GandCrab 5.2 virus Removal Guide
What is GandCrab 5.2 ransomware?
GandCrab 5.2 ransomware – a decryptable malware variant
A ransom note explains to users that they need to pay $500 in order to restore the locked data
GandCrab 5.2 is a cryptovirus that was released soon after security researchers presented a decryptor for all of its previous variants, including one of the most prevalent ones, 5.1. The virus has been one of the most prominent threats in the wild, infecting users via phishing emails, exploit kits, fake updates, and other distribution methods.
The virus employs a secure encryption algorithm to lock files and then demands a ransom in return. Personal data marked with the .[random] file extension is accompanied by a ransom note, the [random]-DECRYPT.txt file, which is dropped into each of the affected folders. This version of the virus appears to have changed only slightly, with minor differences in ransom size ($550 in Dash or BTC) and payment instructions via the Tor browser.
| Attribute | Details |
|---|---|
| Extension | Random 5-10 characters |
| Ransom size | $550 in Dash or BTC (might vary) |
| Distribution | Spam email attachments, exploit kits, brute-force attacks, etc. |
| Decryption | Decryption tool is available for this virus version |
| Elimination & system fix | We recommend performing ransomware removal using anti-malware software and then cleaning the virus damage with ReimageIntego |
Within a few days of GandCrab 5.2's discovery, malware researchers reported more than ten samples uploaded by victims. Despite the newest strain being actively distributed, researchers noticed that V5.1 is still being delivered with the help of the Fallout EK. For a long time, there was no decryption tool for the 5.2 version; however, Bitdefender has finally released a decrypter for this version as well.
It appears that the ransomware developers were focused on releasing the new version as soon as possible, so all the previously known features were kept in the V5.2 variant:
- the file extension placed at the end of encrypted data is formed from 5-10 random characters;
- the ransom message gets delivered after the encryption process and appears on the Desktop wallpaper;
- the note reveals payment methods and is also named according to the file appendix;
- [random]-DECRYPT.txt ransom note encourages victims to pay up using TOR browser links, so there are no contact emails.
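As an added example (not part of the original article, and not a tool from any of the researchers or vendors named on this page), the Python script below shows how an incident responder can turn the two naming conventions just listed into a quick footprint measurement on a file share: it learns the random extension from the `<EXT>-DECRYPT.txt` note file names and then counts, per folder, the files that carry that extension. The `.lbyhmk` extension and the folder layout in `build_sample_tree` are constructed sample data, not values taken from a real infection.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict

# GandCrab 5.2 appends a random 5-10 character extension to each encrypted file
# and drops a note named "<EXT>-DECRYPT.txt" into every affected folder, so the
# note's own file name tells us which extension to look for.
NOTE_RE = re.compile(r"^([A-Za-z0-9]{5,10})-DECRYPT\.txt$", re.IGNORECASE)


def find_ransom_notes(root):
    """Map each extension learned from a ransom note to the note paths found."""
    notes = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes[m.group(1).lower()].append(os.path.join(dirpath, name))
    return dict(notes)


def count_encrypted_files(root, extensions):
    """Count files per folder whose trailing extension matches a learned one."""
    per_folder = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in extensions:
                per_folder[dirpath] += 1
    return per_folder


def triage(root):
    """Summarise the encryption footprint under root for an incident report."""
    notes = find_ransom_notes(root)
    counts = count_encrypted_files(root, set(notes))
    return {
        "extensions": sorted(notes),
        "notes": sum(len(paths) for paths in notes.values()),
        "encrypted_files": sum(counts.values()),
        "folders_hit": len(counts),
    }


def build_sample_tree(base):
    """Constructed sample: a small share hit by a hypothetical '.lbyhmk' variant."""
    layout = {
        "Documents": ["report.docx.lbyhmk", "budget.xlsx.lbyhmk",
                      "LBYHMK-DECRYPT.txt", "readme.txt"],
        "Pictures": ["holiday.jpg.lbyhmk", "LBYHMK-DECRYPT.txt"],
        "Music": ["track.mp3"],  # untouched folder, no note dropped
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(base, folder, name), "wb") as fh:
                fh.write(b"placeholder content")
    return base


def demo():
    """Build the constructed tree in a fresh temp directory and triage it."""
    return triage(build_sample_tree(tempfile.mkdtemp(prefix="gc52-")))


if __name__ == "__main__":
    print(demo())
```

Run against the root of an affected share, `triage` returns the learned extension(s), the number of notes, the number of encrypted files and how many folders were touched, which is enough to scope the incident before any recovery attempt. Because the extension is derived from the notes rather than hard-coded, the same script works for any sample of this family.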
[random]-DECRYPT.txt is the naming pattern of the ransom note that the ransomware delivers after a successful file-locking process; it reads as follows:
—= GANDCRAB V5.2 =—
UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS
All your files, documents, photos, databases and other important files are encrypted and have the extension:
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/ b6314679c4ba3647/
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
—BEGIN GANDCRAB KEY—
—END GANDCRAB KEY—
—BEGIN PC DATA—
—END PC DATA—
GandCrab 5.2 ransomware is the most recent version in the notorious GandCrab family and has all the features of the previous versions.
The newest 5.2 release was discovered by Tamas Boczan, a malware researcher who reported it on Twitter and included ten malware samples along with his analysis.
Experts recommend using automatic malware removal tools and employing ReimageIntego for the job, although other tools like SpyHunter 5 or Combo Cleaner can be used as well. This variant of malware is detected under various names, including:
- Ransom.GandCrab, etc.
According to the text file, you should open the payment website in the Tor browser. When this is done, you will see a browser window containing instructions and the ransom size. Like previous members of this family, the 5.2 version demands payment in DASH or Bitcoin cryptocurrency.
5.2 version of the notorious virus can be decrypted with the help of Bitdefender decryptor
However, the amount may differ according to the number of encrypted files, the victim's location, and other factors. The demanded payment can reach $2,400, although some users reported that this version asks for $550. Although the attackers promise free decryption of one file and even guarantee full data decryption later on, they are cybercriminals and cannot be trusted regardless. The main focus of the virus developers is your money.
Make sure that you remove GandCrab 5.2 instead of paying the ransom or contacting these criminals; doing so is not advisable, especially since these cybercriminals have been known for their malicious behavior for a while. Your concern about the encrypted data is understandable, but you need to focus on malware termination first, as locked files can only be restored after the cyber threat has been removed from the infected Windows system.
Spam email attachments hide infected files that execute ransomware payload
While browsing the internet, you will get alerts when you encounter phishing or malware-laden sites if you have reputable anti-malware software employed. However, when it comes to spam email, you cannot be sure that a message is safe without checking it manually. It is possible to scan the attached file before opening the document on the system and make sure that its purpose is not malicious.
Unfortunately, when you do not do so, you can easily get a malware infection from a PDF or Word attachment by downloading and opening the file on your device without checking it. These emails often include the names of well-known services or companies to make them more convincing. When the malicious script gets triggered, the ransomware payload or other malicious programs land on your system without any interruption.
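The paragraphs above recommend checking an attachment before opening it. As an added example (not code from the original article or from any vendor named on this page), the Python function below performs the kind of offline pre-check a mail gateway or an analyst can run on the raw bytes of a PDF or Office attachment: it identifies the real container from its magic bytes, flags a VBA macro project inside an Office package, flags JavaScript or Launch actions in a PDF, and reports when the file extension promises one format but the content is another. The `build_ooxml` helper produces a constructed minimal package for demonstration only; it is not a real Word document. The heuristics are deliberately coarse and complement, rather than replace, a full anti-malware scan.

```python
import io
import zipfile

# Magic numbers for the containers an email attachment typically claims to be.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc / .xls binary format
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / .xlsx / .pptx are zip files
PDF_MAGIC = b"%PDF-"

# Where Office stores a VBA macro project inside an OOXML package.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Which container each common attachment extension should have.
EXPECTED_CONTAINER = {
    "pdf": "pdf",
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "ooxml", "docm": "ooxml", "xlsx": "ooxml", "xlsm": "ooxml",
    "pptx": "ooxml", "pptm": "ooxml",
}
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def inspect_attachment(filename, data):
    """Classify attachment bytes before anyone opens them.

    Returns {"container": ..., "findings": [...], "suspicious": bool}.
    The checks are coarse string and structure heuristics: they catch the
    common macro / PDF-action tricks and extension spoofing, not every
    possible malicious document.
    """
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if data.startswith(PDF_MAGIC):
        container = "pdf"
        if b"/JavaScript" in data or b"/JS" in data:
            findings.append("PDF contains a JavaScript action")
        if b"/Launch" in data:
            findings.append("PDF contains a Launch action")
    elif data.startswith(OLE2_MAGIC):
        container = "ole2"
        findings.append("legacy binary Office format that may carry VBA macros")
    elif data.startswith(ZIP_MAGIC):
        container = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            names = set()
            findings.append("zip container is corrupt or truncated")
        if "[Content_Types].xml" in names:
            container = "ooxml"
            macros = [part for part in VBA_PARTS if part in names]
            if macros:
                findings.append("VBA macro project present: " + ", ".join(macros))
                if ext in MACRO_FREE_EXTENSIONS:
                    findings.append(f".{ext} should not contain macros")
    else:
        container = "unknown"

    expected = EXPECTED_CONTAINER.get(ext)
    if expected and expected != container:
        findings.append(f"extension .{ext} does not match content ({container})")

    return {"container": container, "findings": findings, "suspicious": bool(findings)}


def build_ooxml(with_macro):
    """Constructed minimal OOXML package (not a real Word file) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, including an Office package renamed to .pdf.
    samples = {
        "invoice.docx": build_ooxml(with_macro=False),
        "invoice.docm": build_ooxml(with_macro=True),
        "scan.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
        "statement.pdf": build_ooxml(with_macro=False),
    }
    for name, blob in samples.items():
        print(name, inspect_attachment(name, blob))
```

A clean `.docx` produces no findings, a `.docm` is reported for its macro project, and a renamed Office package is caught by the extension/content mismatch even though nothing inside it is malicious. Anything flagged should be opened only in an isolated environment, if at all, after a proper anti-malware scan.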
Clear the system from GandCrab 5.2
You need to start ransomware removal as soon as you notice the activity of this virus or any other suspicious behavior. It can be done easily if you use professional anti-malware programs. These automatic tools can perform a full system scan and indicate possibly malicious programs immediately.
Security software can easily stop even the newest versions of the virus
After the thorough system scan, ReimageIntego, SpyHunter 5, Combo Cleaner or Malwarebytes suggests methods to remove the virus and clean the PC. You should follow those steps and terminate the virus, including the virus damage. Repeat the scan with another similar program and double-check before connecting an external device with backups or installing data recovery software.
5.2 is the most recent version in this particular family, and for a long time there was no official decryption tool, until now. Check the data recovery methods provided at the end of this article, where you will also find Bitdefender's decrypter, which was released not so long ago.
Getting rid of GandCrab 5.2 virus. Follow these steps
Manual removal using Safe Mode
Make sure to remove ransomware using reputable antivirus tools, and try rebooting the device in Safe Mode with Networking before doing so. This step allows the anti-malware program to work without interruption.
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to perform correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
  - Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove GandCrab 5.2 using System Restore
Try the System Restore feature, as this method allows restoring the previous state of your device
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of GandCrab 5.2. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove GandCrab 5.2 from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by GandCrab 5.2, you can use several methods to restore them:
Data Recovery Pro is a type of file-restoring software that can stand in for file backups
Use Data Recovery Pro when you need an alternative to data backups, or when your files got accidentally deleted or encrypted
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by GandCrab 5.2 ransomware;
- Restore them.
Windows previous Versions feature is helpful for file recovery after a ransomware attack
When System Restore is enabled, you can use the Windows Previous Versions feature
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.
ShadowExplorer is a method for data recovery
When the ransomware has not affected the Shadow Volume Copies, you can restore data using ShadowExplorer
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk containing your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Use a decryption tool
GandCrab 5.2 decryptor can be found here.
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from GandCrab 5.2 and other ransomware, use a reputable anti-spyware program such as ReimageIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent getting ransomware
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and assign it to your device, you can connect to the CMS from any location without creating additional issues for the server or network manager who needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control your online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted for various reasons, malware is one of the main culprits that can cause the loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is a type of malware that focuses on such functions, so your files become useless without the ability to access them.
Even though there is little to no possibility of recovery after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after a data-locking virus infection or a general cyber infection.