GandCrab v4 ransomware (Removal Instructions) - updated Nov 2018
GandCrab v4 virus Removal Guide
What is GandCrab v4 ransomware?
GandCrab v4 ransomware – the dangerous file locking virus that came back with its 4th version
GandCrab v4 is the 4th version of the infamous GandCrab ransomware
GandCrab v4 ransomware is the newest variant of the GandCrab family and was first noticed by security experts at the start of July 2018. This crypto-virus uses AES-256 (CBC mode) and RSA-2048 encryption algorithm to encrypt data and then adds .KRAB appendix to each of the affected files. As a result, this version has been dubbed as KRAB ransomware. Soon after the encryption is finished, the malware drops a ransom note CRAB-DECRYPT.txt or KRAB-DECRYPT.txt which explains to users that the only way to recover data is to pay cybercriminals in Bitcoin cryptocurrency. Security experts found evidence that Romanian-born hackers created the newest variant of the virus.
|Associated with||GandCrab family|
|Encryption algorithm||AES-256 and RSA-2048|
|Ransom note||CRAB-DECRYPT.txt or KRAB-DECRYPT.txt|
|Elimination||Automatic only – use RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes|
|Decryption||Use a free GandCrab v4 decryptor by Bitdefender|
Although crooks behind previous versions of malware were stopped and file-decrypting tool was created, it is still not the case with GandCrab v4 virus. As the cyber threat showed up in summer 2018, security researchers from Bitdefender have already developed the free decryptor for this threat which you can find in our data recovery guide. Nevertheless, the first step to normal computer operation is GandCrab v4 ransomware removal.
The crypto-malware usually infiltrates machines via contaminated file attachments in spam e-mails, breaks in through a poorly protected RDP, using software vulnerabilities or via executables found on malicious websites (such as file-sharing or torrent sites). As soon as GandCrab v4 virus enters, it performs a full system scans, looking for files to encrypt. After that, it appends the .KRAB extension to all video, audio, photo, database, image files. Therefore, a picture.jpg is modified to picture.jpg.KRAB and becomes inaccessible.
The key that could unlock files is located on a server which is only reachable to GandCrab v4 cybercrooks. The worst part is that each of the keys is generated separately for each of the infected computers, making it impossible to re-use it. Nevertheless, security researchers do not recommend paying ransom under any circumstances.
Hackers are known to ignore victims and never send the promised key. Additionally, the bad actors could instead send more malware which could inflict further damage to your machine. Therefore, do not panic if KRAB extension locks your files. Simply download and install RestoroIntego, SpyHunter 5Combo Cleaner, Malwarebytes or any other reputable security software and run a full system scan. This will help you to remove GandCrab v4 ransomware effectively.
Only after elimination procedure, you can attempt file recovery. Unfortunately, the only safe way to get your files back is by using backups (either by using cloud services or a physical external storage device, such as USB stick or an external HDD). Thus, even if you do not think that you could get infected, still back-up your data regularly, as it can save your precious files from destruction.
GandCrab v4 is a non-decryptable crypto-virus that locks up all personal files on the computer and demands ransom in Bitcoins for its release
Avoid opening emails that look or feel suspicious
Contaminated attachments in phishing emails are usually the main culprit of the ransomware infection. Hackers often abuse the fact that users are careless when it comes to computer safety and employ bots to send out thousands of spam emails that may look very believable. As soon as the victim clicks on the malicious attachment, the payload of the virus is executed, and all files are locked. To avoid that, carefully examine emails and do not click any links or on the attachments if you are not 100% sure that they are legitimate.
Other ways dangerous malware can be injected into the machine include:
- Exploit kits;
- Unprotected RDP;
- Using botnets;
- Infected executable files on file-sharing sites and P2P networks;
- Cracked or re-packed software;
- Fake updates, etc.
Remove GandCrab v4 using reputable security software
To remove GandCrab V4 virus safely, you need to employ anti-malware software. Having a reputable security tool installed is mandatory if you want to protect yourself from dangers online. However, if you are still not using any protection, your computer is in imminent danger. Thus, download RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes and bring it up to date. If malware is preventing from proper anti-virus program operation, enter Safe Mode with Networking, as explained below.
Only after full GandCrab v4 removal, you can attempt to recover your files. Otherwise, they will get encrypted again. Therefore, if you own a backup of your data, DO NOT CONNECT the device (external drive or similar) before the virus is eliminated. If you do not have a backup, you can try recovering your files by using decryption software provided below.
A video below explains how to create a safe environment before you start deleting GandCrab. Keep in mind that the virus is capable of disabling legitimate security software to prevent its removal from the system. To prevent serious consequences hailing from such ability, you should perform these steps:
Getting rid of GandCrab v4 virus. Follow these steps
Manual removal using Safe Mode
To get rid of GandCrab V4 virus safely, enter Safe Mode with Networking the following way:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove GandCrab v4 using System Restore
You can try to eliminate the malware using System Restore:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab v4. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove GandCrab v4 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
Although for some paying the ransom seems like a good idea, we do not recommend doing that. Not only can you lose your money but also damage your PC even further. Besides, you will be funding cybercriminals and their malicious acts. Instead, try some alternative solutions be present below.
If your files are encrypted by GandCrab v4, you can use several methods to restore them:
Use Data Recovery Pro
Data Recovery Pro can be a useful tool when it comes to ransomware-infected files. Although there is a chance it won't work, you should try using it.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by GandCrab v4 ransomware;
- Restore them.
Recover your files using Windows Previous Versions Feature
This method can only function if you had System Restore feature enabled before the ransomware locked up your files. Besides, only one file at the time can be recovered. Thus, getting back a large amount of data might be impossible.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
You can try ShadowExplorer
ShadowExplorer can only be useful if the virus left Shadow Volume Copies intact.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Use official GandCrab decryptor
If infected with the fourth virus version, download Gandcrab 4 decryptor to recover your files.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab v4 and other ransomwares, use a reputable anti-spyware, such as RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Do not let government spy on you
The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
- ^ MalwareHunterTeam. Twitter. Social Network.
- ^ RDP brute force attacks: 5 tips to keep your business safe. EmiSoft. Secuiry researchers.
- ^ Viruset. Viruset. Norwegian security articles.