Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2018

How to remove .GDCB file extension virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Gabriel E. Hall · Passionate web researcher

GDCB – a ransomware that is now decryptable, though new versions emerge 

An example of files locked by .GDCB file extension virus

GDCB virus is a ransomware that has been circulating the world wide web since January 2018. It is a version of GandCrab ransomware. Initially, it was distributed with the help of well-known Rig and GrandSoft exploit kits[1]; however, a large number of victims got infected via malicious email attachments. The original virus infected over 50,000 users and extorted around $300,000-$600,000.

SUMMARY
Name GDCB virus
Type Ransomware
Versions GDCB and CRAB
File extensions .GDCB and .CRAB
Ransom notes GDCB-DECRYPT.txt (v1) and CRAB-DECRYPT.txt (v2 and v3)
Decryption v1 – yes, v2 and v3 – no
Main dangers Permanent loss of data, compromised computer, etc.
Elimination Download and install FortectIntego or MalwarebytesMalwarebytes

Once the ransomware executable is opened, the virus locks personal files (.doc, .txt, .jpg, .png, .audio, .video, etc.) with a sophisticated AES[2] cryptography and appends .GDCB file extension to each of them. Upon successful encryption procedure, the user of an infected PC can no longer access his or her personal files. Up until now, the only way to decrypt files locked by this malicious ransomware was to pay the ransom. 

However, since the end of February 2018, people don't have to give away their money to cyber crooks because a free .GDCB file extension decryptor[3] has been released. Bitdefender, along with Romanian Police, the Directorate for Investigating Organized Crime and Terrorism (DIICOT) and Europol initiated a special operation and cracked GandCrab encryption code. The official decryptor is offered as a part of No More Ransom project for free and can also be downloaded from the official Bitdefender's website. 

While there were some reports that the free GDCB decryptor doesn't work, it's a must to run a decryptor on a folder, which contains more than five files locked by this ransomware. Otherwise, it will fail to work. 

In early March 2018, security researchers discovered a second version of .GDCB virus, dubbed GandCrab 2.0. The virus ads .CRAB file extension and drops CRAB-DECRYPT.txt ransom note. The virus is not decryptable currently.

In late April 2018, the newest version of .GDCB virus has been released – GandCrab 3. Just as second variant, the virus appends .CRAB extension after encryption and drops a ransom note called CRAB-DECRYPT.txt. GandCrab 3 is not decryptable as of this moment.

When GDCB ransomware finishes file encryption, it creates a GDCB-DECRYPT.txt file on the desktop and all folders that contain at least one encrypted data. This so-called, ransom note instructs the victim to do the following steps:

1. Download Tor browser – https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page

According to extortionists, initiating these steps and transferring the ransom is the only way to decrypt files encrypted by .GDCB file virus. Criminals require paying 1.54 DASH[4] for the GandCrab decrypter, which is equal to 1200 USD. If the data locked by this virus is significant to you, then you may consider transferring the ransom.

Showing.GDCB file extension ransomware

However, cybersecurity experts recommend refraining from doing that because any deal with crooks can lead to other problems. No one can guarantee that decrypter that is promoted by GandCrab ransomware developers will remove GDCB virus from your computer.

Instead of paying the ransom, you should remove GDCB with FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes or another powerful anti-virus program and recover your files using professional data recovery tools or Shadow Volume Copies. At the moment, it seems that virus fails to remove them. You can find more data recovery options at the end of this article.

GDCB virus returns with with new extension variant

GDCB authors do not take part in malicious campaigns. They merely develop the malware and sell it on the Dark Web. Therefore, they can focus all their attention on improving the virus. According to experts, the very first version “full of bugs and mistakes from a developer’s standpoint.”[5] However, as long as authors will have clients who are willing to use their creation – they will continue to remedy these flaws.

Thus, it did not take long for GDCB authors to create two new version of the virus. Both of the variants are not decryptable and add .CRAB extension to each of the affected files. For example, picture.jpg would be turned into picture.jpg.CRAB after encryption.

.CRAB virus drops CRAB-DECRYPT.txt ransom note demanding between $400 and $1000 for file decryption. Both GandCrab v2 and GandCrab v3 are not decryptable currently.

GDCB ransomware

Be attentive while opening your emails and avoid ransomware infections

The developers of this ransomware virus employ three distribution strategies – Rig exploits kit, GrandSoft exploit kit and malvertising. The first two methods are initiated via system's vulnerabilities that allow the SQL server to run malicious code. In case of success, extortionists can execute malicious programs onto the system and lock personal files remotely. Unfortunately, protection from exploit kits is a difficult task, though possible. All you have to do is to update both your OS and anti-virus regularly, but that won't ensure a hundred percent protection.

Apart from exploit kits, ransomware developers prefer spreading email letters with malicious attachments. Such emails feature doubtful subjects, for example, Receipt Feb-21310 [ random numbered] and have no body text. Besides, the sender should be unknown and contain some grammar or typo mistakes. The latest known version of GandCrab ransomware virus has been disseminated via @cdkconstruction.org email address (the first part always differs). In all of the cases, the letter contains a .doc file attached. Most ransomware virus uses such malspam schema. Therefore, experts[6] recommend avoiding any interaction with suspicious emails. Double-check each message and report it as spam if it turns out to be suspicious.

GDCB ransomware should be deleted using robust security software

If you found gdcb-decrypt.txt file on your PC, you have a serious virus on your computer. Typically, it provides a limited amount of time to think whether to pay the ransom or not. As for now, there's no free GDCB decryptor available, so the only way to get it is to transfer the set amount of DASH coins and wait for the criminals to send you a paid decryptor.

However, you should think twice because GDCB virus removal is a better way out. Although all encrypted files will be removed along with the virus, you will have many changes to decrypt them using alternative data recovery methods (listed below).

GDCB virus

To remove GDCB ransomware from the system, you will have to use a professional anti-malware program because even IT specialists can hardly eradicate such intricate infections from the system without leaving their footprints.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.