
Remove GANDCRAB ransomware virus (Restore .GDCB files)

Myantispyware team January 30, 2018    

This week, computer security specialists have received reports of yet another ransomware called GandCrab. This ransomware virus spreads via exploit kits and malware files and appends the GDCB extension to encrypted files.

GANDCRAB ransomware

GDCB-DECRYPT.txt

The GandCrab virus is ransomware developed to encrypt personal photos, documents and music found on an infected PC using a strong encryption algorithm with a big key, adding the GDCB extension to all encrypted files. Once the encryption process is done, it shows a ransom message offering to decrypt all of the user's photos, documents and music if a payment is made.

The ransom note tells the victim to use the GandCrab Decryptor in order to decrypt all files. GandCrab's makers require a ransom payment (the usual demand is 1.54 DASH ~ $1,200 USD). We don't recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files, especially since you have a chance to restore your photos, documents and music for free using utilities such as ShadowExplorer and PhotoRec.

Use the step-by-step guide below to delete the virus itself and try to restore encrypted files.

Table of contents

  1. What is GandCrab virus
  2. How to decrypt .GDCB files (GandCrab Decryptor)
  3. How to remove GandCrab virus
    • Run Zemana Anti-malware to remove ransomware virus
    • How to remove GandCrab with Malwarebytes
    • Remove GandCrab from PC system with KVRT
  4. How to restore .GDCB files
    • Use ShadowExplorer to recover .GDCB files
    • Use PhotoRec to restore .GDCB files
  5. How to prevent your system from becoming infected by GandCrab ransomware virus?
    • Run CryptoPrevent to protect your PC from GandCrab ransomware virus
  6. Finish words

What is GandCrab virus

GandCrab is a variant of crypto viruses (malware that encrypts personal files and demands a ransom). It affects all current versions of the Microsoft Windows operating system, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. This ransomware virus uses a strong encryption method to eliminate the possibility of brute forcing a key that would allow the encrypted documents, photos and music to be decrypted.

Immediately after launch, the GANDCRAB ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension to define the group of files that will be encrypted. It encrypts almost all types of files, including common ones such as:

.ysp, .icxs, .xlsm, .gho, .ibank, .itdb, .vfs0, .dazip, .hkdb, .t13, .epk, .wp4, .wpa, .odc, .rar, .xmmap, .lvl, .odm, .srf, .1, .xlsb, .srw, .zif, .wpd, .rwl, .forge, .rw2, .x, .sum, .wbm, .fpk, .asset, .dcr, .jpe, .wbd, .wma, .eps, .odp, .xld, .wire, .orf, .pdd, .wb2, .sie, .lbf, .slm, .kdb, .ztmp, .wpd, .pdf, .mrwref, .wmd, .fsh, .layout, .hvpl, .vdf, .nrw, .pfx, .p7b, .xy3, .sav, .png, .txt, .raf, .wgz, .zip, .y, .7z, .bay, .zdb, .3ds, .flv, .pptm, .tor, .cr2, .mov, .mcmeta, .vcf, .xml, .crt, .pst, .crw, .xbdoc, .xlsx, .xxx, .rtf, .xll, .doc, .avi, .pef, .sql, .arch00, .csv, .wri, .wav, .big, .hkx, .jpeg, .qic, .mef, .bkf, .zw, .tax, .wsh, .gdb, .syncdb, .bc7, .raw, .1st, .docm, .mdb, .pptx, .3dm, .xyw, .m2, .wmo, .psd, .ntl, .ff, .ods, .wpe, .ppt, .wbmp, .iwi, .mdf, .svg, .lrf, .xls, .xmind, wallet, .xlgc, .js, .xls, .wpg, .dbf, .d3dbsp, .arw, .bc6, .wpl, .ybk, .der, .pem, .db0, .das, .bik, .wma, .indd, .iwd, .itl, .cdr, .cas, .xf, .p12, .wm, .xx, .zdc, .zi, .m4a, .yal, .xlsm, .itm, .qdf, .m3u, .wbk, .xlk, .pak, .docx, .yml, .erf, .mlx, .wot, .rim, .sis, .x3d, .hplg, .wp7, .zip, .css, .bkp, .wpb, .ptx, .cfr, .wmf, .wcf, .map, .kf, .xlsx, .mdbackup, .re4, .xbplate, .dwg, .ai, .wmv, .3fr, .snx, .wps, .desc, .xdl, .z, .webp, .t12, .mpqge, .apk, .rgss3a, .2bp, .wps, .sidd, .jpg, .p7c, .esm, .wn, .wmv, .wpt, .mddata, .fos, .wp6, .menu, .wpw, .bsa, .xyp, .rb, .ltx, .dba, .xpm, .wsc, .xwp, .odt, .mp4, .wdp, .vpp_pc, .wsd, .ws, .zabw, .wdb, .wotreplay, .rofl, .bar, .accdb, .pkpass, .sid, .vpk, .sb, .dmp, .z3d, .py, .ncf, .xar, .dxg, .w3x, .0, .xdb, .dng, .vtf, .webdoc, .wp, .upk, .x3f, .blob, .cer, .x3f, .sidn, .psk, .odb

Once a file is encrypted, its extension is changed to GDCB. Next, the GANDCRAB ransomware creates a file called “GDCB-DECRYPT.txt”. This file contains a note on how to decrypt all encrypted documents, photos and music. You can see one of the variants of the ransom note below:

---= GANDCRAB =---

Attention!
All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB 
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/ ***                
5. Follow the instructions on this page


If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:
1. http://gdcbghvjyqy7jclk.onion.top/***              
2. http://gdcbghvjyqy7jclk.onion.casa/***              
3. http://gdcbghvjyqy7jclk.onion.guide/***                
4. http://gdcbghvjyqy7jclk.onion.rip/***                                           
5. http://gdcbghvjyqy7jclk.onion.plus/***                         

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

DANGEROUS!
Do not try to modify files or use your own private key - this will result in the loss of your data forever!

How to decrypt .GDCB files (GandCrab Decryptor)

Currently there is no available method to decrypt GDCB files, but you have a chance to recover encrypted documents, photos and music for free. The GANDCRAB ransomware repeatedly tells the victim that the only method of recovering files is to purchase the GandCrab Decryptor. This means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the creators of the GandCrab ransomware the entire amount requested is the only method to try to get the GandCrab Decryptor and decrypt all your files.

There is absolutely no guarantee that, after you pay a ransom to the creators of the GandCrab virus, they will provide the GandCrab Decryptor to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new ransomware.

How to remove GandCrab virus

We can help you remove the GandCrab virus without the need to take your personal computer to a professional. Simply follow the removal tutorial below if you currently have the virus on your PC and want to delete it. If you have any difficulty while trying to remove the ransomware virus, feel free to ask for our assistance in the comment section below. Some of the steps will require you to reboot your PC or close this web site. So, read this guide carefully, then bookmark or print it for later reference.




Run Zemana Anti-malware to remove ransomware virus

Zemana Anti-malware is a tool that can remove ransomware, ad supported software, potentially unwanted applications, browser hijackers and other malicious software from your PC easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses a minimum of personal computer resources.

Zemana Anti-Malware get rid of GandCrab ransomware and other security threats

  1. Please go to the link below to download the latest version of Zemana for MS Windows. Save it on your Microsoft Windows desktop or in any other place.
    Zemana AntiMalware
  2. Once downloading is complete, close all apps and windows on your computer. Open the file location. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
  3. Further, click Next button and follow the prompts.
  4. Once setup is finished, press the “Scan” button to scan your computer for the GandCrab ransomware virus and other security threats. This process can take some time, so please be patient. When malicious software, ad supported software or potentially unwanted applications are found, the number of security threats will change accordingly. Wait until the check is done.
  5. Once the scan is done, Zemana AntiMalware will show a scan report. Review the scan results and then click “Next”. Once disinfection is done, you may be prompted to reboot your PC.

How to remove GandCrab with Malwarebytes

We suggest using Malwarebytes Free. You can download and install Malwarebytes to scan for and delete the GandCrab ransomware virus from your personal computer. When installed and updated, the free malicious software remover will automatically scan for and detect all threats present on the PC.

Visit the following page to download MalwareBytes Anti-Malware. Save it to your Desktop so that you can access the file easily.

Malwarebytes Anti-malware

After the download is complete, close all programs and windows on your PC. Open the directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown on the image below.

MalwareBytes Anti-Malware for Windows

When the installation starts, you will see the “Setup wizard” that will help you set up Malwarebytes on your computer.

MalwareBytes for MS Windows set up wizard

Once the install is complete, you will see a window like the one below.

MalwareBytes AntiMalware for MS Windows

Now press the “Scan Now” button to perform a system scan with this tool for the GandCrab ransomware virus and other kinds of potential threats such as malware and potentially unwanted programs. This process can take quite a while, so please be patient. While the utility is checking, you can see how many objects and files have already been scanned.

MalwareBytes for Windows scan for GandCrab ransomware virus and other kinds of potential threats such as malware and potentially unwanted apps

When the scan ends, MalwareBytes Anti Malware will show you the results. Review the scan results and then click the “Quarantine Selected” button.

MalwareBytes Free for Windows, scan for ransomware is done

Malwarebytes will now get rid of the GandCrab ransomware and other kinds of potential threats such as malicious software and potentially unwanted apps and add the threats to the Quarantine. After the clean-up is finished, you may be prompted to reboot your system.

MalwareBytes Free for MS Windows restart dialog box

The following video explains how to delete hijackers, adware and other malicious software with MalwareBytes Anti Malware.

Remove GandCrab from PC system with KVRT

KVRT is a free removal utility that may be downloaded and run to get rid of ransomware viruses, adware, malware, potentially unwanted programs, toolbars and other threats from your PC. You can run this utility to search for threats even if you have an antivirus or any other security program.

Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it directly to your Microsoft Windows Desktop.

Kaspersky virus removal tool

Once the download is complete, double-click on the KVRT icon. Once the initialization procedure is finished, you’ll see the KVRT screen as shown in the following example.

Kaspersky virus removal tool main window

Click Change Parameters and tick the check box next to each of your drives. Click OK to close the Parameters window. Next click the Start scan button to perform a system scan for the GandCrab ransomware and other trojans and malicious software. When malicious software, ‘ad supported’ software or PUPs are detected, the count of security threats will change accordingly.

Kaspersky virus removal tool scanning

After Kaspersky virus removal tool has completed scanning, a list of all items found is prepared as shown on the screen below.

Kaspersky virus removal tool scan report

Review the report and then click on Continue to begin a cleaning process.

How to restore .GDCB files

In some cases, you can restore files encrypted by the GandCrab virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.




Use ShadowExplorer to recover .GDCB files

If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.

Download ShadowExplorer by clicking on the link below.

ShadowExplorer

Once the downloading process is finished, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.

ShadowExplorer folder

Double-click ShadowExplorerPortable to launch it. You will see a window as shown on the image below.

ShadowExplorer

In the top left corner, select the drive where the encrypted photos, documents and music are stored and the latest restore point, as on the image below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you want to recover, right-click on it and select Export as shown below.

ShadowExplorer restore file

Use PhotoRec to restore .GDCB files

Before a file is encrypted, the GandCrab ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file recovery apps like PhotoRec.

Download PhotoRec on your computer by clicking on the following link.

PhotoRec

After the download is finished, open the directory in which you saved it. Right-click on testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.

testdisk photorec folder

Double-click on qphotorec_win to run PhotoRec for Windows. It will display a screen as shown in the figure below.

PhotoRec for windows

Select a drive to recover as shown in the figure below.

photorec choose drive

You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as displayed in the figure below.

photorec choose partition

Click the File Formats button and specify the file types to restore. You can enable or disable the restore of certain file types. When this is done, press the OK button.

PhotoRec file formats

Next, press the Browse button to select where recovered files should be written, then click Search.

photorec

The count of recovered files is updated in real time. All recovered personal files are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is finished, click on the Quit button. Next, open the directory where the restored personal files are stored. You will see contents like those below.

PhotoRec - result of recovery

All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can sort your recovered files by extension and/or date/time.
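To judge how much of the damage PhotoRec has covered, the sketch below counts encrypted files per original extension and compares that with what landed in the recup_dir.N folders. It is an added example, not part of the original guide or of any tool named here; it assumes the extension is appended (for example report.docx.GDCB), and the function names and the sample tree are constructed for illustration.

```python
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".gdcb"          # extension named in this guide
RANSOM_NOTE = "GDCB-DECRYPT.txt"    # ransom note file name named in this guide


def inventory_encrypted(root):
    """Count encrypted files per original extension; list folders holding a ransom note."""
    lost, note_dirs = Counter(), []
    for path in Path(root).rglob("*"):
        if path.name.lower() == RANSOM_NOTE.lower():
            note_dirs.append(path.parent)
        elif path.suffix.lower() == ENCRYPTED_SUFFIX and path.is_file():
            # Assumption: the extension is appended, e.g. report.docx.GDCB
            original_ext = Path(path.stem).suffix.lower() or "(none)"
            lost[original_ext] += 1
    return lost, sorted(note_dirs)


def inventory_recovered(recovery_root):
    """Count files per extension inside PhotoRec's recup_dir.N output folders."""
    found = Counter()
    for path in Path(recovery_root).glob("recup_dir.*/**/*"):
        if path.is_file():
            found[path.suffix.lower() or "(none)"] += 1
    return found


def coverage(lost, found):
    """Return rows (extension, encrypted, recovered), most affected type first."""
    # Carved files generally lose their original names, so only counts per type compare.
    return [(ext, n, found.get(ext, 0)) for ext, n in lost.most_common()]


def build_demo_tree(base):
    """Create a constructed sample: an affected tree and a PhotoRec output tree."""
    docs = Path(base, "Users", "demo", "Documents")
    docs.mkdir(parents=True)
    for name in ("report.docx.GDCB", "budget.xlsx.GDCB", "notes.docx.GDCB", "keep.txt"):
        (docs / name).write_bytes(b"constructed sample")
    (docs / RANSOM_NOTE).write_text("constructed sample note")
    out = Path(base, "recovered", "recup_dir.1")
    out.mkdir(parents=True)
    for name in ("f0000001.docx", "f0000002.jpg"):
        (out / name).write_bytes(b"constructed sample")
    return Path(base, "Users"), Path(base, "recovered")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        infected, recovered = build_demo_tree(tmp)
        lost, notes = inventory_encrypted(infected)
        print("Folders with ransom note:", [str(p) for p in notes])
        for ext, enc, rec in coverage(lost, inventory_recovered(recovered)):
            print(f"{ext:8} encrypted={enc:3} recovered={rec:3}")
```

On a real machine, point `inventory_encrypted` at the affected drive and `inventory_recovered` at the folder chosen with the Browse button; extensions with a low recovered count are the ones to enable under File Formats on a second pass.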

How to prevent your system from becoming infected by GandCrab ransomware virus?

Most antivirus programs already have built-in protection against ransomware. Therefore, if your system does not have an antivirus application, make sure you install one. As extra protection, use CryptoPrevent.

Run CryptoPrevent to protect your PC from GandCrab ransomware virus

Download CryptoPrevent on your MS Windows Desktop by clicking on the following link.

www.foolishit.com/download/cryptoprevent/

Run it and follow the setup wizard. Once the setup is finished, you’ll be shown a window where you can choose a level of protection, as displayed in the following example.

CryptoPrevent

Now click the Apply button to activate the protection.

Finish words

Now your machine should be free of the GandCrab ransomware virus. Delete Kaspersky virus removal tool and MalwareBytes Free. We recommend that you keep Zemana Anti-Malware (to periodically scan your computer for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.

If you are still having problems while trying to delete GandCrab ransomware from your computer, then ask for help in our Spyware/Malware removal forum.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
