Severity scale:  

Remove GandCrab v5 ransomware (Virus Removal Guide) - Jan 2019 update

removal by Gabriel E. Hall - - | Type: Ransomware

GandCrab v5 – the fifth variant of an infamous ransomware family that employs sophisticated encryption to lock up files and demand ransom

GandCrab v5 ransomwareGandCrab v5 is the newest variant of the infamous GandCrab virus

Questions about GandCrab v5 ransomware

GandCrab v5 ransomware is the newest variant of the GandCrab which has been relying on exploit kits to proliferate computers of victims worldwide since January 2018. It is believed to be of Romanian or Russian origin, and mainly targets Scandinavian and English speaking countries. Researchers noted[1] that this version vastly differs from its predecessors, including randomly generated file extensions, as well as new HTML ransom note. Additionally, in the distribution of Gandcrab 5, hackers employ recently discovered exploit kit called Fallout, as well as Task Scheduler ALPC and Adobe Flash vulnerabilities. Ransomware is using Salsa20 and RSA-2048 encryption methods to encode files and appends a combination of 5 random characters to each file, for example, .glrta file extension. As soon the virus completes the encryption procedure, it contacts its C&C server[2] and drops ransom note called [random_characters]-DECRYPT.html as well as changes the wallpaper of the computer.

Name GandCrab v5
Type Ransomware
  • GandCrab 5.0.1
  • GandCrab 5.0.2
  • Gandcrab 5.0.3
  • GandCrab 5.0.4
First spotted September 2018
Related GandCrabGandCrab  2GandCrab 3GandCrab 4
Cipher used Salsa20 and RSA-2048
File extension Randomly generated extension that consists of 5 letters
Distribution Fallout exploit, Task Scheduler ALPC vulnerability, Adobe Flash vulnerability, CVE-2018-8120 vulnerability
Decryptable? Yes
Elimination Use security software that can detect the latest version – Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or other AV engines

This variant of malware is now decryptable and users can refer to decryption section for more details. However, you should focus on virus elimination for now. According to Virus Total,[3] 44 AV scanners detect the malicious file and would succeed with GandCrab v5 ransomware removal. We advise using Reimage Reimage Cleaner Intego or SpyHunter 5Combo Cleaner. For those extremely careful ones, security experts released a vaccine that prevents the infection from entering the machine.[4]

When first discovered, researchers were unsure how GandCrab v5 ransomware is distributed. Soon after, it turned out that the malware is using Fallout exploit kit[5] which shows extreme similarities to Nuclear EK. This EK was spotted in late August and helped to distribute CoalaBot, SmokeLoader trojan, GandCrab ransomware, PUPs and SAVEfiles virus.

Additionally, researchers noted that the GandCrab v5 virus is abusing Task Scheduler ALPC vulnerability (CVE-2018-8174) to gain administrator privileges on the targeted machine. It was first spotted in late August by independent experts and was patched by Microsoft on September 13th. Therefore, make sure your system is up to date in order to avoid GandCrab v5 ransomware infection.

Finally, GandCrab v5 is also utilizing Adobe Flash player (CVE-2018-4878)[6] vulnerability. It is not surprising that hackers picked Adobe vulnerability, as its software is widely used around the world. This again proves how important patching the software and using its latest versions is.

Fallout and Task Scheduler vulnerabilityResearchers recently discovered that the virus uses Task Scheduler vulnerability, as well as Fallout Exploit kit for propagation

While initial .html ransom note only explains how to install TOR, the designated .onion page includes much more information about what happened to the targeted computer and its files. As soon as victims visit the TOR address, they are greeted with a typical message seen in previous GandCrab variants:

We are sorry, but your files have been encrypted!
Don't worry, we can help you to return all of your files!
Files decryptor's price is [size_of_ransom] USD
If payment isn't made until [date] the cost of decrypting files will be doubled

The time left to double price:

The support page then proceeds with more detailed information, for example, that the ransom can be paid in Dash of Bitcoin cryptocurrency, and that there is a possibility to decipher one file for free in order to make sure that GandCrab v5 decryptor works.

Even if crooks might sound like nice guys (“We are sorry!”, “Don't worry!”) but it is all social engineering that tries to convince victims that paying them is a great idea – it's like a business deal. However, you should not forget that GandCrab  v5 is trying to extort money out of innocent users and already succeeded in many cases. Nothing stops cybercriminals ignoring victims after payment is processed.

The variants of the virus will show up as long as bad actors responsible for it will succeed in money extortion. Therefore, do not support cybercriminals, remove GandCrab v5 ransomware instead and use backups or third-party software to recover your data.

GandCrab v5 virusGandCrab v5 is a file locking virus that uses a combination of five different characters as a file extension

New variants of GandCrab v5 are emerging, and hackers are not planning on stopping

GandCrab developers are not planning on stopping their malicious activities at any time soon. After v5 discovery in late September 2018, hackers already released two new variants of malware.

GandCrab v5.0.1

This version showed up just five days after the initial release. Just as the original, GandCrab v5.0.1 uses a combination of random 5 letters as a file extension. According to criminals, this method complicates the detection and prevalence of the virus, and antivirus engines struggle to recognize the malicious payload.

The main difference is that this version switched its ransom note format from .HTML to .TXT, with the name remaining the same – [random_extension]-Decrypt.txt. Additionally, the ransom note now drops in the language that is installed on the system.

GandCrab v5.0.2

The next, and the most recent, variant emerged on 1st of October and was discovered by an independent security researcher.[7] It seems like hackers will continue using the random extension for the next GandCrab versions, as is the case with v5.0.2. 

Malware is distributed using Fallout exploit kit, as well as Adobe Flash and Task Scheduler ALPC vulnerabilities. According to security experts, this variant is still susceptible to a vaccine that was used for GandCrab v5.

As for the future, hackers announced on collaboration with the crypt service NTCrypt, as they claim that is the most reliable and merely the “best.” GandCrab v5.0.2GandCrab v5.0.2 came soon after version 5.0.1, and is abusing software vulnerabilities and exploit kits to inject its payload

Practice safe internet browsing and avoid ransomware infections

While no method will protect you 100% against malware attacks, safe internet browsing habits can significantly diminish the impact of the ransomware infection. System and software updates, coupled with regular backups can make a recovery after the attack particularly easy.

But of course, it is always best not to infect the machine in the first place. To minimize the possibility, please follow these simple tips from security experts:[8]

  • Beware of spam emails. Phishing is often used to inject ransomware on thousands of devices worldwide. Thus, stay away from suspicious attached documents, as well as hyperlinks leading to unknown sites;
  • Scan email attachments using anti-virus software or online scanning tools before opening them;
  • Do not leave RDP and other similar services unprotected. Crooks can often brute-force its way in and install malware manually;
  • Use strong passwords for all your accounts, and alter them regularly;
  • Avoid using file-sharing and torrent sites;
  • Set your software to update automatically so that you wouldn't get tricked by fake updates

Get rid of GandCrab v5 ransomware

Despite cybercrooks warnings, you should remove GandCrab v5 ransomware and attempt to recover files without malicious actors' help. Therefore, employ anti-virus software and run a full system scan. In case ransomware is blocking the startup of the application, enter Safe Mode with Networking as explained below.

Don't even try to remove GandCrab v5 virus manually, as this can only be performed by trained IT professionals since malware makes several changes within the computer, and recovering from them should be done with the help of tools like Reimage Reimage Cleaner Intego.

As soon as the elimination process is complete, connect the external drive with the backed up files and simply copy them to the clean computer. If you failed to back up your data before the malware struck, use third-party software that might help you with data recovery.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove GandCrab v5 virus, follow these steps:

Remove GandCrab v5 using Safe Mode with Networking

To remove GandCrab v5 virus from your machine, enter Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove GandCrab v5

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete GandCrab v5 removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove GandCrab v5 using System Restore

You can also immobilize malware by using System Restore:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab v5. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that GandCrab v5 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove GandCrab v5 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by GandCrab v5, you can use several methods to restore them:

Data Recovery Pro might be able to decrypt files locked up by GandCrab v5 ransomware:

The app was originally created to recover files that got accidentally deleted. However, it can sometimes help users whose data was encrypted by ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab v5 ransomware;
  • Restore them.

Make use of Windows Previous Version feature

This method will only work if you had System Restore feature enable before the virus attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might help

ShadowExplorer is a perfect tool if ransomware failed to remove Shadow Volume Copies.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

You can use Bitdefender's decryptor for locked files

According to security researchers from Bitdefender, they created a decryption tool that works for most versions of GandCrab up to 5.4. Download it here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab v5 and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author

Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions


Removal guides in other languages

Your opinion regarding GandCrab v5 ransomware