GDCB – a ransomware that is now decryptable, though new versions emerge
GDCB virus is a ransomware that has been circulating the world wide web since January 2018. It is a version of GandCrab ransomware. Initially, it was distributed with the help of well-known Rig and GrandSoft exploit kits; however, a large number of victims got infected via malicious email attachments. The original virus infected over 50,000 users and extorted around $300,000-$600,000.
| Summary | .GDCB file extension virus |
|---|---|
| Versions | GDCB and CRAB |
| File extensions | .GDCB and .CRAB |
| Ransom notes | GDCB-DECRYPT.txt (v1) and CRAB-DECRYPT.txt (v2 and v3) |
| Decryption | v1 – yes, v2 and v3 – no |
| Main dangers | Permanent loss of data, compromised computer, etc. |
| Elimination | Download and install ReimageIntego or Malwarebytes |
Once the ransomware executable is opened, the virus locks personal files (.doc, .txt, .jpg, .png, .audio, .video, etc.) with sophisticated AES cryptography and appends the .GDCB file extension to each of them. After a successful encryption procedure, the user of the infected PC can no longer access his or her personal files. Up until now, the only way to decrypt files locked by this malicious ransomware was to pay the ransom.
However, since the end of February 2018, people don't have to give away their money to cyber crooks because a free .GDCB file extension decryptor has been released. Bitdefender, along with the Romanian Police, the Directorate for Investigating Organized Crime and Terrorism (DIICOT) and Europol, initiated a special operation and cracked the GandCrab encryption code. The official decryptor is offered for free as part of the No More Ransom project and can also be downloaded from Bitdefender's official website.
While there were some reports that the free GDCB decryptor doesn't work, it is a must to run the decryptor on a folder that contains more than five files locked by this ransomware. Otherwise, it will fail to work.
In early March 2018, security researchers discovered a second version of the .GDCB virus, dubbed GandCrab 2.0. The virus adds the .CRAB file extension and drops the CRAB-DECRYPT.txt ransom note. The virus is not decryptable currently.
In late April 2018, the newest version of the .GDCB virus was released – GandCrab 3. Just like the second variant, the virus appends the .CRAB extension after encryption and drops a ransom note called CRAB-DECRYPT.txt. GandCrab 3 is not decryptable as of this moment.
When GDCB ransomware finishes file encryption, it creates a GDCB-DECRYPT.txt file on the desktop and in every folder that contains at least one encrypted file. This so-called ransom note instructs the victim to take the following steps:
1. Download Tor browser – https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page
According to the extortionists, completing these steps and transferring the ransom is the only way to decrypt files encrypted by the .GDCB file virus. The criminals demand 1.54 DASH for the GandCrab decrypter, which is equal to 1200 USD. If the data locked by this virus is significant to you, then you may consider transferring the ransom.
.GDCB file extension virus is a variant of GandCrab virus, which spreads via exploit kits and spam attachments with an intention to encrypt files and demand for 1.54 DASH ransom.
However, cybersecurity experts recommend refraining from doing that because any deal with crooks can lead to other problems. No one can guarantee that the decrypter promoted by the GandCrab ransomware developers will remove the GDCB virus from your computer.
Instead of paying the ransom, you should remove GDCB with ReimageIntego, SpyHunter 5, Combo Cleaner, Malwarebytes or another powerful anti-virus program and recover your files using professional data recovery tools or Shadow Volume Copies. At the moment, it seems that the virus fails to remove them. You can find more data recovery options at the end of this article.
GDCB virus returns with a new extension variant
GDCB authors do not take part in malicious campaigns themselves. They merely develop the malware and sell it on the Dark Web, so they can focus all their attention on improving the virus. According to experts, the very first version was “full of bugs and mistakes from a developer’s standpoint.” However, as long as the authors have clients who are willing to use their creation, they will continue to remedy these flaws.
Thus, it did not take long for GDCB authors to create two new versions of the virus. Neither of the variants is decryptable, and both add the .CRAB extension to each of the affected files. For example, picture.jpg would be turned into picture.jpg.CRAB after encryption.
The .CRAB virus drops the CRAB-DECRYPT.txt ransom note demanding between $400 and $1000 for file decryption. Neither GandCrab v2 nor GandCrab v3 is decryptable currently.
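As an added example (not from the article and not a vendor tool), a Python triage script that walks a folder tree for the artifacts described above: files ending in .GDCB or .CRAB, the GDCB-DECRYPT.txt and CRAB-DECRYPT.txt notes, and whether a folder holds the five or more encrypted files the free v1 decryptor needs. The sample tree it builds is constructed from empty placeholder files.

```python
import os
import tempfile

# Artifacts the article describes: appended extension -> (ransom note, variant label, free decryptor exists?)
VARIANTS = {
    ".GDCB": ("GDCB-DECRYPT.txt", "GandCrab v1", True),
    ".CRAB": ("CRAB-DECRYPT.txt", "GandCrab v2/v3", False),
}
NOTE_NAMES = {note.upper(): ext for ext, (note, _label, _dec) in VARIANTS.items()}
MIN_FILES_FOR_DECRYPTOR = 5  # the free v1 tool refuses folders with fewer encrypted files


def triage_tree(root):
    """Walk root; return {relative folder: {"notes": [...], "encrypted": {label: {...}}}}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = {ext: 0 for ext in VARIANTS}
        notes = sorted(n for n in files if n.upper() in NOTE_NAMES)
        for name in files:
            ext = os.path.splitext(name)[1].upper()  # picture.jpg.CRAB -> .CRAB
            if ext in hits:
                hits[ext] += 1
        if not notes and not any(hits.values()):
            continue  # folder untouched by the ransomware
        entry = {"notes": notes, "encrypted": {}}
        for ext, count in hits.items():
            if count:
                _note, label, decryptable = VARIANTS[ext]
                entry["encrypted"][label] = {
                    "count": count,
                    "decryptor_available": decryptable,
                    "decryptor_ready": decryptable and count >= MIN_FILES_FOR_DECRYPTOR,
                }
        report[os.path.relpath(dirpath, root)] = entry
    return report


def build_sample_tree():
    """Constructed sample tree of placeholder files (not real encrypted data) in a temp dir."""
    root = tempfile.mkdtemp(prefix="gdcb_triage_")
    layout = {
        "Documents": [f"report{i}.doc.GDCB" for i in range(5)] + ["GDCB-DECRYPT.txt"],
        "Desktop": ["todo.txt.GDCB", "GDCB-DECRYPT.txt"],  # too few files for the v1 decryptor
        "Pictures": ["picture0.jpg.CRAB", "picture1.jpg.CRAB", "CRAB-DECRYPT.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample\n")
    return root
```

Run `triage_tree` against a copy of the affected profile before removal so you know which folders can be handed to the v1 decryptor and which hold the undecryptable .CRAB variant.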
Be attentive while opening your emails and avoid ransomware infections
The developers of this ransomware employ three distribution strategies – the Rig exploit kit, the GrandSoft exploit kit and malvertising. The first two methods are initiated via system vulnerabilities that allow the SQL server to run malicious code. If successful, the extortionists can execute malicious programs on the system and lock personal files remotely. Unfortunately, protection from exploit kits is a difficult task, though possible. All you have to do is update both your OS and anti-virus regularly, but that won't ensure a hundred percent protection.
Apart from exploit kits, ransomware developers prefer spreading emails with malicious attachments. Such emails feature doubtful subjects, for example, Receipt Feb-21310 [random number], and have no body text. Besides, the sender is usually unknown and the message contains grammar mistakes or typos. The latest known version of the GandCrab ransomware virus has been disseminated via an @cdkconstruction.org email address (the first part always differs). In all of the cases, the letter contains a .doc file attached. Most ransomware uses such a malspam scheme. Therefore, experts recommend avoiding any interaction with suspicious emails. Double-check each message and report it as spam if it turns out to be suspicious.
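As an added example (not from the article or any mail-security product), a Python rule that scores a message against the malspam indicators described above: the Receipt Mon-NNNNN subject, an empty body, the reported sender domain and a .doc attachment. The verdict thresholds and the sample messages are constructed assumptions.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators the article reports for the GandCrab malspam wave (constructed rule set, not a vendor signature)
SUBJECT_RE = re.compile(r"^Receipt [A-Z][a-z]{2}-\d+$")  # e.g. "Receipt Feb-21310", number varies
OBSERVED_SENDER_DOMAIN = "cdkconstruction.org"          # local part differed between messages
LURE_EXTENSIONS = (".doc",)


def malspam_indicators(raw_bytes):
    """Return the list of indicators present in one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        hits.append("subject:receipt-pattern")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("body:empty")  # attachment-only message, no text
    _name, addr = parseaddr(msg["From"] or "")
    if addr.lower().endswith("@" + OBSERVED_SENDER_DOMAIN):
        hits.append("sender:observed-domain")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(LURE_EXTENSIONS):
            hits.append("attachment:doc")
            break
    return hits


def verdict(raw_bytes):
    """Quarantine on three or more indicators, hold for review on two, otherwise allow (assumed thresholds)."""
    n = len(malspam_indicators(raw_bytes))
    return "quarantine" if n >= 3 else "review" if n == 2 else "allow"


def build_sample(subject, sender, body=None, attachment=None):
    """Constructed sample message; the attachment is placeholder bytes, not a real document."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.com"
    if body:
        msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application", subtype="msword", filename=attachment)
    return msg.as_bytes()


LURE = build_sample("Receipt Feb-21310", "accounts@cdkconstruction.org", attachment="Receipt.doc")
BENIGN = build_sample("Lunch on Friday", "colleague@example.com", body="Noon at the usual place?")
```

The sender-domain indicator is the weakest of the four, since the campaign can change domains at any time; the subject pattern plus an empty body with a lone .doc attachment is the combination worth alerting on.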
GDCB ransomware should be deleted using robust security software
If you found the gdcb-decrypt.txt file on your PC, you have a serious virus on your computer. Typically, it gives you a limited amount of time to decide whether to pay the ransom or not. As of now, there's no free GDCB decryptor available, so the only way to get one is to transfer the set amount of DASH coins and wait for the criminals to send you the paid decryptor.
However, you should think twice because GDCB virus removal is the better way out. Although all encrypted files will be removed along with the virus, you will have many chances to decrypt them using alternative data recovery methods (listed below).
To remove GDCB ransomware from the system, you will have to use a professional anti-malware program because even IT specialists can hardly eradicate such intricate infections from the system without leaving traces behind.
To remove .GDCB virus, follow these steps:
Manual .GDCB removal using Safe Mode
To get rid of the .GDCB file extension virus with Safe Mode with Networking, follow the guide given below. This will help you launch your antivirus and run a full scan.
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in a full Windows compromise), and it might also take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing the F8 key (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to the Background processes section and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that contains the malicious files).
- Scroll through the Files to delete list and select the following:
  - Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove .GDCB using System Restore
Steps given below will explain how to use System Restore to eliminate ransomware from the system.
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list.
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select the restore point that is prior to the infiltration of .GDCB. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove .GDCB from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by .GDCB, you can use several methods to restore them:
Data Recovery Pro can help you recover your encrypted files
Data Recovery Pro is a free software utility that can help you recover files locked by the .GDCB file extension virus and other ransomware, even though its initial purpose is to recover accidentally deleted files. Use the guide below to unlock them.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by .GDCB ransomware;
- Restore them.
Previous Windows Version can help to recover individual files
This option can also help you decrypt files encrypted by ransomware. However, unlike the previous method, Previous Windows Version will recover your files only if the Windows Previous Versions feature was enabled on your computer.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.
Download ShadowExplorer to start using your encrypted files
If GandCrab ransomware didn't delete the Volume Shadow Copies, you should try to remove the .GDCB file extension from your personal files by following these steps:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Use an official GDCB decrypter
Cybersecurity researchers managed to crack the GDCB virus code and stopped it after two months of hegemony. Anyone who wants to try this tool can download it from two sources – Bitdefender's official website or the No More Ransom! Project.
- All you have to do is to click the Download button and download the BDGandCrabDecryptTool.exe.
- Double-click on the .exe file to run it.
- Read Licence Terms and click I Agree button to continue.
- Now either copy the path to the location where encrypted files are stored or browse for it.
IMPORTANT: make sure that the location contains no fewer than five encrypted files. Otherwise, the tool will fail to work.
- Once done, click Scan.
Unfortunately, the .CRAB decryptor does not exist yet.
Finally, you should always think about protection against crypto-ransomware. To protect your computer from .GDCB and other ransomware, use reputable anti-spyware such as ReimageIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
Protect your privacy – employ a VPN
There are several ways to make your online time more private – you can open an incognito tab. However, it is no secret that even in this mode you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus keeping your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, or made available to either first or third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without the feeling of being spied on or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you do not need to look far for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many people panic outright when such an unfortunate course of events happens. For this reason, you should always ensure that you make proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.