Severity scale:  
  (98/100)

GandCrab v5 ransomware. How to remove? (Uninstall guide)

removal by Gabriel E. Hall - - | Type: Ransomware

GandCrab v5 – fifth version of an infamous ransomware family

GandCrab v5 ransomware
GandCrab v5 is the newest variant of the infamous GandCrab virus

GandCrab v5 ransomware is the newest variant of the GandCrab which has been relying on exploit kits to proliferate computers of victims worldwide since January 2018. It is believed to be of Romanian or Russian origin, and mainly targets Scandinavian and English speaking countries. Researchers noted[1] that this version vastly differs from its predecessors, including randomly generated file extensions, as well as new HTML ransom note. Additionally, in the distribution of Gandcrab 5, hackers employ recently discovered exploit kit called Fallout, as well as Task Scheduler ALPC and Adobe Flash vulnerabilities. Ransomware is using Salsa20 and RSA-2048 encryption methods to encode files and appends a combination of 5 random characters to each file, for example, .glrta file extension. As soon the virus completes the encryption procedure, it contacts its C&C server[2] and drops ransom note called [random_characters]-DECRYPT.html as well as changes the wallpaper of the computer.

SUMMARY
Name GandCrab v5
Type Ransomware
Variants
  • GandCrab 5.0.1
  • GandCrab 5.0.2
  • Gandcrab 5.0.3
  • GandCrab 5.0.4
First spotted September 2018
Related GandCrabGandCrab  2GandCrab 3GandCrab 4
Cipher used Salsa20 and RSA-2048
File extension Randomly generated extension that consists of 5 letters
Distribution Fallout exploit, Task Scheduler ALPC vulnerability, Adobe Flash vulnerability, CVE-2018-8120 vulnerability
Elimination Use security software that can detect the latest version – Reimage, Malwarebytes MalwarebytesCombo Cleaner or other AV engines

Unfortunately, this variant of malware, just as previous ones, is not decryptable. However, according to Virus Total,[3] 44 AV scanners detect the malicious file and would succeed GandCrab v5 ransomware removal. We advise using Reimage or Malwarebytes MalwarebytesCombo Cleaner. For those extremely careful ones, security experts released a vaccine that prevents the infection from entering the machine.[4]

When first discovered, researchers were unsure how GandCrab v5 ransomware is distributed. Soon after, it turned out that the malware is using Fallout exploit kit[5] which shows extreme similarities to Nuclear EK. This EK was spotted in late August and helped to distribute CoalaBot, SmokeLoader trojan, GandCrab ransomware, PUPs and SAVEfiles virus.

Additionally, researchers noted that the GandCrab v5 virus is abusing Task Scheduler ALPC vulnerability (CVE-2018-8174) to gain administrator privileges on the targeted machine. It was first spotted in late August by independent experts and was patched by Microsoft on September 13th. Therefore, make sure your system is up to date in order to avoid GandCrab v5 ransomware infection.

Finally, GandCrab v5 is also utilizing Adobe Flash player (CVE-2018-4878)[6] vulnerability. It is not surprising that hackers picked Adobe vulnerability, as its software is widely used around the world. This again proves how important patching the software and using its latest versions is.

Fallout and Task Scheduler vulnerability
Researchers recently discovered that the virus uses Task Scheduler vulnerability, as well as Fallout Exploit kit for propagation

While initial .html ransom note only explains how to install TOR, the designated .onion page includes much more information about what happened to the targeted computer and its files. As soon as victims visit the TOR address, they are greeted with a typical message seen in previous GandCrab variants:

We are sorry, but your files have been encrypted!
Don't worry, we can help you to return all of your files!
Files decryptor's price is [size_of_ransom] USD
If payment isn't made until [date] the cost of decrypting files will be doubled

The time left to double price:
[time_left]

The support page then proceeds with more detailed information, for example, that the ransom can be paid in Dash of Bitcoin cryptocurrency, and that there is a possibility to decipher one file for free in order to make sure that GandCrab v5 decryptor works.

Even if crooks might sound like nice guys (“We are sorry!”, “Don't worry!”) but it is all social engineering that tries to convince victims that paying them is a great idea – it's like a business deal. However, you should not forget that GandCrab  v5 is trying to extort money out of innocent users and already succeeded in many cases. Nothing stops cybercriminals ignoring victims after payment is processed.

The variants of the virus will show up as long as bad actors responsible for it will succeed in money extortion. Therefore, do not support cybercriminals, remove GandCrab v5 ransomware instead and use backups or third-party software to recover your data.

GandCrab v5 virus
GandCrab v5 is a file locking virus that uses a combination of five different characters as a file extension

New variants of GandCrab v5 are emerging, and hackers are not planning on stopping

GandCrab developers are not planning on stopping their malicious activities at any time soon. After v5 discovery in late September 2018, hackers already released two new variants of malware.

GandCrab v5.0.1

This version showed up just five days after the initial release. Just as the original, GandCrab v5.0.1 uses a combination of random 5 letters as a file extension. According to criminals, this method complicates the detection and prevalence of the virus, and antivirus engines struggle to recognize the malicious payload.

The main difference is that this version switched its ransom note format from .HTML to .TXT, with the name remaining the same – [random_extension]-Decrypt.txt. Additionally, the ransom note now drops in the language that is installed on the system.

GandCrab v5.0.2

The next, and the most recent, variant emerged on 1st of October and was discovered by an independent security researcher.[7] It seems like hackers will continue using the random extension for the next GandCrab versions, as is the case with v5.0.2. 

Malware is distributed using Fallout exploit kit, as well as Adobe Flash and Task Scheduler ALPC vulnerabilities. According to security experts, this variant is still susceptible to a vaccine that was used for GandCrab v5.

As for the future, hackers announced on collaboration with the crypt service NTCrypt, as they claim that is the most reliable and merely the “best.” GandCrab v5.0.2
GandCrab v5.0.2 came soon after version 5.0.1, and is abusing software vulnerabilities and exploit kits to inject its payload

Practice safe internet browsing and avoid ransomware infections

While no method will protect you 100% against malware attacks, safe internet browsing habits can significantly diminish the impact of the ransomware infection. System and software updates, coupled with regular backups can make a recovery after the attack particularly easy.

But of course, it is always best not to infect the machine in the first place. To minimize the possibility, please follow these simple tips from security experts:[8]

  • Beware of spam emails. Phishing is often used to inject ransomware on thousands of devices worldwide. Thus, stay away from suspicious attached documents, as well as hyperlinks leading to unknown sites;
  • Scan email attachments using anti-virus software or online scanning tools before opening them;
  • Do not leave RDP and other similar services unprotected. Crooks can often brute-force its way in and install malware manually;
  • Use strong passwords for all your accounts, and alter them regularly;
  • Avoid using file-sharing and torrent sites;
  • Set your software to update automatically so that you wouldn't get tricked by fake updates

Get rid of GandCrab v5 ransomware

Despite cybercrooks warnings, you should remove GandCrab v5 ransomware and attempt to recover files without malicious actors' help. Therefore, employ anti-virus software and run a full system scan. In case ransomware is blocking the startup of the application, enter Safe Mode with Networking as explained below.

Don't even try to remove GandCrab v5 virus manually, as this can only be performed by trained IT professionals since malware makes several changes within the computer, and recovering from them should be done with the help of tools like Reimage.

As soon as the elimination process is complete, connect the external drive with the backed up files and simply copy them to the clean computer. If you failed to back up your data before the malware struck, use third-party software that might help you with data recovery.

Offer
We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.

If you decided to select another anti-spyware, uninstall Reimage from your computer.
Press mentions on Reimage
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove GandCrab v5 virus, follow these steps:

Remove GandCrab v5 using Safe Mode with Networking

To remove GandCrab v5 virus from your machine, enter Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove GandCrab v5

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete GandCrab v5 removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove GandCrab v5 using System Restore

You can also immobilize malware by using System Restore:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab v5. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that GandCrab v5 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove GandCrab v5 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by GandCrab v5, you can use several methods to restore them:

Data Recovery Pro might be able to decrypt files locked up by GandCrab v5 ransomware:

The app was originally created to recover files that got accidentally deleted. However, it can sometimes help users whose data was encrypted by ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by GandCrab v5 ransomware;
  • Restore them.

Make use of Windows Previous Version feature

This method will only work if you had System Restore feature enable before the virus attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might help

ShadowExplorer is a perfect tool if ransomware failed to remove Shadow Volume Copies.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Not decryptable yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab v5 and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

References