What is GANDCRAB V5.0.5? GANDCRAB V5.0.5 is a new variant of GANDCRAB ransomware, which has been discovered by IT security specialists. Once started, it will encrypt all personal files stored on computer drives and attached network drives. This post will provide you with all the things you need to know about this ransomware virus, how to remove GandCrab 5.0.5 ransomware virus from your system and how to recover all encrypted documents, photos and music for free.
The GandCrab 5.0.5 ransomware virus uses very strong hybrid encryption with a large key. The virus will encrypt almost all types of files, including common ones such as:
.2bp, .qdf, .bay, .asset, .dng, .p12, .wri, .ysp, .qic, .x3d, .pptm, .wp4, .arch00, .pdd, .das, .p7b, .mcmeta, .ppt, .rofl, .wp5, .dazip, .py, .rim, .mdb, .ods, .p7c, .wotreplay, .wps, .xlsm, .wire, .bkf, .r3d, .yml, .zip, .zabw, .mpqge, .yal, .srf, .forge, .odp, .webp, .xpm, .epk, .docm, .mov, .re4, .sb, .wgz, .wbk, .wpw, .dcr, .3dm, .xdb, .wm, .docx, .mdbackup, .vtf, .wpb, .bsa, .ntl, .kdc, .crw, .big, .pak, .wbz, .rwl, .syncdb, .vcf, .cfr, .xy3, .xld, .pkpass, .hplg, .db0, .xdl, .rb, .d3dbsp, .bc6, .orf, .xwp, .mlx, .vpk, .xml, .ws, .xlk, .slm, .y, .sav, .cr2, .xar, .wpl, .wpd, .pem, .wps, .m4a, .jpg, .lvl, .wmo, .snx, .wma, .wbmp, .wbc, .kf, .crt, .cer, .iwi, .xbdoc, .ybk, .wot, .jpe, .wp7, .xlsx, .z, .ztmp, .apk, .ltx, .itdb, .pef, .wmf, .nrw, .zw, .bar, .zi, .wma, .ai, .icxs, .wb2, .webdoc, .der, .fsh, .itm, .xlsx, .t13, .wpt, .vdf, .mp4, .pst, .ncf, .hkdb, .arw, .xll, .esm, .css, .xyp, .wmv, .wsh, .wpg, .odb, .rar, .txt, .dxg, .wsc, .xlgc, .png, .hvpl, .wmd, .map, .erf, .rw2, .t12, .cas, .odm, .fpk, .wcf, .tax, .3fr, .xxx, .wpe, .pfx, .wav, .wpd, .mddata, .xls, .0, .xf, .indd, .sum, .wp6, .pptx, .upk, .ff, .7z, .wpa, .eps, .mef, .mrwref, .dwg, .xyw, .wmv, .cdr, .zdb, .sie, .wn, .gho, .accdb, .sidn, .3ds, .xls, .kdb, .js, .lbf, .dmp, .xx, .bik, .hkx, .psk, .gdb, .xmind, .sidd, .ibank, .litemod, .bc7, .layout, .sr2, .iwd, .1, .zdc, .ptx, .rgss3a, .x3f, .z3d, .sis, .dbf, .zip, .menu, .vfs0, .avi, .jpeg, .odc, .zif, .wp, .x3f, .pdf, .wbm, .odt, .xlsb, .doc, .xmmap, .psd, .itl, .svg, .rtf, .csv, .sid, .sql, .flv, .raf, .wsd, .blob, .1st, .m3u, .desc, .m2, .dba, .xbplate, wallet, .tor, .lrf, .x, .bkp, .mdf, .vpp_pc, .xlsm, .wdp, .wbd, .fos, .wdb, .w3x, .srw
Once the encryption process is done, it creates a ransom note called “DECRYPT.txt” offering to decrypt all of the user's documents, photos and music if a payment is made. An example of the ransom note is:
---= GANDCRAB V5.0.5 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: *****
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
---------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: *****
| 4. Follow the instructions on this page
-----------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
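The note name and header shown above can be used to check which folders the ransomware reached before deciding what to restore. The Python script below is an added example, not part of the original guide; the UTF-8/UTF-16 handling and the sample folder names are assumptions.

```python
import os
import re
import tempfile

NOTE_NAME = "DECRYPT.txt"  # note file name given in this article
HEADER_RE = re.compile(r"---=\s*GANDCRAB\s+V(\d+(?:\.\d+)*)\s*=---", re.IGNORECASE)

def read_head(path, limit=4096):
    """Return the start of a file as text."""
    with open(path, "rb") as fh:
        raw = fh.read(limit)
    # Assumption: the note may be UTF-8 or UTF-16; a BOM or NUL bytes indicate UTF-16.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    if b"\x00" in raw[:64]:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def find_notes(root):
    """Map each directory under root that holds a GandCrab note to the header version."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != NOTE_NAME.lower():
                continue
            try:
                match = HEADER_RE.search(read_head(os.path.join(dirpath, name)))
            except OSError:
                continue  # unreadable file: skip it and keep sweeping
            if match:
                hits[dirpath] = match.group(1)
    return hits

def build_sample_tree(base):
    """Constructed sample data: two folders with a note, one unrelated DECRYPT.txt."""
    note = "---= GANDCRAB V5.0.5 =---\nAttention!\n---BEGIN GANDCRAB KEY---\n"
    layout = {"Documents": (note, "utf-8"), "Pictures": (note, "utf-16"),
              "Projects": ("how to decrypt our backups\n", "utf-8")}
    for folder, (text, enc) in layout.items():
        os.makedirs(os.path.join(base, folder))
        with open(os.path.join(base, folder, NOTE_NAME), "w", encoding=enc) as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, version in sorted(find_notes(tmp).items()):
            print(f"{folder}: GANDCRAB V{version} note")
```

To sweep a real drive, call find_notes() with the drive root instead of the constructed sample tree; the script only reads files and changes nothing.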
We recommend that you remove the GandCrab 5.0.5 virus as quickly as possible, before the presence of the ransomware virus leads to even worse consequences. Follow the few simple steps below to completely remove GandCrab 5.0.5 ransomware from your PC and to restore encrypted files, using only a few free utilities.
Table of contents
- How to decrypt files (GANDCRAB V5.0.5 decryptor)
- How to remove GandCrab 5.0.5 ransomware
- How to restore files encrypted by GANDCRAB V5.0.5
- How to prevent your machine from becoming infected by GandCrab 5.0.5 ransomware?
- To sum up
How to decrypt files (GANDCRAB V5.0.5 decryptor)
If your photos, documents and music have been locked by the GandCrab 5.0.5 ransomware virus, we recommend that you do not pay the ransom. You must understand that by paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
Of course, decryption without the GANDCRAB V5.0.5 decryptor is not possible, but that does not mean that this ransomware virus must seriously disrupt your life. The free tools listed below can be used to find and delete this virus and prevent any further damage. After that you can restore encrypted personal files from their Shadow Copies or by using a file recovery tool.
How to remove GandCrab 5.0.5 ransomware
There are not many good free antimalware applications with a high detection ratio. The effectiveness of malware removal tools depends on various factors, mostly on how often their virus/malware signature databases are updated in order to detect modern malware, ad-supported software, ransomware viruses and other potentially unwanted programs. We advise running several applications, not just one. The programs listed below will help you remove all components of the GandCrab 5.0.5 ransomware from your disk and Windows registry.
How to delete GandCrab 5.0.5 with Zemana Anti-malware
Zemana Anti-malware is highly recommended, because it can detect security threats such as the GandCrab 5.0.5 virus, adware and other malware that most ‘classic’ antivirus applications fail to pick up on. Moreover, if you have any GandCrab 5.0.5 removal problems which cannot be fixed by this tool automatically, then Zemana Anti-malware provides 24X7 online assistance from highly experienced support staff.
Download Zemana AntiMalware (ZAM) on your Windows Desktop by clicking on the following link.
When the download is complete, run it and follow the prompts. Once installed, Zemana will try to update itself. When this procedure is finished, press the “Scan” button to perform a system scan for files, folders and registry keys related to the GandCrab 5.0.5 virus.
Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. When GANDCRAB V5.0.5, other malware, adware or PUPs are found, the number of security threats will change accordingly. Wait until the scan is finished. When you are ready, click the “Next” button.
The Zemana Anti-Malware (ZAM) will remove GandCrab 5.0.5 virus and other malicious software and PUPs.
How to remove GandCrab 5.0.5 with Malwarebytes
Manual GandCrab 5.0.5 virus removal requires some computer skills. Some files and registry entries created by the ransomware virus may not be completely removed. We recommend that you run Malwarebytes Free to completely free your computer of this ransomware. Moreover, the free program will help you to delete malicious software, potentially unwanted programs, adware and toolbars that your personal computer may also be infected with.
Installing MalwareBytes is simple. First you’ll need to download MalwareBytes on your Microsoft Windows Desktop from the link below.
Once the download is complete, run it and follow the prompts. Once installed, MalwareBytes AntiMalware (MBAM) will try to update itself. When this procedure is done, press the “Scan Now” button. The MalwareBytes Free tool will start scanning the whole machine to find the GandCrab 5.0.5 ransomware and other kinds of potential threats such as malicious software and potentially unwanted applications. While the utility is checking, you can see the number of objects and files it has already scanned. Review the results once the utility has completed the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press the “Quarantine Selected” button.
MalwareBytes Free is a free program that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal tool, we suggest that you read and follow the few simple steps or the video guide below.
If the problem with GandCrab 5.0.5 virus still remains
If MalwareBytes anti-malware or Zemana anti-malware cannot remove the GANDCRAB V5.0.5 ransomware, then we suggest running KVRT. KVRT is a free removal utility for ransomware viruses, ad-supported software, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your Windows desktop.
Once the download is finished, double-click on the Kaspersky virus removal tool icon. Once the initialization process is complete, you will see the Kaspersky virus removal tool screen as displayed on the screen below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next press the Start scan button. The Kaspersky virus removal tool will begin scanning the whole computer to find the GandCrab 5.0.5 ransomware virus and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your system. When a threat is detected, the count of security threats will change accordingly. Wait until the check is finished.
Once the scan is finished, a list of all threats detected is prepared as on the image below.
When you’re ready, click on Continue to begin a cleaning procedure.
How to restore files encrypted by GANDCRAB V5.0.5
In some cases, you can recover files encrypted by the GandCrab 5.0.5 ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Recover encrypted files with ShadowExplorer
A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can restore personal files encrypted by the GandCrab 5.0.5 ransomware virus from Shadow Copies for free.
Visit the following page to download ShadowExplorer. Save it on your Windows desktop.
Once the download is done, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.
Double-click ShadowExplorerPortable to start it. You will see a window as shown on the screen below.
In the top left corner, choose the drive where encrypted personal files are stored and the latest restore point as displayed on the image below (1 – drive, 2 – restore point).
On the right panel, look for a file that you want to restore, right-click on it and select Export as on the image below.
Run PhotoRec to restore encrypted files
Before a file is encrypted, the GandCrab 5.0.5 virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file restore applications like PhotoRec.
Download PhotoRec by clicking on the following link. Save it to your Desktop so that you can access the file easily.
After the download is finished, open the directory in which you saved it. Right-click on testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen as shown on the image below.
Choose a drive to recover as shown in the following example.
You will see a list of available partitions. Select a partition that holds encrypted files as shown in the following example.
Click the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, press the Browse button to choose where restored personal files should be written, then click Search.
The count of restored files is updated in real time. All recovered documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the restore is finished, press the Quit button. Next, open the directory where the recovered files are stored. You will see contents as shown on the screen below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can sort your restored files by extension and/or date/time.
How to prevent your machine from becoming infected by GandCrab 5.0.5 ransomware?
Most antivirus apps already have a built-in protection system against the virus. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As an extra protection, run CryptoPrevent.
Run CryptoPrevent to protect your PC from GandCrab 5.0.5 virus
Download CryptoPrevent by clicking on the link below. Save it on your Microsoft Windows desktop or in any other place.
Run it and follow the setup wizard. Once the installation is done, you will be shown a window where you can select a level of protection, like below.
Now click the Apply button to activate the protection.
To sum up
Now your personal computer should be free of the GandCrab 5.0.5 virus. Delete KVRT and MalwareBytes. We suggest that you keep Zemana Anti-Malware (ZAM) (to periodically scan your system for new malware). You are probably running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to get rid of GANDCRAB V5.0.5 ransomware from your computer, then ask for help here.