Severity scale:  

GandCrab ransomware. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware

GandCrab ransomware – crypto-virus which has been spreading with the help of Magnitude Exploit Kit

The image of GandCrab ransomware

Questions about GandCrab ransomware

GandCrab is one of the most famous ransomware-virus[1] of 2018 which has already affected more than 50,000 PCs and earned more than $600,000 for its developers. Discovered in January, it is still receiving new updates and keeps updating its distribution techniques. Initially distributed via various social engineering campaigns and malspam, at the moment it relies on Magnitude Exploit Kit (EK) which has already been used for the distribution of Magniber ransomware. Additionally, after using .gdcb file extension to mark encrypted files, GandCrab is now appending .crab file extension. 

Name GandCrab
Type of malware Ransomware
Discovered January 30, 2018
Systems affected Windows
Extension added to infected files .gdcb, .crab
Ransom note GDCB-DECRYPT.txt
Amount of ransom 1.54 DASH ($ 1126)
Decryptable Yes
Versions GandCrab v2

After two months of reign, ransomware seemed to be defeated when the team of Romanian police, Bitdefender and Europol revealed a flaw in the ransomware code and finally hacked cybercriminals. As a result, Bitdefender created a free GandCrab decryptor which is available in the NoMoreRansom.[2]

GandCrab decryptor

However, it seems that it is not going to stop hackers who are hiding behind this virus. The second version of GandCrab virus is still circulating via spam campaigns and demanding the victims to pay the 1.54 DASH in exchange for the decryption key. While victims can decrypt files encrypted by the original version, crooks released an improved version dubbed as GandCrab v2. They managed to patch the critical encryption flaw, so a free decryptor doesn't work for this version. At the moment, it appends .CRAB file extension and is often dubbed as .CRAB file extension virus.  

Ransomware has also been distributed as a Ransomware-as-aService (Raas) on the Russian black web. According to the Check Point, hackers have already collected more than 600,000 USD ransom due to innovative GandCrab Affiliate Program. Ransomware developers have also been paying the participants from 60% to 70% of ransomware revenue in exchange of 24/7 tech support. According to researchers, this crypto-malware has almost 100 active affiliates. 80 of these participants have successfully dispersed 700 different samples of the malware. More than 70% of infected PCs are located in UK and US, so it's apparently dedicated to English-speaking PC users. 

In the middle of April 2018, ransomware researchers reported that Magnitude EK has switched to GandCrab ransomware distribution. Used to spread Magniber ransomware to netizens located in South Korea, the current tandem has already been seen in Scandinavia countries. If you have even the slightest suspicion that you can be infected, make sure you remove GandCrab ransomware with Reimage.

GandCrab virus appening .crab file extension

The Exploit kit renders a fileless technique used to execute ransomware payload which is encoded using VBScript.Encode/JScript.Encode scrip and injected into a memory. When the payload is being executed, the ransomware roots into explorer.exe file and forces PC's reboot. After that, it enables the encryptor and locks files with .CRAB file extension. It seems that the Magnitude EK is mainly used to spread GandCrab 2 version which is not decryptable yet. 

GandCrab can also be distributed via malvertising[3] campaign known as Seamless. With its help, victims are lead to RIG exploit kit. Such software is designed to detect system vulnerabilities and exploit them in order to infect the targeted system with a file-encrypting virus or another dangerous computer virus.

As specified by cyber security experts,[4] GandCrab is currently spreading via spam email messages with the subject of Receipt Feb-21310 [random numbers]. The name of the sender may vary, but the second part of the email address is always The spam message used by ransomware contains a PDF attachment and “DOC attached” as the message body.

GandCrab spreads via fake Hoefler text font updates

GandCrab relies on a .doc file which is downloaded to the system once the victim clicks on the malicious attachment. The .doc file subsequently runs a PowerShell script and creates an exploit file (sct5.txt), which currently affects 64-bit system. As pointed out by various crypto-malware researchers, the sct5.txt file does not run the ultimate payload of the GandCrab virus, but executes an exploit and runs as a medium for malware to get inside.

Following the infiltration, GandCrab starts encrypting the most valuable data stored on the system. Afterwards, users are no longer able to access their files and are informed about the ransomware attack in the ransom-demanding message in GDCB-DECRYPT.txt file:


All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser –
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

Do not try to modify files or use your own private key – this will result in the loss of your data forever!

Once the victim follows the steps provided in the ransom note, he/she will be led to the website called GandCrab decryptor. People will be presented with the amount of the ransom (approximately $1200), a support chat, the DASH address and a possibility to upload one file for free decryption. 

It is worth mentioning that GandCrab ransomware identifies a specific time period which should be obeyed to make the transaction or the amount of the payment will double. However, this is merely an attempt to intimidate the victims and force to pay the ransom without clearly evaluating other possibilities. 

Therefore, we strongly advise you not to follow the rules of the criminals since there are alternative ways how you can get back the access to your files or use the decryptor developed by the experts. For that, you must remove GandCrab first. Experts from[5] have already warned affected users that this is a highly dangerous computer virus and should be eliminated with the help of the professional or using a robust antivirus.

Our top pick for GandCrab removal would be Reimage or Malwarebytes Anti Malware. Although, it is possible to use another anti-malware software to terminate this file-encrypting virus. You can find detailed instructions on how to start the elimination procedure at the end of this article.

Additionally, do NOT try to get rid of GandCrab virus by yourself. Such complex ransomware-type infections are designed to hide their presence and disguise as legitimate computer processes. Terminating crucial system files might lead to permanent computer damage and re-appearance of the crypto-malware. Thus, we recommend using the elimination guide below.

The list of GandCrab ransomware versions

.GDCB file extension virusThis version of the GandCrab virus has been detected a couple of weeks after the release of the original version. Just like its predecessor, it spreads via infected spam email attachments and runs a payload once the attachment is opened. 

It targets the most popular files, including but not limited to .doc, .txt, .jpg, .png, .audio, .video, etc. and appends .GDCB file extension to each of them. It creates a GDCB-DECRYPT.txt file on the victim's desktop, which urges to download Tor browser and transmit 1.54 DASH ransom. The amount of the ransom increases if the victim is late to pay it. 

GandCrab2. The second ransomware's version is currently not decryptable. Before releasing this new variant, crooks patched the severe encryption flaw that has been detected by cybersecurity experts in the beginning of March. 

GandCrab2 is distributed via Seamless malvertising campaign leading victims to RIG exploit kit. However, unlike its predecessor, it can also reach its victims via HoeflerText Font Update scam. 

It locks data with .CRAB file extension and prepares a CRAB-DECRYPT.txt ransom note. The crooks require to pay 500 USD in Dash coins via Tor browser in exchange of private decryption key. Although initially experts considered this version to be a clone of the ancestor, it seems that it has been improved to evade decryption by a free decryptor. 

GandCrab2 variant. An example of a ransom note

Experts offer a free GandCrab decryptor

IT professionals from the famous project have finally generated GandCrab decryptor. It is available to download for everyone who wants to recover files with .GDCB file extension. You can find it at the end of this article.

Although, the experts note that in order to use the decryption tool, one must get rid of GandCrab first. Otherwise, the ransomware will continue to encrypt data on the victimized computer over and over again. 

They recommend using professional security tools to uninstall ransomware from the system. We strongly advise you use ones which are provided at the end of this article. If you are unable to regain access to the compromised information with the official GandCrab decryptor, there are alternative methods which might help.

For example, nevertheless, virus is designed to delete Shadow Volume Copies; it might fail. In this case, you can use ShadowExplorer or similar third-party tools that can help to recover at least some of the files.

Additionally, you can fully recover files without paying the ransom by using backups. If you do not have them, you should check our prepared alternative data recovery methods at the end of the article and try the decryptor as well.

The cyber threat uses exploit kits to enter the system

Exploits kits are designed to detect vulnerabilities on the targeted system and help the malicious program exploit them in order to infiltrate the computer. This particular ransomware is distributed by both, Rig exploit kit, GrandSoft exploit kit,[6] and Magnitude exploit kit.[7] This sophisticated software do not need the permission of the user to install the malware on the system. 

GandCrab installed via Magnitude EK

Additionally, it is worth knowing that exploit kits are not the only way how ransomware is distributed. Criminals might take advantage of credulous people and use deceptive spam emails with malicious attachments. Usually, letters disguise as shopping receipts, invoices or similar documents from well-known brands and companies. Likewise, naive users open the infected attachments and let the cyber threat in.

As we have pointed out in the previous paragraph, the developer of this ransomware is actively spreading spam email. The subject of the message is always the same Receipt Feb-21310 [ random numbered], except that the name of the sender may slightly differ. Nevertheless, the suffix of the sender's email is This spam email does not have much information, except points out that “DOC attached.”

Therefore, we suggest you be extremely cautious when browsing on the Internet or monitoring your emails. It is essential to pay close attention when opening letters — you can identify a malicious email by minor spelling mistakes or urges to open the attachment “for further details.” Please do not open attachments of suspicious emails, especially if you see JS, .EXE, .COM, .PIF, .SCR, .HTA, .vbs, .wsf, .jse, .jar, and other doubtful file extensions. Also, avoid visiting suspicious websites since they might be managed by cybercriminals and used to distribute high-risk computer infections.

Learn how to safely uninstall GandCrab virus and get back your data

If you want to remove GandCrab ransomware and proceed to the data recovery, the only way to do that is with the help of a security software. Note that you must do it quickly in order to avoid further damage to your computer. Later, you will be able to use the new decrypted to get back the files encrypted by the ransomware.

To fix the system, download a professional security software as soon as you notice encrypted files on your computer. We recommend using Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus, or Malwarebytes Anti Malware for GandCrab removal which have been used while testing the virus. After installing one of these apps, run a full system scan and let it terminate this file-encrypting virus. Unfortunately, these programs have nothing to do with the decryption of encrypted files. 

Note that you might not be able to install the malware removal tool at first. For that, you must reboot your computer into Safe Mode with Networking or rely on System Restore. You can find a step-by-step guide on how to do that and get rid of GandCrab at the end of this article. Additionally, our experts have prepared alternative recovery methods to help you recover your encrypted files. 

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove GandCrab ransomware you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall GandCrab ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual GandCrab virus Removal Guide:

Remove GandCrab using Safe Mode with Networking

Rebooting your computer to Safe Mode with Networking is the first step in ransomware elimination procedure.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove GandCrab

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete GandCrab removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove GandCrab using System Restore

To get rid of this ransomware with the help of System Restore, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that GandCrab removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove GandCrab from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by GandCrab, you can use several methods to restore them:

Data Recovery Pro can help you get back the compromised data

This is a great tool for data recovery since it does not require any additional functions enabled on the system. Note that is is also useful if you have lost your files due to system crash.

Windows Previous Versions Feature helps to recover encrypted files

You can travel back in time with Windows Previous Versions if you have System Restore function enabled before ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

GandCrab decryptor is available right now

Experts have designed a unique decryption software for GandCrab ransomware. You can get it here. In case it doesn't decrypt specific malware versions, feel free to try alternative recovery methods above.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions


Removal guides in other languages