Cyber threat analysts have discovered a new variant of the GandCrab ransomware, named GandCrab V3. Like the previous version of this ransomware, it appends the .CRAB extension to encrypted file names. This post provides a brief summary of information about this new ransomware and explains how to remove GandCrab V3 and how to restore all encrypted photos, documents and music for free.
GandCrab V3 is malware created to encrypt files. It hijacks a whole personal computer or its data and demands a ransom to unlock (decrypt) them. The creators of the GandCrab V3 virus have a strong financial motive to infect as many personal computers as possible. Files with the following extensions are encrypted:
.qic, .wav, .csv, .m4a, .doc, .big, .sr2, .wire, .slm, .cas, .lvl, .bay, .psk, .fsh, .rofl, .ai, .css, .sis, .wp7, .eps, .menu, .mdbackup, .xbplate, .dba, .js, .xlsm, .vfs0, .ntl, .litemod, .xmind, .crt, .dmp, .lbf, .p12, .odt, .zip, .syncdb, .tax, .mdf, .xls, .xy3, .wpt, .wpd, .indd, .wbc, .pptx, .wma, .bsa, .sidd, .yal, .cer, .wma, .p7c, .docx, .wp4, .sav, .wb2, .snx, .hplg, .xpm, .xlgc, .dbf, .pfx, .txt, .0, .rim, .vdf, .ysp, .mrwref, .wsc, .xlsb, .wm, .jpe, .ppt, .ws, .xx, .xml, .wpe, .rtf, .crw, .wbm, .bar, .xlk, .xls, .hkx, .kdc, .xll, .dazip, .wmf, .docm, .zif, .vtf, .wotreplay, .mp4, .sb, .3fr, .w3x, .qdf, .7z, .odc, .x3d, .iwd, .dxg, .odb, .arw, .cdr, .raf, .ptx, .xlsx, .wmv, .der, .pst, .py, .jpeg, .sidn, .p7b, .xar, .map, .wbmp, .xmmap, .srf, .wmv, .blob, .wsd, .x3f, .lrf, .svg, .xyw, .rw2, .webp, .bkp, .icxs, .mef, .xwp, .re4, .erf, .accdb, .rb, .dwg, .nrw, .wdp, .avi, .r3d, .zabw, .pdd, .upk, .1st, .zip, .wmo, .pdf, .wpb, .bc6, .ybk, .epk, .wsh, .forge, .odp, .wpl, .vcf, .desc, .wpg, .sql, .mpqge, .png, .bkf, .y, .zdc, .m3u, .wps, .xyp, .x3f, .pak, .srw, .hvpl, .d3dbsp, .vpp_pc, .xf, .cr2, .ztmp, .wdb, .3dm, .zdb, .fos, .wp6, .pkpass, .dng, .mddata, .z, .esm, .mlx, .sie, .sid, .hkdb, .cfr, .pef, .2bp, .gho, .mdb, .iwi, .xld, .xdb, .wcf, .raw, .x, .asset, .zi, .wri, .yml, .pptm, .wgz, .xlsx, .m2, .3ds, .itdb, .flv, .tor, .xbdoc, .wmd, .wpd, .ods, .itl, .bik, .vpk, .xxx, .wot, .apk, .wbk, .mov, .psd, .ltx, wallet, .gdb, .wps, .ff, .layout, .odm, .xdl, .ibank, .t12, .1, .xlsm, .wpw, .rwl, .kf, .wpa, .sum
Once the encryption procedure is done, it creates a ransom note called “CRAB-DECRYPT.txt” offering to decrypt all of the user's files if a payment is made. You can see one of the variants of the ransom note below:
---= GANDCRAB V3 =---
All your files documents, photos, databases and other important files
are encrypted and have the extension: .CRAB
The only method of recovering files is to purchase a private key.
It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get
there by the following ways:
0. Download Tor browser - https://www.torproject.org/
1. Install Tor browser
2. Open Tor Browser
3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id]
4. Follow the instructions on this page
On our page you will see instructions on payment
and get the opportunity to decrypt 1 file for free.
The ransom note tells the victim to contact GandCrab V3’s developers in order to decrypt all personal files. These persons will demand a ransom (usually $300-1000 in Bitcoins). We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your documents, photos and music, especially since you have a chance to restore your documents, photos and music for free using free utilities like ShadowExplorer and PhotoRec.
Unfortunately, at this time, victims of the GandCrab V3 virus cannot decrypt encrypted personal files without the actual encryption key. But you can follow our tutorial below to search for and get rid of GandCrab V3 ransomware virus from your machine as well as restore encrypted photos, documents and music for free.
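Before cleaning up or attempting recovery, it helps to know how much of a drive was touched. The following is an added example, not part of the original post or of any tool it mentions: a read-only Python scan that counts files carrying the .CRAB extension and copies of CRAB-DECRYPT.txt, the two markers described above. The function names and the sample tree are hypothetical, and the script assumes the extension is appended after the original one (for example report.docx.CRAB).

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".crab"            # ".CRAB" as named on this page, lower-cased
RANSOM_NOTE = "crab-decrypt.txt"   # "CRAB-DECRYPT.txt" as named on this page

def triage(root):
    """Read-only walk of root that summarises GandCrab V3 markers."""
    notes, encrypted, by_type = [], [], Counter()
    # Unreadable folders are skipped instead of aborting the walk.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower, path = name.lower(), Path(dirpath) / name
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # Assumption: "report.docx.CRAB" was "report.docx" before.
                original = Path(name[:-len(ENCRYPTED_EXT)]).suffix.lower()
                by_type[original or "(none)"] += 1
    return {
        "notes": notes,
        "encrypted": encrypted,
        "by_type": by_type,
        "dirs_hit": sorted({p.parent for p in encrypted}),
    }

def build_sample_tree(base):
    """Constructed sample: empty files that only imitate the naming."""
    for rel in ("docs/report.docx.CRAB", "docs/CRAB-DECRYPT.txt",
                "pics/a.jpg.CRAB", "pics/b.JPG.crab", "pics/clean.png",
                "todo.txt"):
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = triage(tmp)
        print("ransom notes:", len(report["notes"]))
        print("encrypted files:", len(report["encrypted"]))
        for ext, count in report["by_type"].most_common():
            print(f"  {ext}: {count}")
        for folder in report["dirs_hit"]:
            print("affected folder:", folder)
```

To scan a real drive, call triage() on its root; the per-type counts show which kinds of documents to prioritise when restoring from backups or shadow copies.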
Table of contents
- What is GandCrab V3 ransomware
- How to decrypt encrypted files
- How to remove GandCrab V3 ransomware virus
- Run ShadowExplorer to restore encrypted files
- Restore encrypted files with PhotoRec
- To sum up
How to decrypt encrypted files
Currently there is no available method to decrypt CRAB files, but you have a chance to restore encrypted documents, photos and music for free. The virus repeatedly tells the victim that it uses a hybrid AES + RSA encryption mode. This means that decrypting the files is impossible without the private key. Brute forcing the key is also not an option because of the key's length. Therefore, unfortunately, paying the developers of the GandCrab V3 ransomware the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that, after you pay a ransom to the creators of the GandCrab V3 virus, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
How to remove GandCrab V3 ransomware virus
The GandCrab V3 ransomware virus can hide its components, which makes them difficult to find and delete completely. As a result, after some time the ransomware may once again infect your computer and encrypt your photos, documents and music. Moreover, I want to note that it is not always safe to remove a virus manually if you don’t have much experience in setting up and configuring the Windows operating system. The best way to find and delete the GandCrab V3 ransomware virus is to use the free malicious software removal apps listed below.
Run Zemana Anti-malware to delete GandCrab V3 ransomware virus
You can remove the GandCrab V3 ransomware virus automatically with the help of Zemana Anti-malware. We advise this malicious software removal tool because it can easily remove ransomware, potentially unwanted applications, adware and toolbars with all their components such as folders, files and registry entries.
Now you can set up and run Zemana to get rid of GandCrab V3 from your web browser by following the steps below:
Visit the page linked below to download Zemana Free installer named Zemana.AntiMalware.Setup on your PC. Save it on your Windows desktop.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Run the setup file after it has been downloaded successfully and then follow the prompts to set up this utility on your machine.
During setup you can change certain settings, but we advise that you do not make any changes to the default settings.
When installation is finished, this malware removal tool will automatically launch and update itself. You will see its main window as displayed on the image below.
Now click the “Scan” button to scan your PC system for the GandCrab V3 virus and other security threats. This task can take some time, so please be patient. During the scan Zemana Anti Malware (ZAM) will detect threats present on your system.
When the scan is finished, you’ll be shown the list of all detected items on your computer. Next, press the “Next” button.
Zemana Anti Malware (ZAM) will get rid of the GandCrab V3 virus and other security threats. Once disinfection is done, you may be prompted to reboot your machine to make the changes take effect.
How to remove GandCrab V3 with Malwarebytes
We advise using Malwarebytes Free. You can download and install Malwarebytes to detect and remove the GandCrab V3 ransomware virus from your personal computer. When installed and updated, the free malicious software remover will automatically scan and detect all threats present on the computer.
Visit the following page to download the latest version of MalwareBytes Free for MS Windows. Save it on your Desktop.
Category: Security tools
Update: July 25, 2019
After the download is complete, close all windows on your PC. Then start the file called mb3-setup. If the “User Account Control” dialog box pops up as displayed below, click the “Yes” button.
It will display the “Setup wizard” that will help you install MalwareBytes Free on the personal computer. Follow the prompts and do not make any changes to default settings.
Once installation has finished successfully, press the Finish button. MalwareBytes AntiMalware will then run automatically and you can see its main window as shown in the figure below.
Next, press the “Scan Now” button to start checking your PC for the GandCrab V3 virus and other security threats. This procedure can take some time, so please be patient. While the tool is scanning, you can see the number of objects and files that have already been scanned.
Once the scanning is complete, you can check all threats detected on your machine. Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press the “Quarantine Selected” button.
MalwareBytes AntiMalware will get rid of the GandCrab V3 ransomware virus and other security threats and move the threats to the program’s quarantine. After the process is finished, you may be prompted to reboot your computer. We suggest you look at the following video, which completely explains the procedure of using MalwareBytes Anti Malware (MBAM) to remove browser hijackers, ‘ad supported’ software and other malicious software.
Run KVRT to remove GandCrab V3 ransomware virus from the PC
The KVRT utility is free and easy to use. It can scan for and remove viruses like GandCrab V3, malicious software, PUPs and ‘ad supported’ software in the Firefox, Internet Explorer, Google Chrome and Edge web browsers and thereby restore their default settings (default search engine, start page and new tab). KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the PC.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it to your Desktop so that you can access the file easily.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is finished, double-click on the KVRT icon. Once the initialization procedure is finished, you’ll see the KVRT screen as shown in the following example.
Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to perform a system scan with this utility for the GandCrab V3 ransomware virus and other malicious software. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. When malicious software, ‘ad supported’ software or PUPs are detected, the count of security threats will change accordingly.
Once the checking is finished, Kaspersky virus removal tool will show you the results as displayed in the figure below.
You may delete items (move them to Quarantine) by simply clicking Continue to start a cleaning task.
To sum up
After completing the steps above, your personal computer should be clean of GandCrab V3 ransomware and other malicious software. Your personal computer will no longer encrypt your documents, photos and music. Unfortunately, if the step-by-step tutorial does not help you, then you have caught a new variant of the virus, and the best way forward is to ask for help here.