GandCrab v5 ransomware (Virus Removal Guide) - Jan 2019 update
GandCrab v5 virus Removal Guide
What is GandCrab v5 ransomware?
GandCrab v5 – the fifth variant of an infamous ransomware family that employs sophisticated encryption to lock up files and demand ransom
GandCrab v5 ransomware is the newest variant of the GandCrab which has been relying on exploit kits to proliferate computers of victims worldwide since January 2018. It is believed to be of Romanian or Russian origin, and mainly targets Scandinavian and English speaking countries. Researchers noted[1] that this version vastly differs from its predecessors, including randomly generated file extensions, as well as new HTML ransom note. Additionally, in the distribution of Gandcrab 5, hackers employ recently discovered exploit kit called Fallout, as well as Task Scheduler ALPC and Adobe Flash vulnerabilities. Ransomware is using Salsa20 and RSA-2048 encryption methods to encode files and appends a combination of 5 random characters to each file, for example, .glrta file extension. As soon the virus completes the encryption procedure, it contacts its C&C server[2] and drops ransom note called [random_characters]-DECRYPT.html as well as changes the wallpaper of the computer.
SUMMARY | |
Name | GandCrab v5 |
Type | Ransomware |
Variants |
|
First spotted | September 2018 |
Related | GandCrab, GandCrab 2, GandCrab 3, GandCrab 4 |
Cipher used | Salsa20 and RSA-2048 |
File extension | Randomly generated extension that consists of 5 letters |
Distribution | Fallout exploit, Task Scheduler ALPC vulnerability, Adobe Flash vulnerability, CVE-2018-8120 vulnerability |
Decryptable? | Yes |
Elimination | Use security software that can detect the latest version – FortectIntego, SpyHunter 5Combo Cleaner or other AV engines |
This variant of malware is now decryptable and users can refer to decryption section for more details. However, you should focus on virus elimination for now. According to Virus Total,[3] 44 AV scanners detect the malicious file and would succeed with GandCrab v5 ransomware removal. We advise using FortectIntego or SpyHunter 5Combo Cleaner. For those extremely careful ones, security experts released a vaccine that prevents the infection from entering the machine.[4]
When first discovered, researchers were unsure how GandCrab v5 ransomware is distributed. Soon after, it turned out that the malware is using Fallout exploit kit[5] which shows extreme similarities to Nuclear EK. This EK was spotted in late August and helped to distribute CoalaBot, SmokeLoader trojan, GandCrab ransomware, PUPs and SAVEfiles virus.
Additionally, researchers noted that the GandCrab v5 virus is abusing Task Scheduler ALPC vulnerability (CVE-2018-8174) to gain administrator privileges on the targeted machine. It was first spotted in late August by independent experts and was patched by Microsoft on September 13th. Therefore, make sure your system is up to date in order to avoid GandCrab v5 ransomware infection.
Finally, GandCrab v5 is also utilizing Adobe Flash player (CVE-2018-4878)[6] vulnerability. It is not surprising that hackers picked Adobe vulnerability, as its software is widely used around the world. This again proves how important patching the software and using its latest versions is.
While initial .html ransom note only explains how to install TOR, the designated .onion page includes much more information about what happened to the targeted computer and its files. As soon as victims visit the TOR address, they are greeted with a typical message seen in previous GandCrab variants:
We are sorry, but your files have been encrypted!
Don't worry, we can help you to return all of your files!
Files decryptor's price is [size_of_ransom] USD
If payment isn't made until [date] the cost of decrypting files will be doubledThe time left to double price:
[time_left]
The support page then proceeds with more detailed information, for example, that the ransom can be paid in Dash of Bitcoin cryptocurrency, and that there is a possibility to decipher one file for free in order to make sure that GandCrab v5 decryptor works.
Even if crooks might sound like nice guys (“We are sorry!”, “Don't worry!”) but it is all social engineering that tries to convince victims that paying them is a great idea – it's like a business deal. However, you should not forget that GandCrab v5 is trying to extort money out of innocent users and already succeeded in many cases. Nothing stops cybercriminals ignoring victims after payment is processed.
The variants of the virus will show up as long as bad actors responsible for it will succeed in money extortion. Therefore, do not support cybercriminals, remove GandCrab v5 ransomware instead and use backups or third-party software to recover your data.
New variants of GandCrab v5 are emerging, and hackers are not planning on stopping
GandCrab developers are not planning on stopping their malicious activities at any time soon. After v5 discovery in late September 2018, hackers already released two new variants of malware.
GandCrab v5.0.1
This version showed up just five days after the initial release. Just as the original, GandCrab v5.0.1 uses a combination of random 5 letters as a file extension. According to criminals, this method complicates the detection and prevalence of the virus, and antivirus engines struggle to recognize the malicious payload.
The main difference is that this version switched its ransom note format from .HTML to .TXT, with the name remaining the same – [random_extension]-Decrypt.txt. Additionally, the ransom note now drops in the language that is installed on the system.
GandCrab v5.0.2
The next, and the most recent, variant emerged on 1st of October and was discovered by an independent security researcher.[7] It seems like hackers will continue using the random extension for the next GandCrab versions, as is the case with v5.0.2.
Malware is distributed using Fallout exploit kit, as well as Adobe Flash and Task Scheduler ALPC vulnerabilities. According to security experts, this variant is still susceptible to a vaccine that was used for GandCrab v5.
As for the future, hackers announced on collaboration with the crypt service NTCrypt, as they claim that is the most reliable and merely the “best.”
Practice safe internet browsing and avoid ransomware infections
While no method will protect you 100% against malware attacks, safe internet browsing habits can significantly diminish the impact of the ransomware infection. System and software updates, coupled with regular backups can make a recovery after the attack particularly easy.
But of course, it is always best not to infect the machine in the first place. To minimize the possibility, please follow these simple tips from security experts:[8]
- Beware of spam emails. Phishing is often used to inject ransomware on thousands of devices worldwide. Thus, stay away from suspicious attached documents, as well as hyperlinks leading to unknown sites;
- Scan email attachments using anti-virus software or online scanning tools before opening them;
- Do not leave RDP and other similar services unprotected. Crooks can often brute-force its way in and install malware manually;
- Use strong passwords for all your accounts, and alter them regularly;
- Avoid using file-sharing and torrent sites;
- Set your software to update automatically so that you wouldn't get tricked by fake updates
Get rid of GandCrab v5 ransomware
Despite cybercrooks warnings, you should remove GandCrab v5 ransomware and attempt to recover files without malicious actors' help. Therefore, employ anti-virus software and run a full system scan. In case ransomware is blocking the startup of the application, enter Safe Mode with Networking as explained below.
Don't even try to remove GandCrab v5 virus manually, as this can only be performed by trained IT professionals since malware makes several changes within the computer, and recovering from them should be done with the help of tools like FortectIntego.
As soon as the elimination process is complete, connect the external drive with the backed up files and simply copy them to the clean computer. If you failed to back up your data before the malware struck, use third-party software that might help you with data recovery.
Getting rid of GandCrab v5 virus. Follow these steps
Manual removal using Safe Mode
To remove GandCrab v5 virus from your machine, enter Safe Mode with Networking:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove GandCrab v5 using System Restore
You can also immobilize malware by using System Restore:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab v5. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove GandCrab v5 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by GandCrab v5, you can use several methods to restore them:
Data Recovery Pro might be able to decrypt files locked up by GandCrab v5 ransomware:
The app was originally created to recover files that got accidentally deleted. However, it can sometimes help users whose data was encrypted by ransomware.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by GandCrab v5 ransomware;
- Restore them.
Make use of Windows Previous Version feature
This method will only work if you had System Restore feature enable before the virus attack.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer might help
ShadowExplorer is a perfect tool if ransomware failed to remove Shadow Volume Copies.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
You can use Bitdefender's decryptor for locked files
According to security researchers from Bitdefender, they created a decryption tool that works for most versions of GandCrab up to 5.4. Download it here.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab v5 and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.
- ^ The GandCrab Ransomware Mindset. Check point. Malware research.
- ^ Margaret Rouse. Command-and-Control server (C&C server). WhatIs. Information technology site.
- ^ d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0. Virus Total. File scanner.
- ^ REVERSING SESSIONS. Vaccine for GandCrab ransomware.
- ^ nao_sec. Hello "Fallout Exploit Kit". nao_sec. Security blog.
- ^ CVE-2018-4878 Detail. NVD. National Vulnerability Database.
- ^ Ben Hunter. GandCrab v5.0.2. Twitter Social Network.
- ^ SenzaVirus. SenzaVirus. Cybersecurity news and articles.