Severity scale:  
  (99/100)

Remove GandCrab ransomware (Removal Guide) - updated Sep 2019

removal by Julie Splinters - - | Type: Ransomware

GandCrab is one of the most prolific ransomware viruses worldwide, but most of its versions can be decrypted now

GandCrab ransomware
GandCrab ransomware - notorious cryptovirus which has been spreading since the beginning of 2018

Questions about GandCrab ransomware

GandCrab ransomware is an infamous family of cryptoviruses that was first introduced in early 2018. Within a year, it has earned a name as one of the most destructive cyber infections in the world. The family consists of numerous variants, such as GDCB, KRABCRAB virus, GandCrab 2, GandCrab 3, GandCrab 4, and GandCrab 5. All these versions are using RSA 2048 and AES 256 algorithms to encode data and are appending a random and unique file extension to mark doomed victim's data. At the moment of writing, the most aggressive versions are Gandcrab 5.0.4 and GandCrab 5.1 virus. The ransomware has been using an array of various distribution methods, including RIG, GradSoft, Magnitude, and Fallout exploit kits,[1] cracks, keygens, and fake updates. While the malware is one of the most devastating threats currently, Bitdefender research team, while working with Europol and Romanian police, managed to create the 3rd GandCrab decryptor that works for versions 1, 4, 5.0.1 through 5.1.[2]

Name GandCrab
Type of malware Ransomware
Discovered January 30, 2018
Systems affected Windows
Detected as Ransom.GandCrab 
Versions 
The extension added to infected files .gdcb, .crab, .krab, .KRAB, .lock, .[random_characters]
Ransom note GDCB-DECRYPT.txt; KRAB-DECRYPT.txt; krab-decrypt.txt, [randomly_generated_extension]-DECRYPT.html, [victim's ID]-DECRYPT.txt, [victim's ID]-DECRYPT.html
TOR ID used ransomware@sj.ms
Amount of ransom Might vary depending on a version
Decryptable? Yes. Download GandCrab decryptor from Bitdefender here. Additionally, you can also try an alternative tool.
Elimination Use Reimage for ransomware removal

In the beginning, after two months of active distribution, the first versions of ransomware were defeated by the Romanian police, experts from Bitdefender, and Europol. After revealing the flaw in the ransomware code, authorities hacked cybercriminals and Bitdefender created a free GandCrab decryptor which is available on NoMoreRansom project.[3]

However, it seems that virus developers are not likely to give up. During the first months of 2019, they presented several new versions that are demanding the 2000 USD ransom in Dash or Bitcoin in exchange for the decryption key. The improved versions Gandcrab 5.0.4 and GandCrab 5.1 haven't been decrypted because hackers patched the critical flaw within 24 hours after the Bitdefender decryptor was released.

At the moment, the virus is appending .[random characters] file extension. Additionally, the victim is given a Tor address to buy the so-called Gandcrab Decryptor from virus creators. However, you should be careful when dealing with hackers because making a payment does not guarantee that you will get a key that you need. The quote from one of the latest victims reveals that you can be left with nothing:

Our outsourced IT, Protek Support, received a ransomware on their master server affecting all their 80 clients including us yesterday morning. They’ve paid the ransom this morning about 7 am, but we are still waiting to get our files decrypted and it’s already 4:45 pm.

If you have even the slightest suspicion that you can be infected, make sure you take care of GandCrab removal by using such tools as Reimage. Additionally, try free decrypters given in the table above. If you none of them helps, delete the virus to prevent additional data loss. Then, keep your files somewhere in the safe location until the decryptor for your version is released.

Actions proceeded by Gandcrab ransomware after infecting the system

GandCrab
GandCrab is a dangerous cyber threat which accepts Bitcoins or DASH cryptocurrencies for recovering victim's files. Some virus versions are already decryptable. However, Gandcrab 5.1 is still undecryptable

Following the infiltration, ransomware starts collecting information about its victim, including user name, PC name, OS, and similar data. Additionally, the virus creates a unique ransom ID and starts encrypting files stored on the system. As a result, the user is no longer able to access encrypted files without a key which is saved in C&C servers and can't be obtained without a ransom.

The entire situation, explaining what happened and what has to be done to recover files, is described in the ransom note which is saved in every folder with the encrypted data. The file can be named as GDCB-DECRYPT.txt, KRAB-DECRYPT.txt or [victim's ID]-DECRYPT.txt, and should never be deleted if you are willing to buy Gandcrab decryptor. That's because it should be uploaded to the TOR site of Gandcrab. 

The first versions of Gandcrab were using such message:

—= GANDCRAB =—

Attention!
All your files documents, photos, databases and other important files are encrypted and have the extension: . 
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser – https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

DANGEROUS!
Do not try to modify files or use your own private key – this will result in the loss of your data forever!

Newer variants as displaying the following message to their victims. As you can see, you can't :

—= GANDCRAB V5.1 =—

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: 

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

—————————————————————————————-

| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor browser 
| 2. Open Tor Browser 
| 3. Open link in TOR browser: [link]
| 4. Follow the instructions on this page

—————————————————————————————-

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!

IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

—BEGIN GANDCRAB KEY—
******
—END GANDCRAB KEY—

—BEGIN PC DATA—
******
—END PC DATA—

Once the victim downloads the Tor browser and clicks the link provided in the ransom note, he/she is led to the attacker's website selling GandCrab decryptor. Here, the popup titled “GandCrab authentication” shows up which starts the procedure by requesting to upload the ransom note at first. That's why cybercriminals are claiming in their ransom note: “Under no circumstances do not delete this file.”

Additionally, the official site is “unlocked” and presents payment instructions, the amount of the ransom (approximately $1200), services which can be used to exchange the money to bitcoin or DASH cryptocurrency, the address where the money should be sent to and a possibility to upload one file for free decryption. According to hackers, postponing the payment can double the ransom amount.

We should add that the site is well-designed and unique, filled with cartoons and such features as chat support. However, it seems that you can be banned from the assistance for using harsh language.

GandCrab virus
GandCrab encrypts files and promises to provide all proofs of decryption availability to convince the victim to pay the ransom. However, its ability to recover encrypted data is highly questionable

It is worth mentioning that ransomware identifies a specific period which should be obeyed to make the transaction or the amount of the payment will double. However, this is merely an attempt to intimidate the victims and force them to pay the ransom without evaluating other options. 

Therefore, we strongly advise you not to follow the rules of the criminals since there are alternative ways how you can get back the access to your files or use the decryptor developed by the experts. For that, you must remove GandCrab first.

Experts from NoVirus.uk[4] have already warned affected users that this is a highly dangerous computer virus and should be eliminated with the help of the professional or using a robust antivirus. Our top pick for GandCrab removal would be Reimage or SpyHunter 5Combo Cleaner. You can find detailed instructions on how to start the elimination procedure at the end of this article.

Additionally, do NOT try to get rid of the virus by yourself. Such complex ransomware-type infections are designed to hide their presence and disguise as legitimate computer processes. Terminating crucial system files might lead to permanent computer damage and re-appearance of the crypto-malware. Thus, we recommend using the elimination guide below.

Exploit kits have been actively used in virus distribution

GandCrab file extension
Gandcrab ransomware is appending numerous extensions, including .gdcb, .crab. .krab, .lock. The recent versions are using random characters to mark encrypted files

Hackers have employed numerous tactics to infiltrate computers with ransomware. However, exploit kits are considered the most sophisticated ones as they can successfully detect and identify system vulnerabilities and then misuse these holes for the attack. Experts note that GandCrab ransomware has been distributed via the following exploit kits[5]:

  • Rig EK;
  • GrandSoft EK;
  • Magnitude EK;[6]
  • Fallout EK.

The Magnitude Exploit Kit, previously used to spread Magniber ransomware, has mainly been used to spread GandCrab ransomware version 2. The EK renders a fileless technique used to execute the virus which is encoded using VBScript.Encode/JScript.Encode scrip and injected into a memory. When the payload is being executed, the ransomware roots into the explorer.exe file and forces PC's reboot. After that, it enables the encryptor and locks files with the unique file extension. 

GandCrab has also been distributed via malvertising[7] campaign known as Seamless. With its help, victims are lead to yet another exploit kit called RIG EK. After detecting system vulnerabilities, it exploits them to infect the targeted system with a file-encrypting virus or another dangerous computer virus.

Additionally, the Fallout exploit kit has been used to distribute Vidar data stealer which additionally drops GandCrab 5.0.4 payload via its command and control server. This function can be configured by the administrator when configuring the malware initially. Upon further inspection, it seems that malware is distributed via malvertising campaigns, and even sold as a product online.

Finally, the virus has also been distributed as a Ransomware-as-a-Service (Raas) on the Russian black web. According to the Check Point, hackers have already collected more than 600,000 USD ransom due to the innovative GandCrab Affiliate Program. Ransomware developers have been paying the participants from 60% to 70% of ransomware revenue in exchange for 24/7 tech support.

According to researchers, this crypto-malware has almost 100 active affiliates, 80 of these participants have successfully dispersed 700 different samples of the malware. More than 70% of infected PCs are located in the UK and US, so it's dedicated to English-speaking PC users. However, the recent version is providing several languages to choose from, including German, Italian, French or Japanese languages.

Other methods used for infecting systems with Gandcrab

GandCrab distribution
GandCrab distribution relies on numerous techniques, including exploit kits, Love spam, fake updates, cracks, keygens, and similar techniques

It is worth knowing that exploit kits are not the only way how ransomware is distributed. Criminals might take advantage of credulous people and use deceptive spam emails with malicious attachments. Usually, these emails are disguising themselves as shopping receipts, invoices or similar documents from well-known brands and companies. Likewise, naive users open the infected attachments and let the cyber threat in.

The first campaigns relied on “Receipt Feb-21310 [random numbers]” attachment which was using @cdkconstruction.org suffix. This spam email does not have much information, except points out that “DOC attached” which should never be downloaded to the system. Otherwise, the .doc file subsequently runs a PowerShell script and creates an exploit file (sct5.txt), which currently affects a 64-bit system. As pointed out by various crypto-malware researchers, the sct5.txt file does not run the ultimate payload of the virus, but executes an exploit and runs as a medium for malware to get inside.

The latest Gandcrab 5.1 virus has been actively relying on emergenсy exit maр spam which reads and includes an attachment named as “Emergencyexitmap.doc:”

Hi All,
Please find bеlow the Uр tо date еmеrgency exit maр.

Please see Emergency exit map in the attachment..

Thаnks,
Rоsie L. Ashton,
Еstаtе Mаnаgemеnt

If you happen to receive such an email, the most important thing is not to enable macros that are typically disabled by software makers. Make sure that the Protected view is enabled and ignore emails from unknown senders.

In January 2019, a new malspam campaign “Love You”[8] was noticed by security researchers that targeted users in Japan. It includes the name of a popular Japanese show business star, along with an emoji presented in the subject line. The phishing email contains an attachment PICo-[9 digit number]2019-jpg.zip that administers the payload. In addition to GandCrab 5.1, the “Love You” campaign also distributes various other payloads, including XMRig mining malware and Phorpiex worm.

New variants of the GandCrab are detected almost every month. Find your version

GandCrab malware
GandCrab is using RSA and AES encryption algorithms to encrypt victim's files and make them unusable. The only way to recover these files is to enter a special key which is saved in hackers' private servers

GDCB file extension virus 

GDCB file extension virus is one of the first versions of the GandCrab virus was detected in January 2018. It showed up a couple of weeks after the release of the original version. Just like its predecessor, it spreads via infected spam email attachments and runs a payload once the attachment is opened. The virus has been targeting the most popular files, including but not limited to .doc, .txt, .jpg, .png, .audio, .video, etc. and appending .GDCB file extension to each of them. It creates a GDCB-DECRYPT.txt file on the victim's desktop, which urges to download Tor browser and transmit 1.54 DASH ransom. The amount of the ransom increases if the victim is late to pay it. 

GandCrab v2

GandCrab 2 is the second version of an infamous virus. The files are encrypted with the help of AES-256 (CBC mode) + RSA-2048 algorithms and can no longer be accessed. Before releasing this new variant, crooks patched the severe encryption flaw that has been detected by cybersecurity experts at the beginning of March and helped them to release the decryptor for this ransomware. The virus has been distributed via Seamless malvertising campaign leading victims to RIG exploit kit. However, unlike its predecessor, it can also reach its victims via HoeflerText Font Update scam. 

GandCrab v3

GandCrab 3 ransomware is the third cyber threat of this family using .crab extension, and CRAB-DECRYPT.txt ransom note to scare its victims. The main difference for the victims who got encrypted by GandCrab 3 is that DASH cryptocurrency is no longer acceptable. People now are asked to pay the ransom in Bitcoins. However, please, do not pay the transaction and check alternative decryption methods below.

GandCrab v4

GandCrab 4  was noticed at the start of July 2018. This ransomware is still using AES-256 (CBC mode) and RSA-2048 encryption algorithm. However, the file extension was changed to .KRAB and the victim receives one of two different ransom notes: CRAB-DECRYPT.txt or KRAB-DECRYPT.txt. Each of these text files contains more information about the attack and instructions on how to create cryptocurrency wallet. 

GandCrab 4.1

GandCrab v4.1 ransomware showed up shortly after the fourth version. This version is slightly different and is using the .krab file extension. The new thing added – network communications feature used instead of C&C server. This version can spread without Internet connection. There have been many reports on this version because of the possible SMB exploit feature used in its distribution. However, it was denied, but the MS17-010 patch was required to prevent malware's infiltration. 

GandCrab 4.2

GandCrab 4.2 ransomware was discovered on July 17, when the Vaccine app was created, and shared online. The vaccine only works on this version by creating a special file on the computer that ransomware checks before the encryption and tricking the virus into thinking that the data is already encrypted. That file also shows if a computer is already infected or not. 

Gandcrab 5.0.4

GandCrab 5.0.4 showed up in September 2018 together with Gandcrab 5.0.1, Gandcrab 5.0.2, Gandcrab 5.0.3Gandcrab 5.0.5 and Gandcrab 5.0.9 versions. They are the latest variants of malware. Unlike its previous versions, they do not use predetermined file extension but generate the one from random characters which consist of five letters. The ransom note is also different and looks as follows: [randomly_generated_extension]-DECRYPT.html. 

Researchers think that this version is not using any exploit kits for distribution but instead relies on infected installers that are located on malicious websites. Hackers can redirect victims and trick them to download and install malicious payload, as well as use a drive-by install technique. 

Security researchers from Bitdefender released a free decryption tool that should help victims who are affected by versions 1, 4 and 5 (up to 5.4).[9] Thus, there is no need to pay crooks large sums of money if you are encrypted with these variants of cyber infections.

Gandcrab 5.1

GandCrab v5.1 is the newest variant of the GandCrab family. This version of the virus follows the path of GandCrab 5, using a similar scheme for encrypting files (random character file extension), and the ransom note including victim's ID ([random characters]-DECRYPT.txt). Malware also swaps the wallpaper which consists of a brief summary and a black background.

Hackers direct users to a particular site via the TOR browser which then discloses the amount of money they have to pay for the decryptor. This variant of the virus was spotted being distributed with the help of data-stealing malware and the new malspam campaign that pretends to be an “Up to datе еmеrgеnсy еxit map.” The sender's name is Rosie L. Ashton, and the malicious MS Word document is called Emergencyexitmap.doc. Once opened, users are asked to enable macros which then run a PowerShell script to download and install GandCrab v5.1.

Get GandCrab decryptor for free

GandCrab Decryptor

Cybersecurity experts at NoMoreRansom.org have already presented GandCrab decryptor for v1, v4, and v5. People who got infected with this cyber threat and find the following extensions can install a free tool to recover their encrypted files without paying the ransom: .GDCB, .CRAB, .KRAB, .UKCZA, .YIAQDG, .CQXGPMKNR, .HHFEHIOL. You can download it by clicking this link. Additionally, you can download the tool from Raj Samani security expert. However, having in mind that this virus family has numerous versions, sometimes these decryptors can fail to recover your files.

Before you rush with this procedure, note that the experts recommend installing and using the decryption tool only after you get rid of GandCrab first. Otherwise, the ransomware will continue to encrypt data on the victimized computer over and over again. Use only professional security tools to delete ransomware from the system. We strongly advise you use ones which are provided at the end of this article.

If you are unable to regain access to the compromised information with the official GandCrab decryptor, there are alternative methods which might help. For example, only some of the virus versions are designed to delete Shadow Volume Copies, so you can use ShadowExplorer or similar third-party tools to recover at least some of the files. Additionally, you can fully recover files without paying the ransom by using backups. If you do not have them, you should check our prepared alternative data recovery methods at the end of the article and try the decryptor as well.

Also, note that GandCrab 4.1.2 and Gandcrab 5.1 have two different vaccine apps that can trick the virus into thinking it has already encrypted files on the computer. These apps typically create the special file in advance and, this way, make the ransomware to think it has already encrypted this data.

To protect yourself from GandCrab 4.1.2, get this tool here. However, the virus hasn't been active during the latest period. At the moment of writing, the most active virus is Gandcrab 5.1 which has been relying on numerous techniques to get into the system. To protect yourself from this threat, download the vaccine created by Valthek. (direct link)

GandCrab ransomware family
Gandcrab family is consisting of numerous versions. The latest one, GandCrab 5.1, has already become the most dangerous cryptovirus of 2019

Before you proceed to data recovery, get rid of GandCrab

If you want to recover compromised files, you must remove GandCrab first. Unfortunately, there are not many options how you can do that. In fact, only one — you must download a professional malware removal software and let it scan your PC files thoroughly. 

To fix the system, download a professional security software as soon as you notice encrypted files on your computer. We recommend using Reimage or SpyHunter 5Combo Cleaner for GandCrab removal which has been used while testing the virus. After installing one of these apps, run a full system scan and let it terminate this file-encrypting virus. Unfortunately, these programs have nothing to do with the decryption of encrypted files. 

Note that you might not be able to install the malware removal tool at first. For that, you must reboot your computer into Safe Mode with Networking or rely on System Restore. You can find a step-by-step guide on how to do that and get rid of GandCrab at the end of this article. Additionally, our experts have prepared alternative methods to help you disable this malware and recover files encrypted by ransomware. 

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter 5.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove GandCrab virus, follow these steps:

Remove GandCrab using Safe Mode with Networking

Rebooting your computer to Safe Mode with Networking is the first step in ransomware elimination procedure.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove GandCrab

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete GandCrab removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove GandCrab using System Restore

To get rid of this ransomware with the help of System Restore, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that GandCrab removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove GandCrab from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by GandCrab, you can use several methods to restore them:

Data Recovery Pro can help you get back the compromised data

This is a great tool for data recovery since it does not require any additional functions enabled on the system. Note that is is also useful if you have lost your files due to a system crash.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab ransomware;
  • Restore them.

Windows Previous Versions Feature helps to recover encrypted files

You can travel back in time with Windows Previous Versions if you have System Restore function enabled before ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

GandCrab decryptor is available right now

Experts have designed a unique decryption software for GandCrab ransomware. You can get it here. In case it doesn't decrypt specific malware versions, feel free to try alternative recovery methods above.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References

Removal guides in other languages


Your opinion regarding GandCrab ransomware