GandCrab2 ransomware (Removal Guide) - Jul 2018 update
GandCrab2 virus Removal Guide
What is GandCrab2 ransomware?
GandCrab v2 – the second version of the notorious ransomware virus which is asking 500 USD to recover victim's files
GandCrab2 virus - dangerous ransomware which is asking $500 for the special decryption key which is needed to recover encrypted files.
GandCrab v2 ransomware is a cryptovirus which has been developed soon after the GandCrab – one of the most aggressive forms of ransomware. Just like its predecessor, the new version is distributed via Seamless malvertising campaign leading victims to RIG exploit kit. Nevertheless, it can also be disguised under HoeflerText Font Update scam pop-ups. Upon successful infiltration, ransomware appends .CRAB file extension to each locked file and generates a CRAB-DECRYPT.txt ransom note.
|The predecessor||Gandcrab ransomware|
|Ransom amount||500 USD|
|Elimination||Use RestoroIntego to get rid of Gandcrab or any its versions|
The malware redirects its victims to TOR site, which contains instructs the victim what they have to do to decrypt locked files. While the original variant of GandCrab2 demanded 1200 USD in Dash coins, the new version detected at the beginning of March 2018 asks for 500 USD in Dash coins.
However, specialists mock the attempt of GandCrab2 virus developers to maximize profit since the virus can be decrypted using a free GandCrab decryptor available at NoMoreRansom. However, crooks provide a link to a decryption tutorial on NoMoreRansom and scare people by falsely claiming that the tool won't decrypt files. Contrary, it will make data undecryptable. Nevertheless, experts point out that the GandCrab2 (version 1.0.0r) and the GandCrab (v2.3.*) belong to the same group and can be decrypted in the same way.
To protect yourself from GandCrab2 ransomware attack, be careful with .doc file email attachments. Despite the fact that such spam emails can be sent by official authorities or other pretend-to-be legitimate sources, by opening a .doc file attached to a suspicious email can run a PowerShell script, which creates a sct5.txt or 128384.txt file, which connects to the remote server and download the ultimate GandCrab2 ransomware payload. In case of HoeflerText Font Update scam attack, the system gets infected with Font_Update.exe file, which subsequently downloads a g.js scrip and remote access tool known as NetSupport Manager remote access utility, which executes the ransomware completely.
Those whose files have already been encrypted by .CRAB file extension virus should immediately remove GandCrab2 virus. For this purpose, we recommend using RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes tool as they are powerful enough to detect and neutralize all related components. Following successful GandCrab2 removal, you should download a free decryptor provided in NoMoreRansom and decrypt your files with it.
The first sign that your PC has been infected with GandCrab2 virus is .CRAB file extension attached to personal files
Cybercrooks distribute viruses via malspam campaigns and fake updates
The developers of malicious cyber infections are accustomed to the use of exploit kits. Their purpose is to detect the vulnerabilities on the targeted system and open the back door for the cyber infections to enter the system quickly. This particular ransomware relies on the combination of two exploit kits – RIG and GrandSoft.
Typically, people are exposed to the exploit kits by sending them malicious emails with infected .doc file attachments. Spam emails are developed in a way to mimic well-known brands or official institutions. In this particular case, people get an email message with the subject Receipt Feb-21310 [ random numbered] sent by [ransom name ]@cdkconstruction.org. Most of the victims reported that such email does not expatiate on the subject, but only indicate the fact that “DOC attached.” Beware that the type of the attached file might also differ, but usually, the file extension is somewhat suspicious ( .EXE, .COM, .PIF, .SCR, .HTA, etc.).
Apart from malspam, people can end up with this ransomware after downloading a fake “Chrome Font Pack” on hacked websites. People can be exposed to compromised domains by mistyping domain's name or after clicking on infected ads. The hacked website displays a scrambled text by default and generates a notification saying that “The “HoeflerText” font wasn't found” and urges people to install the fake font pack to see the content of the website normally.
GandCrab2 removal tutorial
Manual GandCrab2 removal is not possible. In general, ransomware virus cannot be eliminated manually as they inject multiple files, corrupt registries, change startup settings, and initiate other system's changes to evade easy detection and removal.
To remove GandCrab2 virus and get back the data, experts from senzavirus.it recommend people to download RestoroIntego, SpyHunter 5Combo Cleaner, Malwarebytes or another reputable anti-malware tool. If you are currently using one, make sure to update its definitions before running a scan.
Don't fall into a panic if you cannot launch your anti-virus. The gandcrab2 virus can use helper objects that block any security-related tool. In this case, you should try to boot the system into Safe Mode with Networking or a couple of other methods to bypass ransomware's code. You can learn how to create safe environment on your computer before you start the removal of GandCrab v2 below. After you recover the data by following the step-by-step instructions below.
Getting rid of GandCrab2 virus. Follow these steps
Manual removal using Safe Mode
If ransomware block anti-virus tools, try to restart the system into Safe Mode with Networking and re-try to launch it in this mode:
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove GandCrab2 using System Restore
In case the first removal method failed to work, you should follow these steps:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab2. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove GandCrab2 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by GandCrab2, you can use several methods to restore them:
Data Recovery Pro – a software that can recover files encrypted by any ransomware
Originally Data Recovery Pro tool has been developed to recover files that were deleted accidentally or lost due to fatal system's crash. Nevertheless, the powerful search engine and recovery feature makes Data Recovery Pro capable of decrypting files locked by ransomware viruses.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by GandCrab2 ransomware;
- Restore them.
Windows Previous Versions feature – alternative data recovery method
If you create System Restore Points regularly, then you must have one created before GandCrab2 malware attack. Enabling the previous version of the system can help you to decrypt locked files.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Recover data from Shadow Volume Copies
Although most ransomware virus delete Shadow Volume Copies, some of them fail to do so. However, there's no other way to check that except as to download ShadowExplorer and try to recover encrypted files using it.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Use free GandCrab2 decryptor
GandCrab2 virus can be decrypted with the help of free GandCrab decryptor that can be downloaded from NoMoreRansom.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab2 and other ransomwares, use a reputable anti-spyware, such as RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.
- ^ GandCrab, Saturn, and Data Keeper: 3 New Ransomware-as-a-Service Platforms Gaining Steam. Barkly Blog.
- ^ Linas Kiguolis. Fake HoeflerText font update delivers GandCrab ransomware. 2-Spyware. The largest sources of security and tech-related information.
- ^ Jeff Kauflin. Dash Is Up 8,000% In 2017. Is This 'Darkcoin' A Better Version Of Bitcoin?. Forbes. A global media company.
- ^ Danny Palmer. Ransomware crooks test a new way to spread their malware. ZDNet. 24/7 news coverage and analysis on the trends, technologies and opportunities.
- ^ Senzavirus. Senzavirus. Virus and Spyware news.