This week, computer security specialists has received reports of yet another ransomware named GANDCRAB V5.0.9. This virus spreads via spam emails and malware files and appends new extension to encrypted files.
The GANDCRAB V5.0.9 is a malicious software which created in order to encrypt documents, photos and music. It hijack a whole computer or its data and demand a ransom in order to unlock (decrypt) them. The creators of the GANDCRAB V5.0.9 virus have a strong financial motive to infect as many personal computers as possible. The files that will be encrypted include the following file extensions:
.hplg, .kdc, .wotreplay, .xf, .rtf, .ptx, .pef, .rw2, .bik, .apk, .ztmp, .arw, .xbplate, .py, .txt, .bkp, .3fr, .csv, .wma, .iwd, .ibank, .fsh, .m4a, .icxs, .xmmap, .srf, .rb, .menu, .cr2, .hkx, .desc, .pem, .wm, .wbmp, .wps, .crt, .xx, .sidd, .1st, .qic, .m3u, .sav, .zi, .wpw, .xdb, .cas, .kf, .mcmeta, .wpl, .zdc, .ods, .y, .ntl, .xml, .xls, .rim, .der, .t13, .wpb, .ybk, .dxg, .odm, .wot, .lvl, .sis, .p12, .odp, .cer, .itdb, .svg, .r3d, .srw, .wbk, .x, .dmp, .cdr, .zip, .ltx, .yal, .webp, .tax, .bc6, .mpqge, .wpd, .xlsx, .vfs0, .big, .fos, .jpeg, .das, .flv, .xls, .wbc, .gdb, .sie, .xyw, .wav, .docx, .1, .pdd, .7z, .zip, .pptm, .xld, .zdb, .xbdoc, .erf, .wdb, .pdf, .sr2, .wire, .doc, .itl, .bar, .xll, .wp, .crw, .ws, .ncf, .wmv, .odb, .esm, .wps, .w3x, .z3d, .db0, .syncdb, .dng, .jpe, .psk, .ysp, .raf, .ff, .wmv, .xy3, .qdf, .wma, .rwl, .mlx, .sql, .pkpass, .tor, .xlsx, .zif, .wsc, .mov, .xmind, .mdf, .mp4, .forge, .wmo, .ppt, .map, .rar, .blob, .avi, .css, .z, .epk, .xlk, .dbf, .m2, .wsd, .wp5, .xpm, .vdf, .iwi, .3ds, .zabw, .zw, .rofl, .ai, .wcf, .mrwref, .bsa, .upk, .odc, .raw, .xlsm, .wpg, .png, wallet, .sid, .p7b, .jpg, .3dm, .xxx, .vcf, .xlgc, .wri, .bay, .xlsm, .mdbackup, .wp4, .x3d, .js, .dba, .bkf, .snx, .lbf, .d3dbsp, .accdb, .lrf, .sb, .mddata, .pfx, .xlsb, .wbd, .mdb, .vtf, .xdl, .litemod, .wbz, .dazip, .x3f, .x3f, .odt, .layout, .vpp_pc, .xwp, .arch00
Once the encryption procedure is finished, it will create a ransom instructions named “USERID-DECRYPT.txt” offering decrypt all users personal files if a payment is made. An example of the ransom instructions is:
---= GANDCRAB V5.0.9 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .USERID The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - h..ps://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: h..p://gandcrabmfe6mnef.onion/da9ad04e1e857d00 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY---
Unfortunately, at this time, victims of the GANDCRAB V5.0.9 ransomware cannot decrypt encrypted personal files without the actual encryption key. But you can follow our tutorial below to detect and remove GANDCRAB V5.0.9 ransomware virus from your PC as well as recover encrypted files for free.
Table of contents
- How to decrypt files encrypted by GANDCRAB V5.0.9
- How to remove GANDCRAB V5.0.9 ransomware
- How to restore files encrypted by GANDCRAB V5.0.9
- How to protect your machine from GANDCRAB V5.0.9 ransomware?
How to decrypt files encrypted by GANDCRAB V5.0.9
The ransom note encourages victim to contact GANDCRAB V5.0.9’s creators in order to decrypt all photos, documents and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins). We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
With some variants of this ransomware virus, it’s possible to use Windows Shadow Copies or file recover utilities to restore photos, documents and music that have been encrypted by GANDCRAB V5.0.9 ransomware. You can use the free tools listed below in the article.
How to remove GANDCRAB V5.0.9 ransomware
Before you start the procedure of recovering files that has been encrypted, make sure GANDCRAB V5.0.9 ransomware is not running. Firstly, you need to get rid of this ransomware permanently. Happily, there are several malicious software removal utilities that will effectively detect and remove GANDCRAB V5.0.9 ransomware virus and other crypto virus malicious software from your computer.
Automatically get rid of GANDCRAB V5.0.9 ransomware with Zemana Anti-malware
Zemana Anti-malware is a utility which can get rid of viruses, adware, potentially unwanted applications, browser hijackers and other malicious software from your computer easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of computer resources.
- Zemana Anti Malware can be downloaded from the following link. Save it on your Desktop.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- When the download is finished, close all apps and windows on your system. Open a file location. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, press Next button and follow the prompts.
- Once setup is complete, click the “Scan” button to perform a system scan with this tool for the GANDCRAB V5.0.9 virus and other malicious software and PUPs. A system scan can take anywhere from 5 to 30 minutes, depending on your PC. When a threat is detected, the number of the security threats will change accordingly. Wait until the the checking is finished.
- Once the system scan is complete, Zemana Free will open a list of found items. In order to remove all items, simply press “Next”. After finished, you can be prompted to restart your machine.
Use MalwareBytes Anti-Malware to remove GANDCRAB V5.0.9 ransomware
Delete GANDCRAB V5.0.9 ransomware virus manually is difficult and often the virus is not fully removed. Therefore, we suggest you to run the MalwareBytes Anti Malware (MBAM) that are fully clean your PC. Moreover, this free application will allow you to get rid of malware, potentially unwanted software, toolbars and ad supported software that your computer may be infected too.
Please go to the following link to download the latest version of MalwareBytes Free for MS Windows. Save it to your Desktop so that you can access the file easily.
Category: Security tools
Update: April 15, 2020
When the downloading process is finished, close all windows on your PC system. Further, launch the file called mb3-setup. If the “User Account Control” prompt pops up as displayed below, click the “Yes” button.
It will display the “Setup wizard” which will help you install MalwareBytes Free on the computer. Follow the prompts and don’t make any changes to default settings.
Once install is done successfully, click Finish button. Then MalwareBytes AntiMalware will automatically start and you may see its main window like below.
Next, click the “Scan Now” button to perform a system scan for the GANDCRAB V5.0.9 ransomware and other malware and potentially unwanted applications. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. When a threat is detected, the number of the security threats will change accordingly. Wait until the the checking is finished.
When the scan get finished, MalwareBytes will show you the results. When you’re ready, click “Quarantine Selected” button.
The MalwareBytes Anti Malware (MBAM) will delete GANDCRAB V5.0.9 ransomware related files, folders and registry keys. Once finished, you can be prompted to reboot your computer. We recommend you look at the following video, which completely explains the procedure of using the MalwareBytes Anti Malware to remove browser hijackers, adware and other malicious software.
Remove GANDCRAB 5.0.9 ransomware with KVRT
KVRT is a free removal utility that can be downloaded and use to delete ransomware viruss, ad-supported software, malware, PUPs, toolbars and other threats from your computer. You can run this utility to look for threats even if you have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop from the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you will see the KVRT screen as displayed in the figure below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button for scanning your computer for the GANDCRAB 5.0.9 ransomware virus and other malicious software. This task may take some time, so please be patient. When a malware, ad supported software or PUPs are found, the number of the security threats will change accordingly.
When the system scan is complete, KVRT will display a scan report like below.
Review the scan results and then click on Continue to begin a cleaning procedure.
How to restore files encrypted by GANDCRAB V5.0.9
In some cases, you can recover files encrypted by GANDCRAB V5.0.9 virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Use shadow copies to restore files encrypted by GANDCRAB V5.0.9 ransomware
In order to recover your documents, photos and music encrypted by the GANDCRAB 5.0.9 ransomware from Shadow Volume Copies you can run a utility named ShadowExplorer. We suggest to use this method as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.
Download ShadowExplorer from the following link.
Category: Security tools
Update: September 15, 2019
Once the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.
Launch the ShadowExplorer tool and then select the disk (1) and the date (2) that you wish to restore the shadow copy of file(s) encrypted by the GANDCRAB V5.0.9 ransomware as displayed in the following example.
Now navigate to the file or folder that you want to recover. When ready right-click on it and click ‘Export’ button as shown below.
Run PhotoRec to restore files encrypted by GANDCRAB V5.0.9
Before a file is encrypted, the GANDCRAB V5.0.9 ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file recover programs such as PhotoRec.
Download PhotoRec from the link below. Save it on your Desktop.
Category: Security tools
Update: March 1, 2018
After the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen as displayed on the screen below.
Select a drive to recover as shown in the following example.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as on the image below.
Click File Formats button and select file types to restore. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, press Browse button to choose where restored photos, documents and music should be written, then press Search.
Count of restored files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed on the screen below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your machine from GANDCRAB V5.0.9 ransomware?
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your machine from GANDCRAB V5.0.9 ransomware virus
Download CryptoPrevent on your Windows Desktop from the following link.
Run it and follow the setup wizard. Once the setup is complete, you’ll be displayed a window where you can choose a level of protection, as shown below.
Now press the Apply button to activate the protection.
To sum up
Now your PC should be clean of the GANDCRAB V5.0.9 virus. Delete MalwareBytes Free and KVRT. We recommend that you keep Zemana Anti-Malware (to periodically scan your computer for new malicious software). Moreover, to prevent ransomware, please stay clear of unknown and third party programs, make sure that your antivirus program, turn on the option to block or detect ransomware.
If you need more help with GANDCRAB V5.0.9 ransomware related issues, go to here.