What is GandCrab V5? Security researchers discovered a new variant of the GandCrab ransomware which named GandCrab V5. It appends a random 5 character extension to encrypted file names. This blog post will provide you a brief summary of information related to this new virus and how to restore all encrypted files for free.
The GandCrab V5 is a malicious software that created in order to encrypt documents, photos and music. It hijack a whole PC system or its data and demand a ransom in order to unlock (decrypt) them. The makers of the GandCrab V5 ransomware have a strong financial motive to infect as many personal computers as possible. The files that will be encrypted include the following file extensions:
.bar, .css, .webp, .iwd, .wps, .1, .d3dbsp, .crw, .snx, .wsh, .w3x, .wm, .wp6, .xls, .fsh, .wdb, .sav, .dazip, .hplg, .rtf, .dcr, .xbdoc, .mpqge, .wmf, .sidn, .txt, .fpk, .cer, .wmv, .dba, .ztmp, .2bp, .qdf, .png, .wbd, .wcf, .ysp, .zif, .crt, .p12, wallet, .wpa, .xml, .yml, .m4a, .raf, .wma, .gho, .ibank, .z3d, .wbz, .mp4, .mrwref, .pptx, .wmo, .xy3, .psk, .rofl, .itl, .hvpl, .kf, .xmmap, .mddata, .lbf, .wpt, .flv, .lvl, .y, .pdd, .wsc, .big, .pak, .nrw, .jpg, .t12, .cfr, .odc, .accdb, .xwp, .js, .0, .bc6, .xll, .wpd, .ff, .mcmeta, .itdb, .desc, .upk, .ntl, .epk, .x3f, .yal, .itm, .wsd, .lrf, .forge, .wbmp, .wbk, .py, .webdoc, .sum, .xlgc, .arw, .bkf, .orf, .db0, .t13, .wp7, .x, .ybk, .srf, .bsa, .mef, .zi, .docm, .das, .pst, .sb, .rar, .rim, .pdf, .wpw, .rwl, .arch00, .xlsm, .odm, .zip, .kdb, .ppt, .xld, .dng, .cr2, .3dm, .pem, .mdb, .wri, .wpd, .sis, .csv, .psd, .xx, .ws, .jpe, .vpk, .xlsb, .pkpass, .bik, .bkp, .xlsx, .wmv, .r3d, .wp5, .wpl, .asset, .xyp, .raw, .zabw, .icxs, .xpm, .wbc, .mdf, .ptx, .odp, .wps, .xmind, .wpg, .fos, .3fr, .layout, .zip, .re4, .jpeg, .tor, .wp, .mdbackup, .xdb, .avi, .vcf, .1st, .mlx, .wotreplay, .vfs0, .xlsm, .wdp, .wb2, .map, .litemod, .rw2, .zdc, .x3d, .slm, .xls, .sie, .wma, .dxg, .sql, .odt, .p7b, .doc, .gdb, .vpp_pc, .wp4, .wav, .esm, .mov, .menu, .xbplate, .der, .svg, .x3f, .ltx, .ai, .wpe, .xlk, .qic, .m3u, .cas, .docx, .7z, .bc7, .vdf, .3ds, .wgz, .srw, .sidd, .sid, .m2, .xf, .wot, .hkdb, .ods, .hkx, .rgss3a, .iwi, .wire, .syncdb, .pfx, .bay, .zdb, .zw, .kdc, .eps, .sr2, .indd, .p7c, .xdl, .blob, .dwg, .xxx, .wmd, .ncf, .erf, .xyw, .wbm, .wn, .cdr, .pptm, .dbf, .wpb, .vtf, .xlsx, .pef, .tax, .rb, .odb, .z, .xar, .apk, .dmp
When encrypting a file it will add a random extension to each encrypted file name to identify that the file has been encrypted. For example, a file named
sample.doc would be encrypted and renamed to
sample.doc.tfbna. Once the process is finished, it will create a file named ‘[EXT]-DECRYPT.html’ with ransom demanding message. It includes instructions on how to purchase GandCrab V5 Decryptor to decrypt all personal files. You can see an one of the variants of the ransom note below:
—= GANDCRAB V5.0 =—
All your files, documents, photos, databases and other important files are encrypted and have the extension:
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:>
• Download Tor browser – https://www.torproject.org/
• Install Tor browser
• Open Tor Browser
• Open link in TOR browser: http://gandcrabmfe6mnef.onion/
• Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
The ransom note encourages victim to contact GandCrab V5’s developers in order to decrypt all photos, documents and music. These persons will require to pay a ransom (usually demand for $1200 in Bitcoins). We don’t recommend paying a ransom for GandCrab V5 Decryptor, as there is no guarantee that you will be able to decrypt your photos, documents and music. Especially since you have a chance to restore your files for free using free tools like ShadowExplorer and PhotoRec.
Unfortunately, at this time, victims of the GandCrab V5 ransomware cannot decrypt encrypted documents, photos and music without the actual encryption key. But you can use our guidance below to find out and remove GandCrab V5 virus from your computer as well as restore encrypted photos, documents and music for free.
Table of contents
- GandCrab V5 Decryptor
- How to remove GandCrab V5 ransomware virus
- Restoring files encrypted with GandCrab V5 ransomware
- How to prevent your system from becoming infected by GandCrab V5 ransomware?
- Finish words
GandCrab V5 Decryptor
Currently there is no available way to download the GandCrab V5 Decryptor for free, but you have a chance to restore encrypted files for free. If your files have been locked by the GandCrab V5 ransomware virus, We suggests: do not to pay the ransom. If this malicious software make money for its developers, then your payment will only increase attacks against you. Of course, decryption without the GandCrab V5 Decryptor is not feasible, but that does not mean that this virus must seriously disrupt your live. The free utilities listed below has the ability to search for and remove GandCrab V5 ransomware and prevent any further damage. After that you can recover encrypted photos, documents and music from their Shadow Copies or using file restore utility.
How to remove GandCrab V5 ransomware virus
There are not many good free anti-malware applications with high detection ratio. The effectiveness of malware removal utilities depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern malicious software, adware, ransomware and other unwanted programs. We recommend to use several programs, not just one. These applications which listed below will allow you get rid of all components of the GandCrab V5 virus from your disk and Windows registry.
How to remove GandCrab V5 with Zemana Anti-malware
Zemana Anti-malware is a utility that can get rid of ransomware viruses, adware, PUPs, browser hijackers and other malicious software from your PC easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of machine resources.
Now you can set up and use Zemana to delete GandCrab V5 virus from your internet browser by following the steps below:
Click the following link to download Zemana Free install package named Zemana.AntiMalware.Setup on your PC. Save it to your Desktop so that you can access the file easily.
Author: Zemana Ltd
Category: Security tools
Update: February 14, 2019
Start the installer after it has been downloaded successfully and then follow the prompts to set up this tool on your personal computer.
During install you can change certain settings, but we advise you don’t make any changes to default settings.
When installation is done, this malware removal tool will automatically start and update itself. You will see its main window like below.
Now click the “Scan” button . Zemana AntiMalware (ZAM) program will scan through the whole system for the GandCrab V5 ransomware and other security threats. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. When a threat is detected, the count of the security threats will change accordingly.
When the system scan is finished, the results are displayed in the scan report. When you’re ready, press “Next” button.
The Zemana Anti-Malware will remove GandCrab V5 ransomware and other kinds of potential threats such as malicious software and PUPs. Once finished, you can be prompted to reboot your computer to make the change take effect.
Run Malwarebytes to remove GandCrab V5 ransomware virus
Delete GandCrab V5 ransomware virus manually is difficult and often the ransomware virus is not completely removed. Therefore, we advise you to run the Malwarebytes Free that are completely clean your computer. Moreover, the free program will help you to get rid of malware, PUPs, toolbars and ad-supported software that your computer can be infected too.
Download MalwareBytes Free by clicking on the link below.
Category: Security tools
Update: February 5, 2019
Once downloading is done, run it and follow the prompts. Once installed, the MalwareBytes Free will try to update itself and when this process is done, click the “Scan Now” button for checking your personal computer for the GandCrab V5 ransomware and other kinds of potential threats such as malware and potentially unwanted software. This procedure can take some time, so please be patient. Once you have selected what you wish to get rid of from your personal computer click “Quarantine Selected” button.
The MalwareBytes Anti Malware is a free program that you can use to delete all detected folders, files, services, registry entries and so on. To learn more about this malware removal tool, we suggest you to read and follow the step-by-step tutorial or the video guide below.
If the problem with GandCrab V5 virus is still remained
KVRT is a free portable program that scans your computer for adware, PUPs and ransomware such as the GandCrab V5 and allows delete them easily. Moreover, it will also help you get rid of any harmful web browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it directly to your MS Windows Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to perform a system scan with this tool for the GandCrab V5 virus and other known infections. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. During the scan KVRT will find threats present on your personal computer.
When that process is done, a list of all items detected is created as shown on the screen below.
Next, you need to click on Continue to start a cleaning process.
Restoring files encrypted with GandCrab V5 ransomware
In some cases, you can restore encrypted files without the use of the GandCrab V5 Decryptor. Try both methods listed below. Important to understand that we cannot guarantee that you will be able to restore all your photos, documents and music encrypted by the GandCrab V5.
Use shadow copies to restore files encrypted by GandCrab V5
In order to restore your photos, documents and music encrypted by the GandCrab V5 ransomware from Shadow Volume Copies you can run a utility named ShadowExplorer. We suggest to use this way as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.
Download ShadowExplorer on your MS Windows Desktop from the following link.
Category: Security tools
Update: February 27, 2018
When the downloading process is complete, extract the saved file to a directory on your machine. This will create the necessary files as on the image below.
Launch the ShadowExplorerPortable program. Now choose the date (2) that you want to restore from and the drive (1) you want to restore files (folders) from as on the image below.
On right panel navigate to the file (folder) you want to restore. Right-click to the file or folder and click the Export button as shown in the figure below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and press ‘OK’ button.
Restore files encrypted by GandCrab V5 with PhotoRec
Before a file is encrypted, the GandCrab V5 virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file restore software such as the PhotoRec.
Download PhotoRec on your Windows Desktop from the following link.
Category: Security tools
Update: March 1, 2018
Once the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the following example.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as shown in the following example.
Select a drive to recover as displayed below.
You will see a list of available partitions. Select a partition that holds encrypted personal files like below.
Press File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is finished, press OK button.
Next, click Browse button to select where restored personal files should be written, then press Search.
Count of restored files is updated in real time. All recovered documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as on the image below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to prevent your system from becoming infected by GandCrab V5 ransomware?
Most antivirus programs already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus application, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your system from GandCrab V5 ransomware
Download CryptoPrevent on your Windows Desktop from the link below.
Run it and follow the setup wizard. Once the setup is finished, you will be displayed a window where you can select a level of protection, as shown on the screen below.
Now click the Apply button to activate the protection.
Now your computer should be clean of the GandCrab V5 ransomware virus. Uninstall MalwareBytes Anti Malware (MBAM) and KVRT. We suggest that you keep Zemana Free (to periodically scan your system for new malicious software). Make sure that you have all the Critical Updates recommended for MS Windows operating system. Without regular updates you WILL NOT be protected when new ransomware, malicious software and adware are released.
If you are still having problems while trying to remove GandCrab V5 virus from your PC, then ask for help here.