
Remove GandCrab 5.2 ransomware (Bonus: Decryption Steps) - updated Sep 2020

Removal guide by Linas Kiguolis | Type: Ransomware

GandCrab 5.2 is the ransomware that came out quickly after Bitdefender's decryptor for previous versions was released

GandCrab 5.2 is a cryptovirus that was released shortly after security researchers presented a decryptor for all of its previous variants,[1] including one of the most prevalent, GandCrab 5.1. The virus has been one of the most prominent threats in the wild, infecting users through phishing emails, exploit kits, fake updates, and other distribution methods. GandCrab 5.2 employs a secure encryption algorithm to lock files and then demands a ransom for their return. Encrypted personal data is marked with a .[random] file extension, and a ransom note named [random]-DECRYPT.txt is dropped into each of the affected folders. This version of the virus appears to have changed only slightly, with minor differences in ransom size ($550 in Dash or BTC) and in the payment instructions delivered via the Tor browser.

Name: GandCrab 5.2
Type: Cryptovirus/ransomware
Family: GandCrab
Extension: Random 5-10 characters
Ransom size: $550 in Dash or BTC (might vary)
Ransom note: [random]-DECRYPT.txt
Distribution: Spam email attachments, exploit kits, brute-force attacks, etc.
Decryption: A decryption tool has already been developed for GandCrab 5.2 ransomware
Elimination: We recommend performing GandCrab 5.2 ransomware removal using anti-malware software and then cleaning the virus damage with Reimage or Intego

Within a few days of the discovery of GandCrab 5.2, malware researchers reported more than ten samples uploaded by victims.[2] Although the newest GandCrab strain is being actively distributed, researchers noticed that V5.1 is still being delivered with the help of the Fallout EK. For a long time there was no decryption tool for GandCrab 5.2; however, Bitdefender has finally released a decrypter for this version as well.

It appears that GandCrab 5.2 developers focused on releasing the new version as soon as possible, so all the previously known features were kept in the V5.2 variant:

  • the file extension placed at the end of encrypted data is formed from 5-10 random characters;
  • the ransom message gets delivered after the encryption process and appears on the Desktop wallpaper;
  • the note reveals payment methods and is also named according to the file appendix;
  • [random]-DECRYPT.txt ransom note encourages victims to pay up using TOR browser links, so there are no contact emails.

[random]-DECRYPT.txt is the naming pattern of the ransom note that GandCrab 5.2 ransomware drops after it finishes locking files. The note reads as follows:

—= GANDCRAB V5.2 =—



All your files, documents, photos, databases and other important files are encrypted and have the extension:

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:


| 0. Download Tor browser –

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/ b6314679c4ba3647/
| 4. Follow the instructions on this page


On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
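The naming pattern described above ([random]-DECRYPT.txt next to files carrying the matching 5-10 character extension) is enough to inventory which folders were hit before any cleanup or recovery starts. The following is an added example, not part of the original guide or of any vendor tool; the names scan_tree and build_sample, the sample ID KXWBVA and the case-insensitive match between note prefix and extension are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Note name per the guide: [random]-DECRYPT.txt, [random] being 5-10 characters.
NOTE_RE = re.compile(r"^([A-Za-z0-9]{5,10})-DECRYPT\.txt$", re.IGNORECASE)
BANNER = b"GANDCRAB V5.2"  # banner line of the note quoted in the guide


def scan_tree(root):
    """Map each folder holding a ransom note to its note IDs and locked files."""
    report = {}
    for note in Path(root).rglob("*"):
        m = NOTE_RE.match(note.name)
        if not m or not note.is_file():
            continue
        entry = report.setdefault(note.parent, {"ids": set(), "banner": False})
        entry["ids"].add(m.group(1).lower())
        with note.open("rb") as fh:
            # Drop NUL bytes so the check works for 8-bit and UTF-16 text alike.
            head = fh.read(4096).replace(b"\x00", b"").upper()
        entry["banner"] = entry["banner"] or BANNER in head
    for folder, entry in report.items():
        # Assumption: the appended extension equals the note prefix, ignoring case.
        entry["encrypted"] = sorted(
            p.name for p in folder.iterdir()
            if p.is_file() and p.suffix[1:].lower() in entry["ids"])
    return report


def build_sample(root):
    """Constructed sample tree (not real malware output) for an offline run."""
    docs, clean = Path(root, "docs"), Path(root, "clean")
    docs.mkdir()
    clean.mkdir()
    (docs / "KXWBVA-DECRYPT.txt").write_text("---= GANDCRAB V5.2 =---\n")
    for name in ("report.docx.kxwbva", "photo.jpg.kxwbva", "untouched.txt"):
        (docs / name).write_text("x")
    (clean / "notes.txt").write_text("x")
    return docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, entry in scan_tree(tmp).items():
            print(folder, sorted(entry["ids"]), entry["banner"], entry["encrypted"])
```

The per-folder list gives the scope that the recovery methods later in this guide need to cover.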






GandCrab 5.2 ransomware is the most recent version in the notorious GandCrab family and has all the features of the previous virus.

GandCrab V5.2 developers are known for their notorious cryptovirus family. This newest release was discovered by Tamas Boczan, a malware researcher who reported it on Twitter and included ten malware samples and his analysis.[3]

Experts[4] recommend using automatic GandCrab 5.2 removal tools and employing Reimage or Intego for the job, although other tools like SpyHunter 5 or Combo Cleaner can be used as well. This variant of malware is detected under various names, including TR/AD.GandCrab.tvnwv, Win32:Malware-gen, RDN/Generic.grp, Trojan:Win32/Dynamer!rfn, Ransom.GandCrab, etc.

According to the text file, you should open the TOR browser[5] and launch the payment website. When this is done, you will see a browser window containing instructions and the ransom size. Like previous members of this family, GandCrab 5.2 ransomware demands payment in DASH or Bitcoin cryptocurrency.

GandCrab 5.2 is a ransomware infection that has recently received an original decrypter from Bitdefender.

However, the amount may differ according to the number of encrypted files, victim origin, and other factors. The demanded payment can reach $2,400, although some users reported that this version asks for $550. Although GandCrab 5.2 developers promise free decryption of one file and even guarantee full data decryption later on, these people are cybercriminals and cannot be trusted regardless. The main focus of the virus developers is your money.

Make sure that you remove GandCrab 5.2 instead of paying the ransom or contacting these criminals; doing either is not advisable, especially since these cybercriminals have been known for their malicious behavior for a while. Your concern about the encrypted data is understandable, but you need to focus on terminating the malware first, as locked files can only be restored after the cyber threat is removed from the infected Windows computer system.

Spam email attachments hide infected files that execute ransomware payload

While browsing the internet, you will get alerts when you encounter phishing or malware-laden sites if you have reputable anti-malware software installed. However, when it comes to spam email, you cannot be sure that an email is safe without checking it manually. It is possible to scan the attached file before opening the document on the system and make sure that its purpose is not malicious.

Unfortunately, if you do not do so, you can easily get a malware infection from a PDF or Word attachment when you download and open the file on your device without checking it. These emails often include the names of well-known services or companies to make the trick more convincing. When the malicious script is triggered, the ransomware payload or other malicious programs get onto your system without any interruption.

Clear the system from GandCrab 5.2 without waiting for more losses on the system

You need to proceed with GandCrab 5.2 removal as soon as you notice the activity of this virus or any other suspicious behavior. It can be done easily if you use professional anti-malware programs. These automatic tools can perform a full system scan and indicate possibly malicious programs immediately.

After a thorough system scan, Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes suggests methods to remove GandCrab 5.2 and clean the PC. You should follow those steps and terminate the virus, including the virus damage. Repeat the scan with another similar program to double-check before connecting an external device with backups or installing data recovery software.

GandCrab 5.2 ransomware virus is the most recent version in the GandCrab family, and for a long time there was no official decryption tool for it. Check the data recovery methods provided at the end of this article, where you will also find Bitdefender's decrypter, which was released not long ago.


To remove GandCrab 5.2 virus, follow these steps:

Remove GandCrab 5.2 using Safe Mode with Networking

Make sure to remove GandCrab 5.2 ransomware using reputable antivirus tools, and try rebooting the device in Safe Mode with Networking before doing so. This step allows the anti-malware program to work without interruption.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove GandCrab 5.2

    Log in to your infected account and start the browser. Download Reimage, Intego or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete GandCrab 5.2 removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove GandCrab 5.2 using System Restore

Try the System Restore feature, as this method allows restoring the previous state of your device.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of GandCrab 5.2. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage or Intego, scan your computer with it, and make sure that GandCrab 5.2 removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove GandCrab 5.2 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by GandCrab 5.2, you can use several methods to restore them:

Data Recovery Pro is file-restoring software that can stand in for file backups

Use Data Recovery Pro when you need an alternative to data backups, or when your files were accidentally deleted or encrypted.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab 5.2 ransomware;
  • Restore them.

Windows Previous Versions feature is helpful for file recovery after a GandCrab 5.2 attack

If System Restore was enabled, you can use the Windows Previous Versions feature.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer is another method for data recovery

If the ransomware has not affected Shadow Volume Copies, you can restore data using ShadowExplorer.

  • Download Shadow Explorer;
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

GandCrab 5.2 decryptor can be found here.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from GandCrab 5.2 and other ransomware, use reputable anti-spyware, such as Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Back up files for later use in case of a malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have a previous version of every important document or project, you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
