How to remove GandCrab ransomware and recover encrypted files

Complete tips to delete GandCrab ransomware and decrypt data

GandCrab ransomware is a cryptovirus observed first time back in year 2018. During that time, it earned the name of the most destructive malware in the word. The malware has numerous variants released on time to time. GDCB, KRB AND CRAB are some of them and also the dangerous Gandcrab 5.0.4 and GandCrab 5.1 belong to this malware category.

The malware is distributed using various distribution practices. These are RIG, GradSoft, Magnitude and Fullout exploit kits, cracks, keygens and fake updates. The good news for you is that Bitdefender research team, with the collaboration with Europol and Romania police, managed to create the decryption of the GandCrab ransomware– the third decryptor that works for versions 1, 4, 5.0.1 through 5.1.

Romanian police defeated the first version of the ransomware within the two week of its activation. The then Bitfender created a free GandCrab decryptor on NoMoreRansom Project. However, during the year 2019, the threat actors presented several new versions that demand 2000 USD in Dash or Bitcoin for fully files decryption. The improved versions have not been decrypted as the crooks fully patch the critical flaw within 24 hours the Bitdenfeder was released.

At present, the malware is appending a random character to the filenames of the encrypted files. It instructs users to purchase the GandCrab decryptor from the malicious actors through a Tor address. Users should require being careful when dealing with hackers as making a payment will not guarantee that they will provide the decryption tool that you require.

Action performed by virus after the infiltration

Rightly after the successful intrusion, the malware collects the data like username, PC name, OS and similar ones needed to design a unique ID number. After that, it starts the files encryption process and makes all stored files inaccessible. The encoding of the files means locking them with a particular keys/ character which is saved in C&C server belongs to the crooks. For explaining the entire situation that how to recover the files in a ransom demanding message which can be found on each encrypted file containing folder.

The encrypted files will also be renamed. The extension used could be GDCB-DECRYPT.txt, KRAB-DECRYPT.txt or [victim’s ID]-DECRYPT.txt. The ransom note provides the information on how to recover the files and makes them inaccessible once again. This is the message that the older GandCrab ransomware variants shows in ransom demanding file:

—= GANDCRAB =—

Attention!

All your files documents, photos, databases and other important files are encrypted and have the extension: .

The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

1. Download Tor browser – https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

DANGEROUS!

Do not try to modify files or use your own private key – this will result in the loss of your data forever!

The newer variants show the following ransom demanding message:

—= GANDCRAB V5.1 =—

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension:

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

—————————————————————————————-

| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor browser

| 2. Open Tor Browser

| 3. Open link in TOR browser: [link]

| 4. Follow the instructions on this page

—————————————————————————————-

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!

IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES

* DO NOT CHANGE DATA BELOW

—BEGIN GANDCRAB KEY—

******

—END GANDCRAB KEY—

—BEGIN PC DATA—

******

—END PC DATA—

When the victims download the Tor browser and click on the provided link in the ransom note, they get directed to the attackers’ website. There, the users are requested to upload their ransom note. This is why the crooks are telling not to delete the ransom note in any circumstances. The website opened presents the payment instructions. The amount of the ransom money asked from the users is $1200. The money is often asked in Bitcoin or DASH cryptocurrency. The hackers warn the users that postponing the plan of the payment can double the price of the demanded sum.

We strongly advise you not to follow the rules of the cyber-criminals. They will never provide the decryption tool under any circumstances. The best option to deal with this situation is to remove GandCrab ransomware and recover the files using backups you have. If there is no backup, check our data recovery section below, where you will find more than two methods for the files recovery with their complete stepwise guide. There, you will also find the easy step-by-step guide to remove GandCrab ransomware from the system.

Exploit kits are often used in the virus distribution

Hackers use different techniques to distribute their malicious creations. However, using exploit kit has been commonly observed being practiced for the distribution of this malware. Exploit kits are considered as the most sophisticated ones as they often detect and identity system vulnerabilities and then misuse these holes to infiltrate malware. As per the experts, common exploit kits used for this malware distribution are Rig EK, GrandSoft Ek, Magnitude EK and Fallout Ek.

 It is worth knowing that the exploit kits are not the only way through which the ransomware is distributed. The crooks may use deceptive spam emails with infectious attachments. Such attachments are often disguised as are shopping recipients, invoices or similar documents from well known brands and companies. Users open the malicious file and let the cyber-threat in. To protect the system, you should require never clicking on any attachments whose senders’ addresses are suspicious. Also, keep the system and installed apps updated so that the system has no vulnerability to get exploited.

Antimalware Details And User Guide

Click Here For Windows

Click Here For Mac

Step 1: Remove GandCrab ransomware through “Safe Mode with Networking”

Step 2: Delete GandCrab ransomware using “System Restore”

Step 1: Remove GandCrab ransomware through “Safe Mode with Networking”

For Windows XP and Windows 7 users: Boot the PC in “Safe Mode”. Click on “Start” option and continuously press on F8 during the start process until the “Windows Advanced Option” menu appears on the screen. Choose “Safe Mode with Networking” from the list.

Now, a windows homescreen appears on the desktop and work-station is now working on “Safe mode with networking”.

For Windows 8 Users: Go to the “Start Screen”. In the search results select settings, type “Advanced”. In the “General PC Settings” option, choose “Advanced startup” option. Again, click on the “Restart Now” option. The work-station boots to “Advanced Startup Option Menu”. Press on “Troubleshoot” and then “Advanced options” button.  In the “Advanced Option Screen”, press on “Startup Settings”. Again, click on “Restart” button. The work-station will now restart in to the “Startup Setting” screen. Next is to press F5 to boot in Safe Mode in Networking.

For Windows 10 Users: Press on Windows logo and on the “Power” icon. In the newly opened menu, choose “Restart” while continuously holding “Shift” button on the keyboard. In the new open “Choose an option” window, click on “Troubleshoot” and then on the “Advanced Options”. Select “Startup Settings” and press on “Restart”. In the next window, click on “F5” button on the key-board.

Step 2: Delete GandCrab ransomware using “System Restore”

Log-in to the account infected with GandCrab ransomware. Open the browser and download a legitimate anti-malware tool. Do a full System scanning. Remove all the malicious detected entries.

In case if you cannot start the PC in “Safe Mode with Networking”, Try using “System Restore”

• During the “Startup”, continuously press on F8 key until the “Advanced Option” menu appears. From the list, choose “Safe Mode with Command Prompt” and then press “Enter”

• In the new opened command prompt, enter “cd restore” and then press “Enter”.

• Type: rstrui.exe and Press “ENTER”

• Click “Next” on the new windows

• Choose any of the “Restore Points” and click on “Next”. (This step will restore the work-station to its earlier time and date prior to GandCrab ransomware infiltration in the PC.

• In the newly opened windows, press on “Yes”.

Once your PC gets restored to its previous date and time, download the recommended anti-malware tool and perform a deep scanning in order to remove GandCrab ransomware files if they left in the work-station.

In order to restore the each (separate) file by this ransomware, use “Windows Previous Version” feature. This method is effective when “System Restore Function” is enabled in the work-station.

Important Note: Some variants of GandCrab ransomware delete the “Shadow Volume Copies” as well hence this feature may not work all the time and is applicable for selective computers only.

How to Restore Individual Encrypted File:

In order to restore a single file, right click on it and go to “Properties”. Select “Previous Version” tab. Select a “Restore Point” and click on “Restore” option.

In order to access the files encrypted by GandCrab ransomware, you can also try using “Shadow Explorer”. In order to get more information on this application, press here.

Important: Data Encryption Ransomware are highly dangerous and it is always better that you take precautions to avoid its attack on your work-station. It is advised to use a powerful anti-malware tool in order to get protection in real-time. With this help of “SpyHunter”, “group policy objects” are implanted in the registries in order to block harmful infections like GandCrab ransomware.

Also, In Windows 10, you get a very unique feature called “Fall Creators Update” that offer “Controlled Folder Access” feature in order to block any kind of encryption to the files. With the help of this feature, any files stored in the locations such as “Documents”, “Pictures”, “Music”, “Videos”, “Favorites” and “Desktop” folders are safe by default.

It is very important that you install this “Windows 10 Fall Creators Update” in your PC to protect your important files and data from ransomware encryption. The more information on how to get this update and add an additional protection form rnasomware attack has been discussed here.

How to Recover the Files Encrypted by GandCrab ransomware?

Till now, you would have understood that what had happed to your personal files that got encrypted and how you can remove the scripts and payloads associated with GandCrab ransomware in order to protect your personal files that has not been damaged or encrypted until now. In order to retrieve the locked files, the depth information related to “System Restore” and “Shadow Volume Copies” has already been discussed earlier. However, in case if you are still unable to access the encrypted files then you can try using a data recovery tool.

Use of Data Recovery Tool

This step is for all those victims who have already tries all the above mentioned process but didn’t find any solution. Also it is important that you are able to access the PC and can install any software. The data recovery tool works on the basis of System scanning and recovery algorithm. It searches the System partitions in order to locate the original files which were deleted, corrupted or damaged by the malware. Remember that you must not re-install the Windows OS otherwise the “previous” copies will get deleted permanently. You have to clean the work-station at first and remove GandCrab ransomware infection. Leave the locked files as it is and follow the steps mentioned below.

Step1: Download the software in the work-station by clicking on the “Download” button below.

Step2: Execute the installer by clicking on downloaded files.

Step3: A license agreement page appears on the screen. Click on “Accept” to agree with its terms and use. Follow the on-screen instruction as mentioned and click on “Finish” button.

Step4: Once the installation gets completed, the program gets executed automatically. In the newly opened interface, select the file types that you want to recover and click on “Next”.

Step5: You can select the “Drives” on which you want the software to run and execute the recovery process. Next is to click on the “Scan” button.

Step6: Based on drive you select for scanning, the restore process begins. The whole process may take time depending on the volume of the selected drive and number of files. Once the process gets completed, a data explorer appears on the screen with preview of that data that is to be recovered. Select the files that you want to restore.

Step7. Next is to locate the location where you want to saver the recovered files.