Imagine booting up your PC and being greeted by this message on your desktop:
This would probably be one of the worst nightmares any computer user can have. When you see this message, or you find a file on your computer with this message written inside, then your computer is most likely infected with the GandCrab cryptovirus.
GandCrab is a file-encrypting ransomware that encrypts all the files and documents on the infected computer. The ransomware uses an RSA-2048 key or the Salsa20 stream cipher to encrypt the files, and leaves a ransom message for the owner of the device. The message offers to decrypt the files for a fee. The amount is not the same in every case; some attackers ask for $500 while others require up to $2,400 in payment for the decrypting process.
The attacker even increases the sense of urgency by threatening to double the price after a certain period of time. The instructions are left in a .txt or .html file whose filename is a series of gibberish characters, such as DEKSTFDERT-DECRYPT.txt or DEKSTFDERT-DECRYPT.html.
What You Need to Know About GandCrab Cryptovirus
The GandCrab ransom virus has come a long way since it was first discovered in January 2018. In the first six months after it began spreading, it infected more than 50,000 devices and generated $600,000 in ransom payments from victims.
GandCrab is considered one of the most active and widespread ransomware families of the year, and its authors have released five versions of the ransom virus to date. Its latest version is GandCrab v5.0.4, and although there isn’t any obvious difference between this version and the previous one, the ransom virus has been constantly evolving to avoid the decryptors created by online security companies. In fact, the most notable change to the GandCrab virus is the switch from the RSA-2048 encryption algorithm to the faster Salsa20 stream cipher.
How GandCrab v5.0.4 Ransomware Spreads
GandCrab uses several entry points to infect computers. It is often spread through spam emails, exploit kits, and other malware campaigns. Let’s look at each of these spreading vectors one at a time.
Spam emails have been known to be carriers of all types of viruses and malware since time immemorial. Users are usually tricked into opening a spam email with a juicy headline and the ZIP file attached to it. The ZIP file contains the script that downloads the cryptovirus to the computer and executes it.
Another way of getting the GandCrab cryptovirus is via exploit kits. GrandSoft and RIG are some of the most widely used exploit kits for the distribution of GandCrab. However, version 5.0 of the ransomware was initially reported to be delivered by the Fallout exploit kit, which is now associated with the distribution of the Kraken ransomware instead.
Other entry vectors include remote desktop connections with weak security, Trojan-infected programs, PowerShell scripts, and botnets such as Phorpiex.
What Does GandCrab Do?
The goal of GandCrab, as with all other ransomware out there, is to encrypt all the files of the infected system and demand a payment for decrypting them. The payment is usually made using cryptocurrencies such as Dash or Bitcoin because these are difficult to track.
The GandCrab v5.0.4 ransomware infects all versions of Windows, including Windows 10/11, Windows 7, and Windows 8.1. Once the ransomware has been installed, it scans the system for data files to encrypt. Documents with file extensions such as .doc, .docx, .xls, and .pdf are some of the most common targets. Once these files have been located, the ransom virus encrypts them and changes their file extension, so that they can no longer be opened.
After the files have been encrypted, GandCrab leaves a ransom note with instructions on what the device owner should do, particularly how to make the payment. Paying the ransom fee is highly discouraged because it will only give confidence to the attackers and encourage them to spread the virus further.
If your device is infected with GandCrab v5.0.4 ransomware, follow the steps below to completely remove it from your system and to hopefully retrieve some of your files.
How to Remove GandCrab V5.0.4 Ransomware
Unfortunately, there is no decryptor available yet for GandCrab V5.0.4. Bitdefender was able to create a decryption program for the first version of the ransomware, but it was rendered useless when the authors upgraded GandCrab to version 2.0. Other security companies have also tried to release their own decryptors, but none of them work so far.
So if your computer unfortunately contains GandCrab V5.0.4, here are the things that you should do:
Step 1. Create a Copy of All Infected Files.
This allows you to save all encrypted data and keep them safe until a free decryption program is developed in the future. It is much better if you can create an image of the entire hard drive because you will also be able to save everything related to the ransomware, including encrypted files, ransom message, key data files, and registry entries.
Step 2. Remove GandCrab V5.0.4 From Your Computer.
First, remove the ransomware from your system before it does more damage. To delete the ransomware from Windows, follow the steps below:
- To boot into Safe Mode, click the Start menu.
- Click the Power button, hold down Shift, then click on Restart.
- Your computer will reboot and a blue menu will appear. Choose Troubleshoot from this window.
- In the Troubleshoot menu, choose Advanced Options > Startup Settings > Restart.
- Choose any of the three Safe Mode options available.
- While in Safe Mode, search for the infected files by typing fileextension: in the search box, followed by the extension you are looking for.
- Delete all infected files and clear your Recycle Bin afterwards. You can use a tool like Outbyte PC Repair to make sure all junk files are removed and that no infected files are left on your system.
- Run your antivirus or anti-malware tool to totally get rid of the infection.
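Before anything is deleted in Step 2, it helps to have an inventory of what the ransomware left behind, which is also what the backup in Step 1 should preserve. The following Python script is an added example (not from this article or any vendor tool): it locates ransom notes by the naming pattern described above, hashes them together with the renamed files, and emits a manifest. It assumes, and this is my assumption rather than something the article states, that the appended extension is the note's prefix in lowercase (e.g. report.docx.dekstfdert).

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Ransom note name as described above: random capitals + "-DECRYPT.txt" or "-DECRYPT.html"
NOTE_RE = re.compile(r"^([A-Z]{4,16})-DECRYPT\.(txt|html)$")

def find_ransom_notes(root: Path) -> dict:
    """Map each note prefix (e.g. 'DEKSTFDERT') to every note file that carries it."""
    notes = {}
    for p in root.rglob("*"):
        m = NOTE_RE.match(p.name)
        if p.is_file() and m:
            notes.setdefault(m.group(1), []).append(p)
    return notes

def find_encrypted_files(root: Path, prefix: str) -> list:
    """ASSUMPTION (not stated in the article): an encrypted file gets the note prefix,
    lower-cased, appended as its new extension, e.g. report.docx.dekstfdert."""
    return sorted(p for p in root.rglob("*." + prefix.lower()) if p.is_file())

def sha256(p: Path) -> str:
    return hashlib.sha256(p.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict:
    """Inventory notes and encrypted files with hashes, so the evidence copied off in
    Step 1 can be verified later and nothing is lost when Step 2 deletes files."""
    manifest = {"root": str(root), "notes": [], "encrypted": []}
    for prefix, note_paths in find_ransom_notes(root).items():
        for n in note_paths:
            manifest["notes"].append({"path": str(n), "prefix": prefix, "sha256": sha256(n)})
        for f in find_encrypted_files(root, prefix):
            manifest["encrypted"].append({"path": str(f), "prefix": prefix, "sha256": sha256(f)})
    return manifest

def dry_run() -> dict:
    """Constructed sample tree (not a real infection) inventoried in a temp directory."""
    root = Path(tempfile.mkdtemp()) / "docs"
    root.mkdir()
    (root / "DEKSTFDERT-DECRYPT.txt").write_text("constructed sample ransom note")
    (root / "report.docx.dekstfdert").write_bytes(b"\x00\x01 constructed ciphertext")
    (root / "untouched.txt").write_text("not encrypted")
    return build_manifest(root.parent)

if __name__ == "__main__":
    print(json.dumps(dry_run(), indent=2))
```

Run it against the drive root (or the imaged copy) instead of the constructed tree to get the list of files to copy off before cleaning.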
Step 3. Try to Recover Your Encrypted Files.
Since there is no official decryptor available for GandCrab V5.0.4, you can try your luck with third-party decrypting software; one of them may work for you. You can also try restoring your files with file recovery software, although there is no guarantee that the files will actually be restored. Some users who have tried this method reported that most of the files came back corrupted.
Another option would be to roll your system back to a previous restore point before the infection happened. This is probably the best option for you right now.
Follow these steps to roll back the changes on your PC using a restore point:
- Click Start and type in Create a restore point in the search box.
- Click System Properties from the results.
- Click System Restore > Next, then choose the most recent working restore point before the infection happened.
- Click Scan for affected programs to remove apps and processes that have been installed after the restore point was created.
- Click Close > Next > Finish.
Your device will now go back in time to when the restore point was made and everything was working correctly.
Seeing your computer infected with the GandCrab V5.0.4 ransomware can be panic-inducing at first glance — all your files are encrypted and there’s no way to decrypt them as of the moment. Some users are tempted to pay the ransom, thinking that it’s the easiest way to resolve the problem and get their files back. But can you really trust these criminals to do their part once the money has been transferred? Most probably, no. They don’t care about you or your files; they only care about the money you’re willing to give them.
So if your computer is infected with GandCrab V5.0.4 ransomware, don’t go running to the attackers with your cash. Try the step-by-step guide above to remove the infected files from your computer and recover your data by other means. Besides, you probably don’t have to wait long for an official decrypting program to be released to counter these attacks.