Experienced security specialists discovered a new variant of ransomware that named ‘GANDCRAB v5.3‘. This blog post will provide you a brief summary of information related to this ransomware and how to recover (decrypt) encrypted files for free.
Immediately after the launch, the GANDCRAB 5.3 ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.kdc, .webdoc, .ods, .arch00, .der, .docx, .itdb, .mrwref, .fos, .raf, .ppt, .esm, .xll, .wb2, .zi, .mpqge, .wbm, .slm, .xar, .wpw, .wm, .xlsx, .dbf, .mcmeta, .3ds, .xyp, .hplg, .srf, .vtf, .m2, .x3f, .vpk, .wps, .r3d, .y, .epk, .wpe, .pdf, .sum, .rtf, .dwg, .odp, .wbz, .odt, .yml, .wmv, .db0, .sie, .xbplate, .odb, .icxs, .sr2, .wmo, .zw, .tax, .vpp_pc, .wcf, .ybk, .sid, .vfs0, .wp6, .cdr, .asset, .wpa, .xdb, .wp, .cas, .wmd, .mov, .wgz, .xy3, .zdb, .orf, .xyw, .pef, .t12, .1st, .snx, .flv, .iwd, .desc, .hkdb, .ptx, .yal, .bik, .wp4, .txt, .lvl, .docm, .dcr, .mdb, .bc6, .wpl, .psd, .0, .forge, .apk, .wbk, .wma, .pfx, .jpe, .ncf, .dazip, .wsh, .vcf, .pak, .wdp, .accdb, .py, .z, .sidn, .dng, .indd, .pem, .itl, .t13, .zabw, .tor, .wmv, .mddata, .webp, .menu, .re4, .wri, .wp5, .das, .ntl, .rim, .raw, .zif, .sis, .crt, .js, .wpb, .p12, .wma, .cr2, .wpt, .bkp, .bsa, .wmf, .p7b, .map, .wp7, .ysp, .eps, .doc, .pptx, .xlgc, .css, .wsd, .nrw, .blob, .rar, .vdf, .litemod, .z3d, .wot, .wdb, .crw, .bay, .xls, .wn, .ltx, .xf, .zip, .sav, .rw2, .d3dbsp, .wpg, .lrf, .p7c, .erf, .dxg, .zdc, .mlx, .itm, .xlsx, .odm, .ai, .csv, .wotreplay, .bkf, .m3u, .ibank, .syncdb, .png, .xld, .7z, wallet, .xlsm, .fsh, .big, .avi, .bc7, .m4a, .rgss3a, .pkpass, .jpeg, .x3d, .wav, .pptm, .svg, .kf, .w3x, .rb, .wpd, .qdf, .wbc, .lbf, .hvpl, .pdd, .sb, .iwi, .wsc, .rofl, .hkx, .mdf, .x3f, .xls, .fpk, .rwl, .gho, .sql, .pst, .xlsm, .bar, .psk, .gdb, .mp4, .wbd, .mdbackup, .3dm, .cer, .arw, .xbdoc, .srw, .xxx, .xml, .wire, .xmmap, .upk, .wbmp, .ff, .wps, .xx, .sidd, .ztmp
When the ransomware encrypts a file, it will add a new extension to every encrypted file. Once the ransomware virus finished enciphering of all photos, documents and music, it will create a file named “MANUAL.txt” with ransom note on how to decrypt all personal files. You can see an one of the variants of the ransomnote below:
---= GANDCRAB V5.3 =--- UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: *** The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. Only us can recover your files You need follow the next instructions: ---------------------------------------------------------------------------------------- 1. Send a mail to us at the next address with this note:*** ADDRESS: email@example.com ---------------------------------------------------------------------------------------- We will send you the instructions to pay.
|Type||ransomware, crypto virus|
|Detection Names||Kaspersky HEUR:Trojan.Win32.Generic, Avast Win32:Trojan-gen, ESET-NOD32 a variant of Win32/Filecoder.GandCrab.F, Symantec Ransom.GandCrab!g5|
|Symptoms||Files that won’t open, Odd (random) file extensions, Ransom demanding message on your desktop|
|Removal||To remove GANDCRAB V5.3 use the removal guide|
|Decryption||To decrypt GANDCRAB 5.3 use the steps|
- How to remove GANDCRAB 5.3 ransomware virus
- How to decrypt GANDCRAB 5.3
- How to restore encrypted files
- How to protect your machine from GANDCRAB 5.3 ransomware?
- Finish words
How to remove GANDCRAB 5.3 ransomware virus
Before you open the procedure of recovering photos, documents and music that has been encrypted, make sure GANDCRAB 5.3 ransomware is not running. Firstly, you need to get rid of this ransomware virus permanently. Happily, there are several malicious software removal tools that will effectively find and delete GANDCRAB 5.3 ransomware and other crypto virus malicious software from your computer.
Remove GANDCRAB 5.3 virus with Zemana Anti-malware
Thinking about remove GANDCRAB 5.3 ransomware virus from your system? Then pay attention to Zemana. This is a well-known utility, originally created just to scan for and remove malware, trojans and worms. But by now it has seriously changed and can not only rid you of malware, but also protect your computer from ransomware virus, malware and adware software, as well as identify and remove common viruses and trojans.
- Installing the Zemana Free is simple. First you’ll need to download Zemana on your Windows Desktop by clicking on the link below.
Author: Zemana Ltd
Category: Security tools
Update: February 14, 2019
- When the downloading process is complete, close all applications and windows on your PC system. Open a file location. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, click Next button and follow the prompts.
- Once setup is finished, click the “Scan” button to find GANDCRAB 5.3 ransomware related files, folders and registry keys. Depending on your PC, the scan may take anywhere from a few minutes to close to an hour. While the Zemana Anti-Malware program is scanning, you can see how many objects it has identified as threat.
- When the scan is complete, a list of all threats found is produced. Review the results once the tool has complete the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press “Next”. When finished, you can be prompted to restart your computer.
Remove GANDCRAB V5.3 virus with MalwareBytes Free
We recommend using the MalwareBytes Free. You may download and install MalwareBytes Anti Malware to detect and remove GANDCRAB V5.3 ransomware from your PC. When installed and updated, this free malware remover automatically scans for and removes all threats exist on the PC system.
Download MalwareBytes AntiMalware (MBAM) on your Microsoft Windows Desktop from the link below.
Category: Security tools
Update: February 5, 2019
When the downloading process is finished, close all programs and windows on your PC system. Double-click the install file called mb3-setup. If the “User Account Control” dialog box pops up as shown in the following example, click the “Yes” button.
It will open the “Setup wizard” which will help you set up MalwareBytes Anti Malware (MBAM) on your computer. Follow the prompts and do not make any changes to default settings.
Once install is complete successfully, click Finish button. MalwareBytes Anti Malware (MBAM) will automatically start and you can see its main screen as shown in the figure below.
Now click the “Scan Now” button to begin scanning your PC system for the GANDCRAB V5.3 ransomware and other security threats. This procedure may take quite a while, so please be patient. While the MalwareBytes Free tool is checking, you may see how many objects it has identified as being infected by malicious software.
After the scanning is finished, MalwareBytes AntiMalware (MBAM) will produce a list of malware, ransomware and trojans. In order to delete all items, simply press “Quarantine Selected” button. The MalwareBytes will begin to remove GANDCRAB V5.3 ransomware and other kinds of potential threats. After finished, you may be prompted to reboot the personal computer.
We suggest you look at the following video, which completely explains the process of using the MalwareBytes Free to remove adware software, hijacker and other malicious software.
Remove GANDCRAB v5.3 ransomware with KVRT
KVRT is a free removal tool that can be downloaded and use to remove ransomware, adware, malicious software, trojans, worms and other threats from your PC. You may run this tool to search for threats even if you have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop by clicking on the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is finished, double-click on the KVRT icon. Once initialization procedure is done, you will see the KVRT screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the GANDCRAB v5.3 ransomware virus and other trojans and malicious programs. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. During the scan Kaspersky virus removal tool will find threats present on your PC system.
Once the scanning is done, KVRT will open a scan report as displayed on the screen below.
Next, you need to press on Continue to start a cleaning task.
How to decrypt GANDCRAB 5.3
GANDCRAB 5.3 ransomware virus uses a strong encryption method. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the GANDCRAB 5.3 ransomware entire amount requested – the only way to try to get the decryption key and decrypt all your files.
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt encrypted files documents, photos and music quickly. There is no guarantee that the makers of GANDCRAB 5.3 ransomware virus will live up to the word and give back your files.
Free malware removal tools listed in this article can be used to detect and delete ransomware virus and prevent any further damage. After that you can recover encrypted personal files from their Shadow Copies or using file restore tool.
How to restore encrypted files
In some cases, you can recover files encrypted by GANDCRAB 5.3 ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Recover encrypted files with ShadowExplorer
In some cases, you have a chance to restore your photos, documents and music which were encrypted by the GANDCRAB 5.3 ransomware virus. This is possible due to the use of the utility called ShadowExplorer. It is a free program that designed to obtain ‘shadow copies’ of files.
ShadowExplorer can be downloaded from the following link. Save it directly to your Microsoft Windows Desktop.
Category: Security tools
Update: February 27, 2018
After downloading is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Double click ShadowExplorerPortable to run it. You will see the a window as displayed in the following example.
In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as displayed in the figure below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as displayed below.
Restore encrypted files with PhotoRec
Before a file is encrypted, the GANDCRAB 5.3 ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file restore software such as PhotoRec.
Download PhotoRec on your PC by clicking on the link below.
Category: Security tools
Update: March 1, 2018
After the downloading process is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as displayed below.
Choose a drive to recover as displayed in the following example.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as shown in the following example.
Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is done, click OK button.
Next, click Browse button to select where recovered photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All restored files are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the restore is done, click on Quit button. Next, open the directory where restored files are stored. You will see a contents as shown on the image below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your machine from GANDCRAB 5.3 ransomware?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your PC system from GANDCRAB 5.3 ransomware
All-in-all, HitmanPro.Alert is a fantastic utility to protect your PC from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows operating system from Microsoft Windows XP to Windows 10.
Visit the page linked below to download HitmanPro Alert. Save it on your Desktop.
Category: Security tools
Update: March 6, 2019
After downloading is done, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is started, you will be shown a window where you can choose a level of protection, as displayed on the image below.
Now press the Install button to activate the protection.
Now your computer should be clean of the GANDCRAB 5.3 ransomware virus. Uninstall MalwareBytes Free and KVRT. We suggest that you keep Zemana Free (to periodically scan your PC system for new malicious software). Make sure that you have all the Critical Updates recommended for Windows OS. Without regular updates you WILL NOT be protected when new ransomware, malicious applications and adware are released.
If you are still having problems while trying to delete GANDCRAB 5.3 ransomware from your PC, then ask for help here.