Severity scale:  

GandCrab ransomware. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware

GandCrab ransomware — a cryptovirus that distributes with the help of other malware like data stealers and releases new versions one after the other

GandCrab installed via Magnitude EK
GandCrab ransomware - notorious cryptovirus which has been spreading since the beginning of 2018.

Questions about GandCrab ransomware

GandCrab ransomware is a virus that has many versions and more recent ones have been distributed using exploit kits and other malware. This wide-spread cryptovirus has been targeting users from all around the world since January 2018. During these years of activity, the malware already reappeared with multiple aggressive variants, including GDCB, KRAB ransomware, CRAB virus, GandCrab 2, GandCrab 3, GandCrab 4, GandCrab v4.1, GanCrab v4.1.2, and GanCrab v5. Recently, the 5th virus version has been split into numerous variants: Gandcrab 5.1, GandCrab 5.0.1, GandCrab 5.0.2, GandCrab 5.0.3, GandCrab 5.0.4, and six more. All these versions are using Salsa20 and RSA-2048 to encode data and append .gdcb, .crab, .KRAB, .lock, and [random_5_letters] file extension used by the latest version. The malware has been propagated with the help of infected executables, such as cracks (“Universal crack for merging Image to PDF”) and fake updates. Also, GandCrab was actively spread with the help of exploit kits, such as RIG, GradSoft, Magnitude, and, most recently, Fallout.[1] More recently, the version of this virus came to the wild with the help of Vidar stealer malware that can be altered to distribute direct ransomware payload.

Name GandCrab
Type of malware Ransomware
Discovered January 30, 2018
Systems affected Windows
The extension added to infected files .gdcb, .crab, .krab, .KRAB, .lock, [random_5_letters]
Ransom note GDCB-DECRYPT.txt; KRAB-DECRYPT.txt; krab-decrypt.txt, [randomly_generated_extension]-DECRYPT.html, [victim's ID]-DECRYPT.txt, [victim's ID]-DECRYPT.html
Amount of ransom Might vary depending on a version
Decryptable Yes. Some versions are decryptable. The tool is linked below
Elimination Use Reimage for ransomware removal

In the beginning, after two months of active distribution, the ransomware seemed to be defeated by the Romanian police, Bitdefender's experts, and Europol. After revealing the flaw in the ransomware code, finally hacked cybercriminals. As a result, Bitdefender created a free GandCrab decryptor which is available in the NoMoreRansom.[2]

However, it seems that the virus is not going to stop in 2019. its next versions, which were found several months ago, keep demanding the 1.54 DASH payment in exchange for the decryption key. The improved version dubbed as GandCrab 2 hasn't been decrypted because hackers patched the critical encryption flaw making a free decryptor useless. At the moment, the virus is appending .CRAB file extension. If you have even the slightest suspicion that you can be infected, make sure you remove GandCrab ransomware with Reimage.

GandCrab virus appening .crab file extension
GandCrab has been using different extensions to mark encrypted data, including .CRAB, .KRAB, .gdcb, .lock file extensions

Hackers are using different tactics to distribute GandCrab 

Ransomware researchers have reported several methods used by hackers to spread the ransomware. At first, the virus was found spreading around via spam. According to PC security experts,[3] GandCrab was using the subject “Receipt Feb-21310 [random numbers].” The name of the sender may vary, but the second part of the email address is always The spam message also contains a PDF attachment and “DOC attached” as the message body.

GandCrab relies on a .doc file which is downloaded to the system once the victim clicks on the malicious attachment. The .doc file subsequently runs a PowerShell script and creates an exploit file (sct5.txt), which currently affects a 64-bit system. As pointed out by various crypto-malware researchers, the sct5.txt file does not run the ultimate payload of the virus, but executes an exploit and runs as a medium for malware to get inside.

Additionally, experts reported about the Magnitude Exploit Kit used in the distribution of the cryptovirus. Previously used to spread Magniber ransomware and infect countries in South Korea, the exploit kit is currently attacking Scandinavia and other countries.

The Exploit kit renders a fileless technique used to execute GandCrab which is encoded using VBScript.Encode/JScript.Encode scrip and injected into a memory. When the payload is being executed, the ransomware roots into the explorer.exe file and forces PC's reboot. After that, it enables the encryptor and locks files with .CRAB file extension. It seems that the Magnitude EK is mainly used to spread GandCrab ransomware version 2.

GandCrab has also been distributed via malvertising[4] campaign known as Seamless. With its help, victims are lead to yet another exploit kit called RIG EK. After detecting system vulnerabilities, it exploits them to infect the targeted system with a file-encrypting virus or another dangerous computer virus.

Finally, the virus has also been distributed as a Ransomware-as-a-Service (Raas) on the Russian black web. According to the Check Point, hackers have already collected more than 600,000 USD ransom due to innovative GandCrab Affiliate Program. Ransomware developers have been paying the participants from 60% to 70% of ransomware revenue in exchange for 24/7 tech support.

According to researchers, this crypto-malware has almost 100 active affiliates, 80 of these participants have successfully dispersed 700 different samples of the malware. More than 70% of infected PCs are located in the UK and US, so it's dedicated to English-speaking PC users. However, the recent version is providing several languages to choose from, including German, Italian, French or Japanese languages.

GandCrab 2019 comeback with Vidar stealer collaboration

Malware campaign using Fallout exploit kit to distribute Vidar data-stealing malware was investigated and this research revealed that secondary infiltration involves GandCrab ransomware payload. The main functionality that Vidar displays is the stealer function but secondary payload was noticed. 

Upon further inspection, it appears that GandCrab ransomware compromises the targeted system after the Vidar infection. This malware can be distributed via malvertising campaigns, exploit kits or even sold as a product online and it focuses on stealing various data the developer wants to obtain that include passwords, credit card numbers or wiping digital wallets.

Vidar installs GandCrab ransomware via its command and control server and the feature called loader. This function can be configured by the administrator when configuring the malware initially. Not every version of the Vidar stealer has this function and direct URL containing the malicious payload.

When it does, the initial Vidar stealer infiltration is immediately followed by the encryption and GandCrab ransomware attack. The particular version of the ransom note that gets displayed as wallpaper on the infected device is GandCrab 5.0.4. As the message suggests victims should follow the instructions delivered in MQMFC-DECRYPT.txt on every folder with encrypted files. However, paying is not the best solution. 

Additional actions proceeded by ransomware

Following the infiltration, GandCrab ransomware starts encrypting the most valuable data stored on the system. Afterward, users are no longer able to access their files and are informed about the ransomware attack in the ransom-demanding message in GDCB-DECRYPT.txt or similar file:


All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser –
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

Do not try to modify files or use your own private key – this will result in the loss of your data forever!

Once the victim downloads the Tor browser and clicks the link provided in the ransom note, he/she is led to the hackers' website selling GandCrab decryptor. Here, the popup titled “GandCrab authentication” shows up which starts the procedure by requesting to upload the ransom note at first. That's why cybercriminals are claiming in their ransom note: “Under no circumstances do not delete this file.”

Additionally, the official site is “unlocked” and presents payment instructions, the amount of the ransom (approximately $1200), services which can be used to exchange the money to bitcoin or DASH cryptocurrency, the address where the money should be sent to and a possibility to upload one file for free decryption. According to hackers, postponing the payment can double the ransom amount.

GandCrab2 variant. An example of a ransom note
Gandcrab family is consisting of six different versions. The latest one, GandCrab v4.1.2, can be prevented with the help of a Vaccine app.

It is worth mentioning that ransomware identifies a specific period which should be obeyed to make the transaction or the amount of the payment will double. However, this is merely an attempt to intimidate the victims and forced to pay the ransom without clearly evaluating other possibilities. 

Therefore, we strongly advise you not to follow the rules of the criminals since there are alternative ways how you can get back the access to your files or use the decryptor developed by the experts. For that, you must remove GandCrab first. Experts from[5] have already warned affected users that this is a highly dangerous computer virus and should be eliminated with the help of the professional or using a robust antivirus.

Our top pick for GandCrab removal would be Reimage or Malwarebytes MalwarebytesCombo Cleaner. Although, it is possible to use other reputable anti-malware software to terminate this file-encrypting virus. You can find detailed instructions on how to start the elimination procedure at the end of this article.

Additionally, do NOT try to get rid of the virus by yourself. Such complex ransomware-type infections are designed to hide their presence and disguise as legitimate computer processes. Terminating crucial system files might lead to permanent computer damage and re-appearance of the crypto-malware. Thus, we recommend using the elimination guide below.

GandCrab ransomnote

New variants of the GandCrab

.GDCB file extension virusThis version of the GandCrab virus has been detected a couple of weeks after the release of the original version. Just like its predecessor, it spreads via infected spam email attachments and runs a payload once the attachment is opened. 

It targets the most popular files, including but not limited to .doc, .txt, .jpg, .png, .audio, .video, etc. and appends .GDCB file extension to each of them. It creates a GDCB-DECRYPT.txt file on the victim's desktop, which urges to download Tor browser and transmit 1.54 DASH ransom. The amount of the ransom increases if the victim is late to pay it. 

The image of GandCrab ransomware
GDCB ransomware is yet another version of Gandcrab.

GandCrab 2. The second ransomware's version is currently not decryptable. Before releasing this new variant, crooks patched the severe encryption flaw that has been detected by cybersecurity experts at the beginning of March. 

GandCrab2 is distributed via Seamless malvertising campaign leading victims to RIG exploit kit. However, unlike its predecessor, it can also reach its victims via HoeflerText Font Update scam. 

GandCrab 3 ransomware is the third cyber threat of this family. The files are encrypted with the help of AES-256 (CBC mode) + RSA-2048 algorithms and can no longer be accessed. Additionally, the filenames are marked with .crab extension, and CRAB-DECRYPT.txt ransom note is dropped. 

The main difference for the victims whose files are encrypted by GandCrab 3 is that DASH cryptocurrency is no longer acceptable. People now are asked to pay the ransom in Bitcoins. However, please, do not pay the transaction and check alternative decryption methods below.

GandCrab v4 ransomware version was noticed at the start of July 2018. This ransomware also uses AES-256 (CBC mode) and RSA-2048 encryption algorithm. This was the first version using .KRAB file extension and ransom note might be in two differently named files. CRAB-DECRYPT.txt or KRAB-DECRYPT.txt text files contain more information about the attack and instructions on how to create cryptocurrency wallet. 

GandCrab v4.1 ransomware showed up shortly after the fourth version. This version is slightly different and is using the .krab file extension. The new thing – network communications feature used instead of C&C server. This version can spread without the Internet connection. There have been many reports on this version because of the possible SMB exploit feature used in its distribution. However, it was denied, but the MS17-010 patch was required to prevent malware's infiltration. 

GandCrab v4.1.2 ransomware (GandCrab v4.1.x) was discovered on July 17, when the Vaccine app was created, and shared online. The vaccine only works on this version by creating a special file on the computer that ransomware checks before the encryption and tricking the virus into thinking that the data is already encrypted. That file also shows if a computer is already infected or not. 

GanCrab v5 ransomware showed up in September 2018 together with 5.0.1, 5.0.2, and 5.0.4 versions. They are the latest variants of malware. Unlike its previous versions, they do not use predetermined file extension but generate the one from random characters which consists of five letters. The new ransom note is also different and looks as follows: [randomly_generated_extension]-DECRYPT.html. 

Researchers think that the newest version is not using any exploit kits for distribution but instead relies on infected installers that are located on malicious websites. Hackers can redirect victims and trick them to download and install malicious payload, as well as use a drive-by install technique. 

Unfortunately, GandCrab v5 is not decryptable yet. However, victims should not pay the demanded ransom of $800-2400 in Dash or Bitcoin and eliminate the malware instead. Backups and third-party software can be used for file recovery.

Get GandCrab decryptor for free

GandCrab decryptor
GandCrab Decryptor was presented by Bitdefender company. Unfortunately, only the first version of this malware is decryptable.

Recently, cybersecurity experts at have presented GandCrab decryptor for v1, v4, and v5. People whose computers got infected with this cyber threat and can find .GDCB, .CRAB, .KRAB, .UKCZA, .YIAQDG, .CQXGPMKNR, and .HHFEHIOL file extensions, can install a free tool to recover their encrypted files without paying the ransom. You can download it by clicking this link.

However, before you rush with this procedure, note that the experts recommend installing and using the decryption tool only after you get rid of GandCrab first. Otherwise, the ransomware will continue to encrypt data on the victimized computer over and over again. 

They also recommend using professional security tools to uninstall ransomware from the system. We strongly advise you use ones which are provided at the end of this article. If you are unable to regain access to the compromised information with the official GandCrab decryptor, there are alternative methods which might help.

For example, only some of the virus versions are designed to delete Shadow Volume Copies, so you can use ShadowExplorer or similar third-party tools to recover at least some of the files. Additionally, you can fully recover files without paying the ransom by using backups. If you do not have them, you should check our prepared alternative data recovery methods at the end of the article and try the decryptor as well.

GandCrab v4.1.2 ransomware has vaccine app that tricks the virus into thinking it has already encrypted files on the computer. AhnLab from South Korea released an app that blocks this ransomware version from locking users' files. A unique ID is generated based on the computer's information on the root drive, and a custom Salsa20 streaming algorithm is formed. Ransomware before the encryption creates a file to know if the computer was infected already or not. This way users are not executing ransomware twice. 

This app can create this file in advance, before any infection and this way ransomware thinks it has already encrypted this data. Current vaccine blocks GandCrab v4.1.2, but it may be that in the future this app would work on older versions of GandCrab ransomware. Older versions used a bit simpler method for creating an encryption file. You can get this tool here.

Exploit kits and other malware are considered the most common distribution methods

Hackers have employed numerous tactics to infiltrate computers with ransomware. However, exploit kits are considered the most sophisticated ones. These programs can successfully detect and identify system vulnerabilities and then misuse them for the attack. Experts note that GandCrab ransomware is distributed via the following exploit kits[6]:

  • Rig exploit kit;
  • GrandSoft exploit kit;
  • Magnitude exploit kit[7].

Additionally, it is worth knowing that exploit kits are not the only way how ransomware is distributed. Criminals might take advantage of credulous people and use deceptive spam emails with malicious attachments. Usually, letters disguise as shopping receipts, invoices or similar documents from well-known brands and companies. Likewise, naive users open the infected attachments and let the cyber threat in.

As we have pointed out in the previous paragraph, the developer of this ransomware is actively spreading spam email. The subject of the message is always the same Receipt Feb-21310 [ random numbered], except that the name of the sender may slightly differ. Nevertheless, the suffix of the sender's email is This spam email does not have much information, except points out that “DOC attached.”

Therefore, we suggest you be extremely cautious when browsing on the Internet or monitoring your emails. It is essential to pay close attention when opening letters — you can identify a malicious email by minor spelling mistakes or urges to open the attachment “for further details.” Please do not open attachments of suspicious emails, especially if you see JS, .EXE, .COM, .PIF, .SCR, .HTA, .vbs, .wsf, .jse, .jar, and other doubtful file extensions. Also, avoid visiting suspicious websites since they might be managed by cybercriminals and used to distribute high-risk computer infections.

GandCrab spreads via fake Hoefler text font updates
GandCrab has been actively distributed using Exploit Kits, spam, and as a Ransomware-as-a-Service.

Get rid of GandCrab virus and proceed to data recovery

If you want to recover compromised files, you must remove GandCrab first. Unfortunately, there are not many options how you can do that. In fact, only one — you must download a professional malware removal software and let it scan your PC files thoroughly. 

To fix the system, download a professional security software as soon as you notice encrypted files on your computer. We recommend using Reimage or Malwarebytes MalwarebytesCombo Cleaner for GandCrab removal which has been used while testing the virus. After installing one of these apps, run a full system scan and let it terminate this file-encrypting virus. Unfortunately, these programs have nothing to do with the decryption of encrypted files. 

Note that you might not be able to install the malware removal tool at first. For that, you must reboot your computer into Safe Mode with Networking or rely on System Restore. You can find a step-by-step guide on how to do that and get rid of GandCrab at the end of this article. Additionally, our experts have prepared alternative methods to help you disable this malware and recover files encrypted by ransomware. 

do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.
GandCrab ransomware snapshot
GandCrab virus picture

To remove GandCrab virus, follow these steps:

Remove GandCrab using Safe Mode with Networking

Rebooting your computer to Safe Mode with Networking is the first step in ransomware elimination procedure.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove GandCrab

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete GandCrab removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove GandCrab using System Restore

To get rid of this ransomware with the help of System Restore, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that GandCrab removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove GandCrab from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by GandCrab, you can use several methods to restore them:

Data Recovery Pro can help you get back the compromised data

This is a great tool for data recovery since it does not require any additional functions enabled on the system. Note that is is also useful if you have lost your files due to a system crash.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab ransomware;
  • Restore them.

Windows Previous Versions Feature helps to recover encrypted files

You can travel back in time with Windows Previous Versions if you have System Restore function enabled before ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

GandCrab decryptor is available right now

Experts have designed a unique decryption software for GandCrab ransomware. You can get it here. In case it doesn't decrypt specific malware versions, feel free to try alternative recovery methods above.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions


Removal guides in other languages