Remove .GDCB file extension virus (Removal Guide) - updated May 2018

Removal guide by Gabriel E. Hall | Type: Ransomware

GDCB – a ransomware that is now decryptable, though new versions emerge 

An example of files locked by .GDCB file extension virus


GDCB virus is a ransomware that has been circulating the web since January 2018. It is a version of GandCrab ransomware. Initially it was distributed with the help of the well-known Rig and GrandSoft exploit kits[1]; later, a large number of victims were infected via malicious email attachments. The original virus infected over 50,000 users and extorted around $300,000-$600,000.

Name: GDCB virus
Type: Ransomware
Versions: GDCB (v1) and CRAB (v2 and v3)
File extensions: .GDCB and .CRAB
Ransom notes: GDCB-DECRYPT.txt (v1) and CRAB-DECRYPT.txt (v2 and v3)
Decryption: v1 – yes (free Bitdefender decryptor), v2 and v3 – no
Main dangers: Permanent loss of data, compromised computer, etc.
Elimination: Remove the malware with a reputable anti-malware program such as Reimage Cleaner Intego or Malwarebytes, then recover files from backup or with the tools described below

Once the ransomware executable is opened, the virus encrypts personal files (documents, text files, pictures, audio, video, etc.) with AES[2] and appends the .GDCB file extension to each of them. After the encryption finishes, the user of the infected PC can no longer open those files. Until the free decryptor appeared, the only way to get files locked by this ransomware back, short of restoring them from a backup, was to pay the ransom.

However, since the end of February 2018 victims no longer have to hand their money to cyber crooks, because a free .GDCB decryptor[3] has been released. Bitdefender, together with the Romanian Police, the Directorate for Investigating Organized Crime and Terrorism (DIICOT) and Europol, ran a joint operation that made decryption of GandCrab v1 files possible without the criminals' key. The official decryptor is offered free of charge as part of the No More Ransom project and can also be downloaded from Bitdefender's official website.

Some users reported that the free GDCB decryptor does not work. In most of these cases the cause is the tool's minimum input: it must be pointed at a folder that contains at least five files locked by this ransomware, otherwise it fails. If your encrypted files are scattered across small folders, copy several of them into one folder before running the tool.

In early March 2018, security researchers discovered a second version of the .GDCB virus, dubbed GandCrab 2.0. This version appends the .CRAB file extension and drops a CRAB-DECRYPT.txt ransom note. It is not decryptable at the moment.

In late April 2018 the newest version, GandCrab 3, was released. Like the second variant, it appends the .CRAB extension after encryption and drops a ransom note called CRAB-DECRYPT.txt. GandCrab 3 is not decryptable at the time of writing either.

When GDCB ransomware finishes encrypting files, it creates a GDCB-DECRYPT.txt file on the desktop and in every folder that contains at least one encrypted file. This so-called ransom note instructs the victim to take the following steps:

1. Download Tor browser –
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page

According to the extortionists, following these steps and transferring the ransom is the only way to decrypt files encrypted by the .GDCB file virus. The criminals demand 1.54 DASH[4] for the GandCrab decrypter, which was equal to about 1200 USD at the time. If the locked data is important to you, you may be tempted to pay.

.GDCB file extension ransomware: a variant of GandCrab virus that spreads via exploit kits and spam attachments, encrypts files and demands a 1.54 DASH ransom.

However, cybersecurity experts recommend against paying, because any deal with crooks can lead to further problems: there is no guarantee that the decrypter sold by the GandCrab developers will be delivered, that it will restore every file, or that it will remove the GDCB virus from your computer.

Instead of paying the ransom, remove GDCB with Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner, Malwarebytes or another reputable anti-virus program, and then recover your files from a backup, with professional data recovery tools or from Volume Shadow Copies. At the time of writing, the virus does not appear to delete Shadow Copies, so that route is worth checking first. More data recovery options are listed at the end of this article.

GDCB virus returns with a new extension variant

GDCB authors do not take part in malicious campaigns themselves. They develop the malware and sell it on the Dark Web, so they can focus all their attention on improving it. According to experts, the very first version was “full of bugs and mistakes from a developer's standpoint.”[5] As long as the authors have clients willing to use their creation, they will keep fixing these flaws.

Thus, it did not take long for the GDCB authors to create two new versions of the virus. Neither variant is decryptable, and both add the .CRAB extension to each affected file. For example, picture.jpg becomes picture.jpg.CRAB after encryption.

.CRAB virus drops CRAB-DECRYPT.txt ransom note demanding between $400 and $1000 for file decryption. Both GandCrab v2 and GandCrab v3 are not decryptable currently.


Be attentive while opening your emails and avoid ransomware infections

The developers of this ransomware use three distribution strategies: the Rig exploit kit, the GrandSoft exploit kit and malvertising. The exploit kits are reached through malicious advertisements or compromised websites and abuse vulnerabilities in the browser and its plugins to run code on the visitor's machine; if that succeeds, the extortionists can drop the ransomware onto the system and lock personal files without any user interaction. Protection from exploit kits is difficult, but not impossible: keep your operating system, browser, browser plugins and anti-virus up to date, and remove plugins you do not need. Even then, no single measure gives one hundred percent protection.

Apart from exploit kits, ransomware developers like to spread emails with malicious attachments. Such emails feature dubious subjects, for example Receipt Feb-21310 (the number is random), and have no body text. The sender is usually unknown, and the message often contains grammar or spelling mistakes. The latest known version of GandCrab has been disseminated from email addresses whose first part always differs. In all known cases the letter carries a .doc file attached. Most ransomware uses such a malspam scheme, so experts[6] recommend avoiding any interaction with suspicious emails: double-check each message and report it as spam if it turns out to be suspicious.
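The following script, added here as an illustration and not part of the original article, turns the malspam traits described above (a receipt-style subject with a month abbreviation and random digits, an empty body, and a .doc attachment) into a triage check that can be run over raw e-mail messages. The four sample messages are constructed inline; the placeholder sender addresses, the extra .docm extension and the two-of-three threshold are this example's assumptions, not something the article states.

```python
"""Flag e-mails matching the GandCrab malspam traits described above.

Added example (not from the article). Sample messages are constructed
inline; the threshold and the .docm extension are assumptions.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject pattern from the article: "Receipt Feb-21310" (month, dash, digits).
SUBJECT_RE = re.compile(r"^Receipt\s+[A-Z][a-z]{2}-\d+\s*$")
# .doc is what the article reports; .docm (macro-enabled) is an assumption.
RISKY_EXT = (".doc", ".docm")
# Assumption: two of the three traits together are enough to quarantine.
THRESHOLD = 2


def body_is_empty(msg: EmailMessage) -> bool:
    """True when no text/plain or text/html part carries visible text."""
    for part in msg.walk():
        if part.is_attachment():
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            if part.get_content().strip():
                return False
    return True


def word_attachments(msg: EmailMessage) -> list:
    """Names of attachments whose extension is in RISKY_EXT."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_EXT)]


def score_message(raw: bytes) -> dict:
    """Parse one raw message and list the malspam traits it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("receipt-style subject")
    if body_is_empty(msg):
        reasons.append("empty body")
    docs = word_attachments(msg)
    if docs:
        reasons.append("Word attachment: " + ", ".join(docs))
    return {"subject": subject, "sender": msg.get("From", ""),
            "reasons": reasons, "suspicious": len(reasons) >= THRESHOLD}


def triage(raw_messages) -> list:
    """Score every raw message in the given iterable."""
    return [score_message(raw) for raw in raw_messages]


def build_sample(subject: str, body: str, attach_name: str = None) -> bytes:
    """Construct a sample message (test data, not a real e-mail)."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"   # placeholder sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    if body:                                # malspam has no text part at all
        m.set_content(body)
    if attach_name:
        # Fake OLE2 magic bytes stand in for a real .doc; nothing malicious.
        m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
                         maintype="application", subtype="msword",
                         filename=attach_name)
    return m.as_bytes()


# Constructed samples: one malspam lookalike, one legitimate .doc, one chat
# message, and one receipt-style message without an attachment.
SAMPLES = [
    build_sample("Receipt Feb-21310", "", "Receipt_21310.doc"),
    build_sample("Q1 report", "Attached as discussed.", "Q1_report.doc"),
    build_sample("Lunch on Friday?", "Are we still on for 12:30?"),
    build_sample("Receipt Jul-4821", ""),
]

if __name__ == "__main__":
    for r in triage(SAMPLES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(flag, repr(r["subject"]), "|", "; ".join(r["reasons"]) or "-")
```

The threshold keeps a legitimate invoice with a .doc attachment out of quarantine while still catching a receipt-style subject with an empty body even when the attachment was stripped upstream; tune THRESHOLD and RISKY_EXT to your own mail flow.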

GDCB ransomware should be deleted using robust security software

If you found a gdcb-decrypt.txt file on your PC, you have a serious virus on your computer. Typically, the note gives a limited amount of time to decide whether to pay the ransom or not. For the original .GDCB version a free decryptor is available (see the recovery section below); for the .CRAB versions there is currently no free decryptor, so the only way to obtain one is to transfer the demanded amount of DASH and wait for the criminals to send a paid decryptor, which they may never do.

However, you should think twice, because GDCB virus removal is the better way out. Removing the virus neither decrypts nor deletes the encrypted files; they stay on the disk, and you have a good chance of restoring them using the alternative data recovery methods listed below.


To remove GDCB ransomware from the system, use a professional anti-malware program: manual removal of such an intricate infection is error-prone, and even IT specialists can leave components behind.


To remove .GDCB virus, follow these steps:

Remove .GDCB using Safe Mode with Networking

To get rid of .GDCB file extension virus with Safe Mode with Networking, follow the guide given below. This will help you launch antivirus and run a full scan.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove .GDCB

    Log in to your infected account and start the browser. Download Reimage Cleaner Intego or another legitimate anti-malware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete .GDCB removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove .GDCB using System Restore

The steps below explain how to use System Restore to eliminate the ransomware from the system.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter.
    3. When the System Restore window shows up, click Next and select a restore point created before the .GDCB infiltration. Then click Next.
    4. Click Yes to start System Restore.
    Once you have restored your system to a previous date, download and scan your computer with Reimage Cleaner Intego or another anti-malware program to make sure that .GDCB removal was successful. Note that System Restore reverts system files and settings only; it does not bring back encrypted personal files.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove .GDCB from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by .GDCB, you can use several methods to restore them:

Data Recovery Pro can help you recover your encrypted files

Data Recovery Pro is a file recovery utility whose original purpose is to recover accidentally deleted files. Such tools do not decrypt anything: they can only bring back original files if the ransomware deleted them rather than overwriting them in place, and only while the freed disk sectors have not been reused. Stop writing to the affected disk and run the scan as soon as possible. Use the guide below:

  • Download Data Recovery Pro;
  • Follow the steps of the Data Recovery Pro setup and install the program on your computer;
  • Launch it and scan your computer for the originals of files encrypted by .GDCB ransomware;
  • Restore them.

Previous Windows Version can help to recover individual files

This option can also help you restore files encrypted by ransomware. Unlike the previous method, however, it works only if the Windows Previous Versions feature (System Protection or File History) was enabled on your computer before the infection.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Check the available copies of the file under “Folder versions”, select the version you want to recover and click “Restore”.

Download ShadowExplorer to start using your encrypted files

If GandCrab ransomware did not delete the Volume Shadow Copies, you can try to get unencrypted copies of your personal files back by following these steps:

  • Download Shadow Explorer;
  • Follow the Shadow Explorer setup wizard and install the application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk that holds your encrypted data, then check which folders and snapshot dates are available;
  • Right-click on the folder you want to restore and select “Export”. You can also choose where the restored copy should be stored.

Use the official GDCB decrypter

Cybersecurity researchers managed to produce a decryptor for the GDCB virus and stopped it after two months of activity. Anyone who wants to try this tool can download it from two sources: Bitdefender's official website or the No More Ransom! project. Do not download it from anywhere else.

  • Click the Download button and save BDGandCrabDecryptTool.exe
  • Double-click the .exe file to run it.
  • Read the license terms and click the I Agree button to continue.
  • Either paste the path to the location where encrypted files are stored or browse for it.
    IMPORTANT: make sure that the location contains at least five encrypted files, otherwise the tool will fail to work.
  • Once done, click Scan.

Unfortunately, no .CRAB decryptor exists yet.
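Before running the decryptor it helps to know which variant hit the machine and where the encrypted files are. The script below is added here as an example; it is not taken from the article or from Bitdefender's tool. It walks a directory tree, counts files by the .GDCB and .CRAB markers described earlier, finds the ransom notes, and lists every folder holding fewer than five .GDCB files so they can be gathered into one folder before the decryptor is pointed at it. The directory layout is constructed in a temporary folder purely as sample data.

```python
"""Inventory a directory tree hit by GandCrab and plan the decryptor run.

Added example, not part of the article or of Bitdefender's decryptor.
The sample tree is constructed in a temporary directory.
"""
import tempfile
from collections import defaultdict
from pathlib import Path

# Markers the article describes: extension -> variant and recovery status.
VARIANTS = {
    ".gdcb": "GandCrab v1 (free decryptor available)",
    ".crab": "GandCrab v2/v3 (no free decryptor yet)",
}
RANSOM_NOTES = {"gdcb-decrypt.txt", "crab-decrypt.txt"}
# The free decryptor needs at least five encrypted files in the target folder.
MIN_FILES_FOR_DECRYPTOR = 5


def inventory(root):
    """Count encrypted files per folder and extension; collect ransom notes."""
    root = Path(root)
    per_folder = defaultdict(lambda: defaultdict(int))
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTES:
            notes.append(path.relative_to(root).as_posix())
            continue
        ext = path.suffix.lower()
        if ext in VARIANTS:
            per_folder[path.parent.relative_to(root).as_posix()][ext] += 1
    return per_folder, notes


def plan(root):
    """Summarise the infection and list folders too small for the decryptor."""
    per_folder, notes = inventory(root)
    totals = defaultdict(int)
    consolidate = []
    for folder, counts in per_folder.items():
        for ext, n in counts.items():
            totals[ext] += n
            if ext == ".gdcb" and n < MIN_FILES_FOR_DECRYPTOR:
                consolidate.append((folder, n))
    return {
        "variants": {VARIANTS[ext]: n for ext, n in totals.items()},
        "totals": dict(totals),
        "notes": sorted(notes),
        "consolidate": sorted(consolidate),
    }


def build_sample_tree(base):
    """Create a constructed victim layout (sample data, no real malware)."""
    base = Path(base)
    layout = {
        "Documents": [f"report{i}.docx.GDCB" for i in range(6)] + ["GDCB-DECRYPT.txt"],
        "Pictures": ["holiday.jpg.GDCB", "cat.png.GDCB", "GDCB-DECRYPT.txt"],
        "Archive": [f"backup{i}.zip.CRAB" for i in range(3)] + ["CRAB-DECRYPT.txt"],
        "Clean": ["notes.txt"],
    }
    for folder, names in layout.items():
        d = base / folder
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_bytes(b"constructed sample content\n")
    return base


def demo():
    """Build the sample tree, plan the recovery and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return plan(build_sample_tree(tmp))


if __name__ == "__main__":
    result = demo()
    for variant, n in result["variants"].items():
        print(f"{n:4d} files  {variant}")
    print("ransom notes:", ", ".join(result["notes"]))
    for folder, n in result["consolidate"]:
        print(f"folder {folder!r} holds only {n} .GDCB file(s); "
              "copy them into a folder with others before running the decryptor")
```

Run it against the real drive by calling plan("C:\\") instead of demo(); the "consolidate" list tells you which folders would make the decryptor fail on its own, and the "variants" summary tells you whether the free tool applies at all.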

Finally, think about protection against crypto-ransomware in advance. To protect your computer from .GDCB and other ransomware, keep offline backups of important files and use a reputable anti-malware program such as Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.


Backup files for later use, in case of a malware attack

Computer users can suffer various losses due to cyber infections or their own mistakes. Software damage caused by malware, or direct data loss through encryption, can lead to problems with your device or permanent loss of data. When you have proper, up-to-date backups, you can recover from such an incident quickly and get back to work.

Update your backups after any significant change on the device, so that you can return to the point you were working on when malware alters anything or a device fault corrupts data. Make file backup a daily or weekly habit, and keep at least one copy offline or on storage the infected machine cannot write to, since ransomware encrypts any backup drive it can reach.

When you have a previous version of every important document or project, you avoid frustration and breakdowns; it comes in handy when malware strikes out of nowhere. A file recovery utility such as Data Recovery Pro is a fallback, not a substitute for backups.

About the author
Gabriel E. Hall - Passionate web researcher

