Remove GandCrab Ransomware (with Decryption Tool)

GandCrab is a ransomware virus that appends the .crab extension to all encrypted files. Its author demands that victims pay a ransom in Bitcoin or Dash cryptocurrency in order to recover their files.

GandCrab is a ransom virus that locks files with a sophisticated encryption algorithm. Like other ransomware, this malware holds your files hostage in order to earn money. Ransomware such as GandCrab scans the system for important files and encrypts them so that they become unusable. Affected files are easy to identify because of the unique string appended to their extensions. The ransomware demands that victims pay a certain amount of Bitcoin or Dash (the price depends on the version) in order to receive the decryption key required to restore the files to their original format.

When GandCrab is executed, registry entries and several files are dropped onto the computer. This ensures that the virus loads every time Windows boots. Next, the virus modifies files on the computer such as documents, images, video, and audio. The associated programs will no longer be able to open these files, and errors will appear on the screen if you try.

It is apparent that money is the reason GandCrab exists. As long as its authors keep receiving payments from thousands of victims, this activity will never stop. If this kind of malware infects your PC, we highly suggest scanning the computer with the tools provided on this page.

Below are the differences between various versions of GandCrab ransom virus.


This version was released in April 2018. It is capable of changing the infected computer’s wallpaper to a ransom note. GandCrab V3 also adds a RunOnce registry entry that runs the code automatically on the victim’s computer. The ransom note file is still CRAB-DECRYPT.txt and the .CRAB extension is appended to infected files. The GandCrab V3 ransom note includes the following statement:

All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
0. Download Tor browser – (URL Removed)
1. Install Tor browser
2. Open Tor browser
3. Open link in TOR browser: (URL Removed)
4. Follow the instructions on this page
If Tor/Tor browser is locked in your country or you cannot install it, open one of the following links in your regular browser:

ATTENTION! Use regular browser only to contact us. Buy decryptor only through TOR browser link or Jabber Bot!
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
The alternative way to contact us is to use Habber messenger. Read how to:
0. Download Psi-Plus Jabber Client: (URL Removed)
1. Register new account: (URL Removed)
0) Enter “username”:
1) Enter “password”: your password
2. Add new account in Psi
3. Add and write Jabber ID: (Email Removed) any message
4. Follow instruction bot
It is a bot! It’s fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availability anytime. We are open to conversations.
You can read instructions how to install and use jabber here (URL Removed)
Do not try to modify files or use your own private key – this will result in the loss of your data forever!

GandCrab Version 3


This 4th generation of GandCrab was released into the wild in July 2018. It includes an assortment of major updates, including a new encryption algorithm (Tiny Encryption Algorithm). GandCrab V4 also appends the .KRAB extension to infected files instead of the traditional .CRAB.

GandCrab V4


A random five-character extension (.udvjs) appended to encrypted files, together with a ransom note named [extension]-DECRYPT.html and [EXTENSION]-DECRYPT.txt, is the new signature that identifies a GandCrab V5 infection. It also demands $800 USD as a ransom payment, to be paid in DASH cryptocurrency. The ransom note contains the following messages:

—= GANDCRAB V5.0 =—
All your files, documents, photos, databases and other important files are encrypted and have the extension: .VSVDV
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:

Download Tor browser – (URL Removed)
Install Tor browser
Open Tor Browser
Open link in TOR browser: (URL Removed)
Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

GandCrab Version 5.0
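The version indicators described above (the .CRAB and .KRAB extensions, and for V5 a random five-character extension paired with a matching [EXTENSION]-DECRYPT note) can be checked with a short read-only triage script. This is an added example, not part of the original guide or of any vendor tool; the function names, the sample tree and the assumption that note prefixes are four or five letters or digits are illustrative.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict

# Note names: CRAB-DECRYPT.txt (V3), <EXT>-DECRYPT.txt/.html (V5); prefix charset assumed.
NOTE_RE = re.compile(r"^([A-Z0-9]{4,5})-DECRYPT\.(?:TXT|HTML)$", re.IGNORECASE)
FIXED_EXT = {"CRAB": "V3 (.CRAB)", "KRAB": "V4 (.KRAB)"}


def triage(root):
    """Map each suspicious extension to a version label, file count and notes."""
    counts, notes = Counter(), defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            match = NOTE_RE.match(name)
            ext = os.path.splitext(name)[1].lstrip(".").upper()
            if match:
                notes[match.group(1).upper()].append(os.path.join(dirpath, name))
            elif ext:
                counts[ext] += 1
    findings = {}
    # Fixed extensions are reported even if the note has been deleted.
    for ext, version in FIXED_EXT.items():
        if counts[ext] or ext in notes:
            findings[ext] = {"version": version, "files": counts[ext],
                             "notes": sorted(notes.get(ext, []))}
    # V5 extensions are random: require a note whose prefix matches a file extension.
    for prefix, paths in notes.items():
        if len(prefix) == 5 and counts[prefix]:
            findings[prefix] = {"version": "V5 (random extension)",
                                "files": counts[prefix], "notes": sorted(paths)}
    return findings


def demo():
    sample = ["docs/report.docx.CRAB", "docs/CRAB-DECRYPT.txt",
              "pics/a.jpg.udvjs", "pics/b.png.udvjs", "pics/UDVJS-DECRYPT.html",
              "src/notes.txt", "src/ABCDE-DECRYPT.txt"]  # constructed; src/ = decoys
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

The script only reads directory listings; point `triage()` at a user profile or file share to see which extension and note pairs are present before choosing a recovery option.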

Ways to recover files encrypted by GandCrab Ransomware

The GandCrab Decryption Tool by Bitdefender Labs is available free on their official website. This tool will only work for GandCrab versions 1 to 5.0.3.

Alternative Solution:

If your PC is running Windows Vista or Windows 7, there is a feature called ‘Previous Versions’. This function only works if a restore point was saved prior to the GandCrab infection or if System Protection is enabled on the computer. Use Previous Versions to recover files without having to pay for the private key.

GandCrab is a dangerous piece of software out to extract money from unsuspecting users. Please follow the directions on this site to stop this ransomware virus.

'GandCrab' Removal Procedures

Systematic procedures to get rid of the threat are presented in this section. Make sure to scan the computer with the suggested tools and scanners.

Option 1 : Please use this recommended tool to remove the virus.

The first thing you should do is reboot the computer in Safe Mode with Networking to prevent GandCrab from loading at start-up.

NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.

To start Windows in Safe Mode with Networking, please do the following:

1 Remove all media such as memory cards, CDs, DVDs, and USB devices. Then, restart the computer.

Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

Start computer in Safe Mode with Networking using Windows 8
a) Before Windows begins to load, press Shift and F8 on your keyboard.
b) On Recovery interface, click on 'See advanced repair options'.
c) Next, click on Troubleshoot option.
d) Then, select Advanced options from the list.
e) Lastly, please choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to a familiar Advanced Boot Options screen.
f) Select Safe Mode with Networking from the selections menu.


2 Once the computer boots into Safe Mode with Networking, download the Removal Tool and save it on your Desktop or any location on your PC.

Download Tool

3 When finished downloading, locate and double-click on the file to install the application. Windows' User Account Control will prompt at this point, please click Yes to continue installing the program.

4 Follow the prompts and install with default configuration.

5 Before the installation completes, check the prompts confirming that the software will run and update itself.

6 Click Finish. Program will run automatically and you will be prompted to update the program before doing a scan. Please download needed update.

7 When finished updating, the tool will run. Select Perform full scan on main screen to check your computer thoroughly.

8 Scanning may take a while. When done, click on Show Results.

9 Make sure that all detected threats are checked, then click on Remove Selected. This will delete all files and registry entries that belong to GandCrab.

10 Finally, restart your computer.

Note: If GandCrab prevents mbam-setup.exe from downloading, download the software from another computer. Renaming it to something like 'anything.exe' can help elude the malware. You may skip Option 2 and proceed to Additional Scans below if you see that the steps above have totally removed the malware.

Option 2 : Remove GandCrab instantly with this Rescue Disk

This procedure requires a tool from Kaspersky. Thus, it requires Internet access to download the files. If the virus blocks your Internet access, you have no other choice but to execute this guide from another computer.

Download Kaspersky Rescue Disk

1 Download the ISO image of Kaspersky Rescue Disk 18 (krd.iso) from the official web page.

2 Download the Rufus tool as provided by Kaspersky.

Follow the procedures to create a bootable USB drive for Kaspersky Rescue Disk using the Rufus tool.

Boot The Computer From The USB Kaspersky Rescue Disk 10

3 Since GandCrab uses a rootkit Trojan that controls Windows boot functions, we need to reboot the computer and select the newly created Kaspersky USB Rescue Disk as the first boot option. Most computers allow you to enter a boot menu and select which device or drive to start the PC from. Refer to your computer manual.

4 Once you have successfully entered the boot menu, choose the USB flash drive. This will boot the system into Kaspersky Rescue Disk. Press any key to enter the menu.

5 If it prompts for desired language, use arrow keys to select and then press Enter on your keyboard.

6 It will display the End User License Agreement. You need to accept these terms to be able to use Kaspersky Rescue Disk 10. Press 1 to accept.

7 The tool will prompt for various start-up methods. We highly encourage you to choose Kaspersky Rescue Disk Graphic Mode.

Remove GandCrab Using Windows Unlocker

8 Once the tool is running, you need to run WindowsUnlocker in order to delete the registry entries that belong to GandCrab. On the start menu located at the bottom left corner of your screen, select the K icon, or select WindowsUnlocker if it is present on the menu.

9 Select Terminal from the list. A command prompt will open.

Run Terminal on Rescue Disc

10 Type windowsunlocker and press Enter on your keyboard.

Command for Windows Unlocker

11 From the selection, choose 1 - Unlock Windows to remove GandCrab. Use up/down arrow on keyboard to select and press Enter.

Windows Unlocker

12 This utility will start removing any components that are blocking you from accessing the computer. It will display a log file containing the actions performed on the infected computer, such as deleted infected files and removed registry entries.

13 After removing the components of GandCrab, you need to scan the system using the same tool. On the start menu, select Kaspersky Rescue Disk.

Kaspersky Rescue Disk Scanner

14 Be sure to update the program by going to My Update Center tab. Click on Start update.

15 After the update, go to Object Scan tab and thoroughly scan the computer to locate other files that belong to GandCrab.

16 Restart the computer normally when done.

Additional anti-virus and anti-rootkit scans (Optional)

Ensure that no more files of GandCrab are left inside the computer

1 Click on the button below to download Norton Power Eraser from official web site. Save it to your desktop or any location of your choice.

NPE Download

2 Once the file is downloaded, navigate to its location and double-click on the icon (NPE.exe) to launch the program.

3 Norton Power Eraser will run. If it prompts for End User License Agreement, please click on Accept.

4 On NPE main window, click on Advanced. We will attempt to remove GandCrab components without restarting the computer.

Advance Scan

5 On next window, select System Scan and click on Scan now to perform standard scan on your computer.

Scan the System

6 NPE will proceed with the scan. It will search for Trojans, viruses, and malware like GandCrab. This may take some time, depending on the number of files currently stored on the computer.

7 When the scan is complete, all detected risks are listed. Remove them and restart Windows if necessary.

Remove the Rootkit Trojan that installs GandCrab

For automatic removal of the rootkit Trojan using a free tool, you can refer to this guide. Download the tool and carefully follow the instructions.

1 Click on the button below to download the file FixZeroAccess.exe from official web site. A new window or tab will open containing the download link.

ZeroAccess Fix Tool

2 Close all running programs and remove any disc drives and USB devices on the computer.

3 Temporarily disable System Restore (if you are running Windows XP).

4 Browse for the location of the file FixZeroAccess.exe.

5 Double-click on the file to run it. If User Account Control prompts with a security warning and asks if you want to run the file, please choose Run.

6 It will open the Zero Access Fix Tool End User License Agreement (EULA). You must accept this license agreement in order to proceed with rootkit removal. Please click I Accept.

7 It will display a message and prepare the computer to restart. Please click on Proceed.


8 When it shows a message about 'Restarting System' please click on OK button.

9 After restarting the computer, the tool will display information about the identified threats. Please continue running the tool by following the prompts.

10 When it reaches the final step, the tool will show the scan result containing the deleted components of GandCrab and other identified viruses.

Alternative Removal Procedure for GandCrab

Use Windows System Restore to return Windows to previous state

During an infection, GandCrab drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With changes this extensive, the best solution is to return Windows to a previous working state through System Restore.

To verify if System Restore is active on your computer, please follow the instructions below to access this feature.

Access System Restore on Windows XP, Windows Vista, and Windows 7

a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.


Open System Restore on Windows 8 and Windows 10

a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.


If a previous restore point was saved, you may proceed with Windows System Restore. Click here to see the full procedure.
