
MyAntiSpyware


How to remove .KRAB virus – Restore .KRAB files

Myantispyware team July 10, 2018    

What is the .KRAB virus? Computer security researchers discovered a new variant of GandCrab ransomware, which has been named the .KRAB virus. It appends the .KRAB extension to encrypted file names. This article covers what you need to know about this ransomware, how to remove the .KRAB virus from your PC and how to restore encrypted photos, documents and music for free.

KRAB virus

The .KRAB virus is malware created to encrypt photos, documents and music. It hijacks a whole machine or its data and demands a ransom to unlock (decrypt) them. The authors of the .KRAB virus have a strong financial motive to infect as many PCs as possible. Files with the following extensions will be encrypted:

.zi, .qic, .litemod, .xdl, .ws, .hplg, .sie, .sr2, .rwl, .pef, .wmo, .wb2, .png, .upk, .rw2, .wma, .crw, .raw, .mcmeta, .avi, .mrwref, .wpd, .srw, .bar, .mdbackup, .ybk, .orf, .x3d, .xmmap, .xml, .snx, .sid, .wbd, .xyp, .xyw, .d3dbsp, .mlx, .vpp_pc, .erf, .rar, .wpe, .wpb, .vpk, .webp, .wp, .x, .wmf, .svg, .rim, .y, .wbm, .ztmp, .rgss3a, .dmp, .ppt, .m4a, .js, .ptx, .zdb, .db0, .wotreplay, .doc, .fos, .hvpl, .ibank, .zw, .sum, .pptx, .pkpass, .wbc, .jpe, .icxs, .py, .xlgc, .pdd, .psk, .arw, .xlsm, .wm, .pfx, .yml, .x3f, .m2, .srf, .wire, .tor, .w3x, .wbz, .itm, .3ds, .odp, .hkdb, .dng, .pdf, .slm, .jpg, .xls, .txt, .ysp, .wp5, .webdoc, .bik, .xbplate, .mdf, .layout, .itdb, .wn, .fpk, .sb, .sav, .odc, .docx, .pptm, .hkx, .forge, .bc6, .odm, .ltx, .wri, .wsd, .xls, .wot, .xy3, .ntl, .wpw, .pem, .dbf, .xx, .xpm, .3dm, .kdc, .zabw, .dwg, .xlk, .mpqge, .bkp, .bc7, .jpeg, .desc, .raf, .wpt, .epk, .yal, .wmd, .xxx, .indd, .psd, .p12, .iwi, .wmv, .xdb, .mdb, .ai, .odb, .asset, .eps, .zdc, .cr2, .1st, .wp7, .kf, .vcf, .qdf, .menu, .csv, .lbf, .wpg, .big, .mddata, .wmv, .mp4, .m3u, .xar, .z3d, .cas, .arch00, .gdb, .wpd, .ncf, .dba, .x3f, .dazip, .map, .wav, .1, .bkf, .t12, .pst, wallet, .blob, .docm, .xlsb, .r3d, .xlsx, .re4, .z, .wsh, .ff, .flv, .xlsm, .esm, .kdb, .sql, .accdb, .vfs0, .mov, .xwp, .sidd, .wp4, .nrw, .zip, .cdr, .ods, .wbmp, .lrf, .rb, .wcf, .pak, .dxg, .itl, .rtf, .wdb, .2bp, .rofl, .mef, .xmind, .t13, .vtf, .das, .wps, .wma, .p7b

When the ransomware encrypts a file, it adds the .KRAB extension to it. Once the ransomware has finished encrypting all files, it drops a file called “KRAB-DECRYPT.txt” containing a ransom message with instructions on how to decrypt the photos, documents and music. An example of the ransom note is:

—= GANDCRAB V4 =—

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

———————————————————————————-
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/
| 4. Follow the instructions on this page
———————————————————————————-

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION !

IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

— BEGIN GANDCRAB KEY —

If your photos, documents and music have been encrypted by the .KRAB virus, we suggest that you do not pay the ransom. If this malicious software makes money for its makers, your payment will only increase attacks against you. Of course, decryption without the private key is not possible, but that does not mean that the .KRAB virus must seriously disrupt your life. The free tools listed below will be able to find and get rid of this virus and prevent any further damage. After that you can restore encrypted personal files from their Shadow Copies or by using a file restore tool.

Unfortunately, at this time, victims of the .KRAB virus cannot decrypt encrypted files without the actual encryption key. But you can use our tutorial below to detect and remove .KRAB virus from your personal computer as well as restore encrypted personal files for free.
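The naming scheme described above (a .KRAB suffix appended to each file name, plus a KRAB-DECRYPT.txt note) makes it possible to inventory the damage before attempting recovery. The following Python script is an added example, not part of the original article; the function names and the sample file tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".krab"        # extension named in this article (matched case-insensitively)
RANSOM_NOTE = "krab-decrypt.txt"  # ransom note file name named in this article


def inventory(root):
    """Walk `root` and collect encrypted files, ransom notes and original file types."""
    encrypted, notes, by_type = [], [], Counter()
    # onerror swallows unreadable directories so one access error does not stop the scan
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # "report.docx.KRAB" -> original name "report.docx", type ".docx"
                original = Path(name[: -len(ENCRYPTED_SUFFIX)])
                by_type[original.suffix.lower() or "(none)"] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_type": by_type}


def build_sample_tree(base):
    """Constructed sample data: empty files that only mimic the naming scheme."""
    layout = [
        "Documents/report.docx.KRAB", "Documents/budget.xlsx.krab",
        "Documents/KRAB-DECRYPT.txt", "Pictures/cat.jpg.KRAB",
        "Pictures/KRAB-DECRYPT.txt", "Pictures/untouched.png",
    ]
    for rel in layout:
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return base


def demo():
    """Run the inventory over the constructed tree and summarise the result."""
    with tempfile.TemporaryDirectory() as tmp:
        result = inventory(build_sample_tree(tmp))
        return len(result["encrypted"]), len(result["notes"]), dict(result["by_type"])


if __name__ == "__main__":
    count, note_count, types = demo()
    print(f"{count} encrypted files, {note_count} ransom notes, original types: {types}")
```

The per-type counts show which original file formats were hit, which helps when choosing what to look for in Shadow Copies or which formats to enable in a file restore tool.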

Table of contents

  1. What is KRAB file
  2. How to decrypt .KRAB files
  3. How to remove .KRAB virus
    • Remove .KRAB virus with Zemana Anti-malware
    • Run Malwarebytes to remove KRAB virus
    • Scan and clean your personal computer of virus with KVRT
  4. Recovering files encrypted with .KRAB virus
    • Restore .KRAB encrypted files using Shadow Explorer
    • Run PhotoRec to restore .KRAB files
  5. How to prevent your computer from becoming infected by .KRAB virus?
    • Use CryptoPrevent to protect your PC from .KRAB virus
  6. Finish words

How to decrypt .KRAB files

Currently there is no available way to decrypt .KRAB files, but you have a chance to restore encrypted personal files for free. The ransomware uses a new SALSA encryption mode, which means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the creators of the .KRAB virus the entire amount requested is the only way to try to get the decryption key and decrypt all your files.

There is absolutely no guarantee that, after you pay a ransom to the developers of the .KRAB virus, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new ransomware.

How to remove .KRAB virus

The .KRAB virus can hide its components, which makes them difficult to find and remove completely. As a result, after some time the virus may once again infect your PC and encrypt your photos, documents and music. Moreover, it is not always safe to get rid of a ransomware virus manually if you do not have much experience in setting up and configuring the MS Windows operating system. The best way to find and remove the .KRAB virus is to run the free malicious software removal apps listed below.




Remove .KRAB virus with Zemana Anti-malware

You can remove the .KRAB virus automatically with the help of Zemana Anti-malware. We suggest this malicious software removal tool because it can easily remove ransomware viruses, potentially unwanted programs, ad-supported software and toolbars with all their components such as folders, files and registry entries.

Now you can install and use Zemana Anti Malware to remove .KRAB virus from your internet browser by following the steps below:

Please go to the following link to download Zemana AntiMalware (ZAM) installation package called Zemana.AntiMalware.Setup on your machine. Save it on your Microsoft Windows desktop.

Zemana AntiMalware
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Start the setup package after it has been downloaded successfully and then follow the prompts to set up this utility on your PC.

Zemana AntiMalware SetupWizard

During installation you can change certain settings, but we suggest you do not make any changes to default settings.

When installation is done, this malicious software removal utility will automatically start and update itself. You will see its main window like below.

Now click the “Scan” button. Zemana Free will start scanning the whole computer to find .KRAB virus related files, folders and registry keys. This task can take some time, so please be patient.

Zemana Free search for .KRAB virus and other malware and potentially unwanted applications

After the scan is complete, Zemana Anti-Malware (ZAM) will show you the results. Next, press the “Next” button.

Zemana scan is finished

Zemana will delete the .KRAB virus related files, folders and registry keys. After the clean-up is done, you may be prompted to reboot your PC for the changes to take effect.

Run Malwarebytes to remove KRAB virus

Removing the .KRAB virus manually is difficult, and often the virus is not completely removed. Therefore, we advise you to run Malwarebytes Free, which will completely clean your computer. Moreover, this free program will allow you to get rid of malicious software, potentially unwanted software, toolbars and ad-supported software that your computer may also be infected with.

Download MalwareBytes from the link below.

Malwarebytes Anti-malware
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

Once the download is done, close all applications and windows on your personal computer. Double-click the install file called mb3-setup. If the “User Account Control” dialog box pops up as shown below, click the “Yes” button.

MalwareBytes for MS Windows uac dialog box

It will open the “Setup wizard” that will help you install MalwareBytes on your computer. Follow the prompts and do not make any changes to default settings.

MalwareBytes Free for Windows set up wizard

Once setup is finished successfully, press Finish button. MalwareBytes Free will automatically start and you can see its main screen as displayed on the screen below.

MalwareBytes AntiMalware for Microsoft Windows

Now click the “Scan Now” button. MalwareBytes will scan the whole PC for the .KRAB virus and other malicious software and PUPs. This procedure may take quite a while, so please be patient. When a threat is detected, the number of security threats shown will change accordingly.

MalwareBytes Anti-Malware (MBAM) for Windows scan for .KRAB virus and other kinds of potential threats like malware and PUPs

After MalwareBytes completes the scan, it will open a list of all items detected by the scan. To remove all threats, simply click the “Quarantine Selected” button. MalwareBytes will remove the .KRAB virus related files, folders and registry keys and move the items to the program’s quarantine. When the procedure is finished, you may be prompted to reboot the computer.

MalwareBytes AntiMalware (MBAM) for Windows restart prompt


Scan and clean your personal computer of virus with KVRT

KVRT is a free portable application that scans your computer for adware, PUPs and ransomware such as GandCrab V4 and helps remove them easily. Moreover, it will also help you get rid of any malicious internet browser extensions and add-ons.

Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it directly to your MS Windows Desktop.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

When the download is finished, double-click on the KVRT icon. Once initialization process is done, you will see the Kaspersky virus removal tool screen like below.

KVRT main window

Click Change Parameters and check all your drives. Press OK to close the Parameters window. Next, click the Start scan button to look for the .KRAB virus and other known infections. While KVRT is scanning, you can see the count of objects it has identified as malicious software.

Kaspersky virus removal tool scanning

Once finished, you will be shown the list of all items found on your PC, as in the image below.

KVRT scan report

You may remove threats (move them to Quarantine) by simply clicking Continue to start the cleaning task.

Recovering files encrypted with .KRAB virus

In some cases, you can recover files encrypted by the .KRAB virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.




Restore .KRAB encrypted files using Shadow Explorer

A free utility named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Windows 10 (8, 7, Vista). You can restore documents, photos and music encrypted by the .KRAB virus from Shadow Copies for free.

ShadowExplorer can be downloaded from the following link. Save it to your Desktop.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

When the downloading process is done, extract the saved file to a folder on your personal computer. This will create the necessary files as shown in the figure below.

ShadowExplorer folder

Run the ShadowExplorerPortable program. Now choose the date (2) that you want to recover from and the drive (1) you want to restore files (folders) from as shown in the figure below.

recover encrypted files with ShadowExplorer utility

In the right panel, navigate to the file (folder) you wish to recover. Right-click the file or folder and click the Export button as displayed in the figure below.

ShadowExplorer restore .KRAB files

And finally, specify a folder (your Desktop) to save the shadow copy of the encrypted file to and press the ‘OK’ button.

Run PhotoRec to restore .KRAB files

Before a file is encrypted, the .KRAB virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore programs like PhotoRec.

Download PhotoRec on your machine by clicking on the link below.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

After the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the image below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen as displayed in the figure below.

PhotoRec for windows

Select a drive to recover as displayed in the figure below.

photorec select drive

You will see a list of available partitions. Select a partition that holds encrypted files as displayed in the figure below.

photorec select partition

Click the File Formats button and specify the file types to restore. You can enable or disable the restore of certain file types. When this is finished, press the OK button.

PhotoRec file formats

Next, press Browse button to select where recovered documents, photos and music should be written, then press Search.

photorec

The count of restored files is updated in real time. All restored photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.

When the restore is done, press the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents as displayed in the image below.

PhotoRec - result of recovery

All restored personal files are written to recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your recovered files by extension and/or date/time.

How to prevent your computer from becoming infected by .KRAB virus?

Most antivirus applications already have a built-in protection system against ransomware. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.

Use CryptoPrevent to protect your PC from .KRAB virus

Download CryptoPrevent from the link below.

www.foolishit.com/download/cryptoprevent/

Run it and follow the setup wizard. Once the installation is finished, you’ll be shown a window where you can select a level of protection, as in the image below.

CryptoPrevent

Now press the Apply button to activate the protection.

Finish words

Now your computer should be free of the .KRAB virus. Uninstall MalwareBytes AntiMalware (MBAM) and KVRT. We advise that you keep Zemana AntiMalware (to periodically scan your computer for new malicious software). Moreover, to prevent infection, please stay clear of unknown and third-party programs and make sure that the option to stop or search for ransomware is turned on in your antivirus program.

If you need more help with .KRAB virus related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

2 Comments

  1. HarleyQuinn420
    ― September 23, 2018 - 11:30 pm

    Tried Malwarebytes Premium and restarted my PC and lo and behold I STILL see KRAB decoder on my desktop. I did a rescan with it and it came up with nothing. Now I’m terrified to open any music or pic file with KRAB marked on it. HELP!!

  2. Patrik (Myantispyware admin)
    ― September 24, 2018 - 12:43 am

    Try Kaspersky virus removal tool, it should detect and remove KRAB ransomware.
