 ransomware;
  • Restore them.

The Windows Previous Versions feature is helpful for file recovery after a GandCrab 5.2 attack

When System Restore is enabled, you can use the Windows Previous Versions feature

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file under “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer is another method for data recovery

When the ransomware has not affected Shadow Volume Copies, you can restore data using ShadowExplorer

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
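Both the Previous Versions steps and the ShadowExplorer steps above depend on Volume Shadow Copies still existing, and many ransomware families delete them before or after encrypting. A quick way to find out before spending time in either tool is to list the copies from an elevated prompt. The script below is an added example, not code from the page or from the ShadowExplorer project: on Windows it runs `vssadmin list shadows` and parses the result into one record per copy; on any other system it parses an embedded sample. That sample is constructed in the shape vssadmin prints (the `Shadow Copy ID:` and `Original Volume:` lines); the exact layout is an assumption, and only those two field names are relied on.

```python
"""Check whether Volume Shadow Copies survived (added example, not from the page).

Parses the text printed by `vssadmin list shadows` into one record per shadow
copy.  The embedded SAMPLE_OUTPUT is constructed in the shape vssadmin prints
so the script also runs where vssadmin does not exist.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

SHADOW_ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9A-Fa-f-]+\})")
VOLUME_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
CREATED_RE = re.compile(r"at creation time:\s*(.+)$")

# Constructed sample in the shape of `vssadmin list shadows` output (assumption).
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 2/20/2019 8:03:11 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""


def parse_shadow_list(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict (id, created, volume) per shadow copy found in the text."""
    copies: List[Dict[str, Optional[str]]] = []
    created: Optional[str] = None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:                      # creation time precedes the copies of a set
            created = m.group(1).strip()
        m = SHADOW_ID_RE.search(line)
        if m:
            copies.append({"id": m.group(1), "created": created, "volume": None})
        m = VOLUME_RE.search(line)
        if m and copies:           # volume line belongs to the most recent copy
            copies[-1]["volume"] = m.group(1)
    return copies


def shadow_copies_present(text: str) -> bool:
    """True if at least one shadow copy is listed; False for an empty or error listing."""
    return bool(parse_shadow_list(text))


def get_listing() -> str:
    """Run vssadmin on Windows (needs an elevated prompt); elsewhere use the sample."""
    if sys.platform == "win32":
        proc = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True)
        return proc.stdout + proc.stderr   # an access-denied message yields no copies
    return SAMPLE_OUTPUT


if __name__ == "__main__":
    listing = get_listing()
    copies = parse_shadow_list(listing)
    if not copies:
        print("No shadow copies listed; Previous Versions / ShadowExplorer will have nothing to offer.")
    for c in copies:
        print(f"{c['volume']} copy {c['id']} created {c['created']}")
```

If the listing is empty, the Previous Versions tab will show nothing and ShadowExplorer will have no snapshots to export from, so go straight to the backup or data-recovery-software route instead.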

GandCrab 5.2 decryptor hasn't been developed

Finally, you should always think about protection against crypto-ransomware. To protect your computer from GandCrab 5.2 and other ransomware, use a reputable anti-spyware program, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Linas Kiguolis - Expert in social media
