Security researchers have discovered a new variant of the GandCrab ransomware. It appends the .CRAB extension to encrypted files and targets computers running Microsoft Windows, reaching them mainly through spam emails and other malware.
GandCrab2 is ransomware built to encrypt the photos, documents and music on the infected PC using strong hybrid encryption with a large key, adding the .CRAB extension to every encrypted personal file. It can encrypt almost all common file types, including the following:
.wpa, .dng, .wpw, .png, .wbk, .dxg, .xml, .odc, .eps, .raw, .accdb, .pef, .r3d, .docx, .fsh, .xlsm, .mpqge, .wsh, .vfs0, .vtf, .mdf, .sidd, .qdf, .xbdoc, .csv, .srw, .ws, .ysp, .hkdb, .snx, .m3u, .wmf, .bc6, .wpd, .wbm, .erf, .fos, .wdp, .wm, .wn, .xyw, .y, .cfr, .odp, .xwp, .w3x, .wp4, .wp6, .css, .xxx, .zi, .bay, .p7c, .d3dbsp, .vpk, .map, .ppt, .x3d, .dba, .itl, .js, .pptx, .wgz, .ztmp, .tax, .zabw, .rw2, .0, .wpd, .m4a, .xyp, .sr2, .ptx, .wot, .ybk, .xmind, .ncf, .indd, .sis, .py, .xll, .wmv, .qic, .wpt, .itm, .pfx, .wri, .mdbackup, .rar, .yml, .upk, .p12, .jpg, .xlk, .xf, .pkpass, .lbf, .cdr, .bkf, .wmo, .sie, .xdb, .ff, .wpb, .xlsx, .xy3, .xpm, .wb2, .docm, .lvl, .rtf, .wp7, .blob, .wdb, .xlsm, .pak, .iwd, .xx, .pdf, .re4, .jpeg, .dazip, .gdb, .wcf, .der, .rb, .odm, .1st, .sb, .3dm, .sidn, .xar, .mef, .ntl, .x3f, .7z, .zif, .wotreplay, .icxs, .syncdb, .jpe, .sav, .pem, .wp, .t12, .wp5, .bik, .mdb, .dcr, .avi, .webp, .vcf, .t13, .kf, .wps, .svg, .wps, .yal, .x3f, .desc, .asset, .odb, .psd, .z3d, .itdb, .layout, .wmv, .wpg, .db0, .wmd, .webdoc, .m2, .z, .rwl, wallet, .hkx, .pdd, .dwg, .dbf, .xlsx, .wma, .tor, .hvpl, .wbc, .lrf, .fpk, .mddata, .dmp, .epk, .bc7, .big
When the virus encrypts a file, it adds the .CRAB extension to it. Once the ransomware has finished encrypting all files, it creates a file called CRAB-Decrypt.txt containing a ransom note with instructions on how to decrypt the photos, documents and music. An example of the ransom note:
—= GANDCRAB =—
All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser – https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[id]
5. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
If you can’t download TOR and use it, or in your country TOR blocked, read it:
1. Visit https://tox.chat/download.html
2. Download and install qTOX on your PC.
3. Open it, click “New Profile” and create profile.
4. Search our contact – 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5
5. In message please write your ID and wait our answer: 6361f798c4ba3647
Do not try to modify files or use your own private key – this will result in the loss of your data forever!
If your photos, documents and music have been locked by the GandCrab2 ransomware, we suggest that you do not pay the ransom. If this malware makes money for its makers, your payment only funds further attacks. Decryption without the private key is not feasible, but that does not mean GandCrab2 must seriously disrupt your life. The free tools listed below can find and remove this ransomware and prevent further damage. After that, you can try to restore .CRAB files, including encrypted photos, documents and music, from their Shadow Copies or with a file recovery tool.
Unfortunately, at this time victims of GandCrab2 cannot decrypt their files without the private key. You can, however, follow the tutorial below to find and remove GandCrab2 from your machine and attempt to recover encrypted files for free.
Table of contents
- What is GandCrab2 ransomware
- How to decrypt .CRAB files
- How to remove GandCrab2 virus
- Recovering files encrypted by GandCrab2 virus
- How to prevent your machine from becoming infected by GandCrab2 virus?
- Final words
How to decrypt .CRAB files
Currently there is no way to decrypt .CRAB files, but you still have a chance to recover encrypted documents, photos and music for free. The ransom note stresses that the malware uses strong hybrid encryption with a large key, i.e. a symmetric cipher for the file contents with the symmetric key protected by the attackers' public key. In practice this means the files cannot be decrypted without the private key, and brute-forcing the key is not an option either because of its length. Unfortunately, that leaves paying the developers of GandCrab2 the full amount requested as the only way to even try to obtain the decryption key.
There is absolutely no guarantee that after you pay the ransom the authors of GandCrab2 will provide the key needed to decrypt your files. Moreover, by paying the criminals you encourage them to create new ransomware.
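Since decryption is not an option, the practical first step is to establish what was hit and when, so you know which drives to clean, which shadow copy date to look for, and what to put in the incident record. The following PowerShell script is an added example, not part of the original guide or of any tool it mentions. It assumes the extension and note file name are exactly as described above (".CRAB", "CRAB-Decrypt.txt") and that the victim ID appears in the note after "wait our answer:" as in the sample; the $Roots paths and the output CSV name are arbitrary choices.

```powershell
# Added example (not from the original guide): inventory .CRAB files and
# CRAB-Decrypt.txt ransom notes to scope the damage and find the time window
# of the encryption. Assumptions: extension ".CRAB" and note name
# "CRAB-Decrypt.txt" as described in the text; adjust $Roots to your drives.
param(
    [string[]]$Roots = @('C:\Users', 'D:\')
)

$encrypted = foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.CRAB' -Force -ErrorAction SilentlyContinue
    }
}
$notes = foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'CRAB-Decrypt.txt' -Force -ErrorAction SilentlyContinue
    }
}

if (-not $encrypted) {
    Write-Host "No *.CRAB files found under: $($Roots -join ', ')"
    return
}

# The LastWriteTime of the encrypted copies brackets the attack. Use the
# earliest value to choose a shadow copy that predates it and to search logs.
$times = @($encrypted | Sort-Object LastWriteTime)
Write-Host ("{0} encrypted files, {1} ransom notes" -f @($encrypted).Count, @($notes).Count)
Write-Host ("Encryption window: {0:u}  ->  {1:u}" -f $times[0].LastWriteTime, $times[-1].LastWriteTime)

# Victim ID from the first note (format assumed from the sample note above).
if ($notes) {
    $noteText = Get-Content -LiteralPath @($notes)[0].FullName -Raw
    if ($noteText -match 'wait our answer:\s*([0-9a-fA-F]+)') {
        Write-Host "Victim ID from ransom note: $($Matches[1])"
    }
}

# Which original file types were hit ("report.docx.CRAB" -> ".docx").
$encrypted |
    Group-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLower() } |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, @{ n = 'OriginalExtension'; e = { $_.Name } } |
    Format-Table -AutoSize

# Per-directory counts show how far the ransomware got.
$encrypted |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep a full inventory for the incident record.
$encrypted |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\crab-inventory.csv"
```

Run it before any cleanup so the timestamps are not disturbed, e.g. `.\crab-inventory.ps1 -Roots 'C:\Users','E:\'`. The earliest LastWriteTime is the value to compare shadow copy creation dates against in the recovery section.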
How to remove GandCrab2 virus
GandCrab2 can hide components that are difficult to find and remove completely, which can lead to the ransomware re-infecting your machine after some time and encrypting your photos, documents and music again. Moreover, removing the virus manually is not always safe if you lack experience in configuring Windows. The best way to find and remove GandCrab2 is to use the free malware removal tools listed below.
How to automatically remove GandCrab2 with Zemana Anti-malware
We advise using Zemana Anti-malware. Download and install it to find and delete GandCrab2 from your PC. Once installed and updated, the malware remover will automatically scan for and detect all threats present on the computer.
Install and run Zemana Anti-Malware (ZAM) to remove GandCrab2 from your PC by following the steps below:
Visit the page linked below to download the Zemana Free installer, Zemana.AntiMalware.Setup, and save it to your Desktop.
Author: Zemana Ltd
Category: Security tools
Update: March 3, 2018
Start the setup file once it has downloaded and follow the prompts to install the utility on your PC.
During setup you can change certain settings, but we recommend leaving the defaults unchanged.
When the install is finished, the malware removal utility will start and update itself automatically. You will see its main window as shown in the image below.
Now click the "Scan" button to scan your machine for GandCrab2 and other threats. Depending on your computer, the scan can take from a few minutes to close to an hour. While Zemana Free is scanning, you can see how many objects it has identified as threats.
When the scan has finished, Zemana Anti-Malware (ZAM) shows a list of the malware it found. Select what you want to remove and press the "Next" button.
Zemana Free will remove GandCrab2 and other potential threats such as malware and PUPs. Once the procedure is complete, you may be prompted to reboot your PC for the changes to take effect.
How to automatically delete GandCrab2 with Malwarebytes
We recommend Malwarebytes Free, which can completely clean your computer of the virus. It is an advanced malware removal program from Malwarebytes that can remove ransomware, PUPs, adware, toolbars and other threats from your machine for free.
Visit the following page to download the latest version of Malwarebytes Free for Windows and save it on your Windows desktop.
Category: Security tools
Update: March 20, 2018
Once the download is complete, run it and follow the prompts. Once installed, Malwarebytes Anti-Malware (MBAM) will try to update itself; when that is finished, click the "Scan Now" button to scan the system for GandCrab2-related files, folders and registry keys. This can take some time, so please be patient. While Malwarebytes Anti-Malware is scanning, you can see how many objects it has identified as malicious. To remove all items, click the "Quarantine Selected" button.
Malwarebytes Anti-Malware (MBAM) is a free program that removes all detected folders, files, services, registry entries and so on. To learn more about this malware removal utility, read and follow the guide or the video guide below.
Scan and clean your system of ransomware with KVRT
KVRT is a free removal tool that you can download and use to remove ransomware, adware, other malware, PUPs, toolbars and further threats from your PC. You can use it to scan for threats even if you already have an antivirus or another security application installed.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it on your Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is complete, you will see the KVRT screen as displayed in the figure below.
Click Change Parameters and tick all your drives. Click OK to close the Parameters window. Next press the Start scan button to check your machine for GandCrab2 and other malware. Depending on your PC, the scan can take from a few minutes to close to an hour. When a threat is detected, the displayed number of threats changes accordingly. Wait until the scan is complete.
When finished, Kaspersky virus removal tool will display a list of detected threats as displayed on the image below.
When you’re ready, press on Continue to start a cleaning procedure.
Recovering files encrypted by GandCrab2 virus
In some cases, you can recover files encrypted by GandCrab2. Try both methods below. Understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Recover .CRAB encrypted files using Shadow Explorer
An alternative is to restore .CRAB files from their Shadow Copies. Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) saves automatically as part of System Protection. This feature is very useful for rescuing personal files damaged by GandCrab2, but only if the copies still exist: many ransomware families delete shadow copies before encrypting, and System Protection must have been enabled for the drive in the first place. If ShadowExplorer lists no dates for your drive, skip to the PhotoRec method. The instructions below give the details.
Download ShadowExplorer on your PC from the following link.
Category: Security tools
Update: February 27, 2018
When the download is finished, extract the downloaded file to a directory on your PC. This will create the necessary files as displayed below.
Start the ShadowExplorerPortable program. Now select the date (2) that you want to recover from and the drive (1) you want to recover files (folders) from as displayed on the image below.
In the right-hand panel, navigate to the file (or folder) you wish to restore. Right-click the file or folder and choose Export, as shown in the following example.
Finally, specify a folder (for example your Desktop) to save the shadow copy of the encrypted file to and click the 'OK' button.
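Before working through ShadowExplorer it is worth confirming that a shadow copy from before the encryption actually exists. The following PowerShell script is an added example, not part of the original guide or of ShadowExplorer. It assumes you know roughly when the files were encrypted (for instance the earliest LastWriteTime of the .CRAB files) and that it runs from an elevated prompt; the link path C:\ShadowBeforeCrab is an arbitrary choice.

```powershell
# Added example (not from the original guide): list the Volume Shadow Copies
# on this machine with the drive each belongs to, flag the ones created before
# the encryption, and optionally expose one as a folder for browsing.
# Assumptions: run elevated; $EncryptedAt set from the .CRAB file timestamps.
param(
    [datetime]$EncryptedAt = (Get-Date)
)

# Map volume GUID paths (\\?\Volume{...}\) to drive letters.
$letterByVolume = @{}
Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter } |
    ForEach-Object { $letterByVolume[$_.DeviceID] = $_.DriveLetter }

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate |
    ForEach-Object {
        [pscustomobject]@{
            Drive        = $letterByVolume[$_.VolumeName]
            Created      = $_.InstallDate
            Usable       = ($_.InstallDate -lt $EncryptedAt)   # predates the attack?
            DeviceObject = $_.DeviceObject
        }
    }

if (-not $shadows) {
    Write-Warning 'No shadow copies exist. Ransomware frequently deletes them; skip to PhotoRec.'
    return
}

$shadows | Format-Table -AutoSize

# Expose the newest usable copy as a folder so it can be browsed and copied
# from without ShadowExplorer. Shadow copies are read-only, so this cannot
# damage them. The trailing backslash on the device path is required.
$pick = $shadows | Where-Object Usable | Select-Object -Last 1
if ($pick) {
    $link = "$env:SystemDrive\ShadowBeforeCrab"
    $dev  = $pick.DeviceObject + '\'
    cmd /c mklink /d $link $dev
    Write-Host "Browse $link to copy files out; remove the link afterwards with: rmdir $link"
}
```

Example call: `.\list-shadows.ps1 -EncryptedAt '2018-03-05 14:20'`. A copy whose Created value is later than the encryption time already contains the .CRAB files and is useless for recovery; `vssadmin list shadows` from an elevated command prompt shows the same information without the drive-letter mapping.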
Restore .CRAB files with PhotoRec
Before a file is encrypted, GandCrab2 makes a copy of it, encrypts the copy, and then deletes the original. The deleted original's data usually remains on disk until it is overwritten, so file recovery software such as PhotoRec may be able to recover your documents, photos and music. Avoid writing to the affected drive until you have tried this.
Download PhotoRec on your computer from the link below.
Category: Security tools
Update: March 1, 2018
When the download is complete, open the directory you saved it to. Right-click testdisk-7.0.win and choose Extract all, then follow the prompts. Next, open the testdisk-7.0 folder as shown below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll open a screen like below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as displayed in the figure below.
Press the File Formats button and select the file types to recover; you can enable or disable recovery of particular file types. When done, press OK.
Next, click Browse to choose where the restored photos, documents and music should be written. Pick a location on a different drive than the one you are recovering from, so that the recovered files do not overwrite deleted data that has not been recovered yet. Then click Search.
The count of recovered files is updated in real time. All restored files are written to the folder you selected in the previous step; you can access them even before the recovery finishes.
When the recovery is done, click Quit. Then open the directory where the recovered files are stored. You will see contents like below.
All recovered files are written to the recup_dir.1, recup_dir.2 … sub-directories. Because PhotoRec recovers files by their content signatures, the original file names and folder structure are not preserved. If you are looking for a specific file, sort the recovered files by extension and/or date/time.
How to prevent your machine from becoming infected by GandCrab2 virus?
Most antivirus applications already have built-in protection against ransomware, so if your system does not have an antivirus program, install one. Keeping regular backups on a drive or service that is disconnected from the PC remains the only reliable way to recover files after ransomware. As extra protection, run CryptoPrevent.
Use CryptoPrevent to protect your personal computer from GandCrab2 ransomware
Download CryptoPrevent by clicking on the following link. Save it on your Desktop.
Run it and follow the setup wizard. Once the install is finished, you will be shown a window where you can select a level of protection, as displayed on the image below.
Now click the Apply button to activate the protection.
Now your PC should be free of the GandCrab2 ransomware. Remove Malwarebytes and KVRT. We recommend keeping Zemana Anti-Malware to periodically scan your system for new malware. To prevent further ransomware infections, stay clear of unknown and third-party apps, and make sure your antivirus program's option to block or scan for ransomware is turned on.
If you need more help with GandCrab2 virus related issues, go to our Spyware/Malware removal forum.