Infected with GANDCRAB V5.0 Ransomware? Need to decrypt your files?

What is GANDCRAB V5.0 Ransomware

GANDCRAB V5.0 Ransomware (or GandCrab-5, GandCrab v5) is a particularly harmful virus, GandCrab 3 Ransomware successor. Thousands of computers in the world were infected by Gandcrab in September 2018. Ransomware threats usually encrypt user data using AES-256 and RSA-2048 encryption algorithms. Main feature of GANDCRAB 5 Ransomware is:.[five ransom symbols] extension, added to every affected file and unique ransom note(see in chapter below). If your files have .GDCB extension – you can decrypt they, using the decryptor from our article about first generation of Gandcrab. Unfortunately, if your files have .VSVDV suffix, a universal tool capable to restore they doesn’t exist. Other examples of extensions:.fbkdp, .ibagx, .qikka. After a procedure of encryption GandCrab 5 virus starts to create special files where cyber scammers demand a ransom. The reason for ransom is key for decryption. Note: GandCrab removes all shadow copies of your files and restore points by running WMIC.exe (a command shadowcopy delete). Also the virus can operate both when PC/Laptop has the Internet connection and without it.
GANDCRAB V5.0 Ransomware
Cybercriminals offer key for $800 in Bitcoin and Dash cryptocurrency, but in fact, real decryption, of course, is not warrantied. Criminals can trick every victim easily because all their shown contacts allow them to stay anonymous. That’s why we think it’s better to remove GandCrab V5.0 Ransomware and ignore scammers demands. Ransom note VSVDV-DECRYPT.txt file (also Gandcrab 5 can change a wallpaper of the desktop, by creating a pidor.bmp file) contains the following text inside:

---= GANDCRAB V5.0 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .VSVDV
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:>
---------------------------------------------------------------------------------------->
Download Tor browser - hxxps://www.torproject.org/
Install Tor browser
Open Tor Browser
Open link in TOR browser: hxxp://gandcrabmfe6mnef.onion/113737081e857d00
Follow the instructions on this page

----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

Remove GandCrab 5 Ransomware

Every victim also can be redirected to the malicious site, where you can see the following text:

lease turn on javascript!!
DASH
Bitcoin
Promotion code
Payment amount: **********DSH ( $********* )
1 DSH = $******
Buy cryptocurrency DASH. Here you can find services where you can do it.
Send ********* DSH to the address:
Please turn on javascript!!
Attention!
Please be careful and check the address visually after copy-pasting (because there is a probability of a malware on your PC that monitors and changes the address in your clipboard)
If you don't use TOR Browser:
Send a verification payment for a small amount, and then, make sure that the coins are coming, then send the rest of the amount.
We won't take any responsibility if your funds don't reach us
After payment, you will see your transactions below
The transaction will be confirmed after it receives 3 confirmations (usually it takes about 10 minutes)
Transactions list
TX Amount Status
None
This process is fully automated, all payments are instant.
After your payment, please refresh this page and get an opportunity to download GandCrab's Decryptor!

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. Also check following website for possible decryptor: Emsisoft Decryptors.

How GANDCRAB V5.0 Ransomware infected your PC

It spreads through two sets of exploits: RIG EK and GrandSoft EK. GANDCRAB V5.0 Ransomware is also available as RaaS on the cyber underground forums. It can also begin to spread by hacking through an unprotected RDP configuration, using email spam and malicious attachments, fraudulent downloads, web injections, fake updates, repackaged and infected installers. Ransom is asked to be paid in Dash coin, that also makes the task difficult for the police, as the user in this network is often anonymous. Encryption starts in the background. Way to protect your computer from such threats is to use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.

Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the GANDCRAB V5.0 Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to GANDCRAB V5.0 Ransomware – files, folders, registry keys.

 

Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Step 2: Remove following files and folders of GANDCRAB V5.0 Ransomware:

Deactivate following connections with sources:

zaeba.co.uk
www.wash-wear.com
www.rment.in
top-22.ru
tommarmores.com.br
test.theveeview.com
smbardoli.org
simetribilisim.com
sherouk.com
royal.by
relectrica.com.mx
pp-panda74.ru
picusglancus.pl
perovaphoto.ru
ocsp.trust-provider.com
ocsp.int-x3.letsencrypt.org
ocsp.comodoca4.com
oceanlinen.com
www.n2plus.co.th
www.mimid.cz
www.macartegrise.eu
www.lagouttedelixir.com
www.krishnagrp.com
www.ismcrossconnect.com
www.himmerlandgolf.dk
www.groupwine.fr
www.fabbfoundation.gm
www.cakav.hu
www.billerimpex.com
wpakademi.com
vjccons.com.vn
unnatimotors.in
topstockexpert.su

Remove following files and folders:

-DECRYPT.html
%s-DECRYPT.html
%s-DECRYPT.txt
pidor.bmp
CRAB-DECRYPT.txt
XMMFA-DECRYPT.html
QIKKA-DECRYPT.html
KRAB-DECRYPT.html
IBAGX-DECRYPT.html
KRAB-DECRYPT.txt
.exe

How to decrypt files infected by GANDCRAB V5.0 Ransomware (.CRAB files)?

Restore the system using System Restore

system restore

Although latest versions of GANDCRAB V5.0 Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – GANDCRAB V5.0 Ransomware by GandCrab). This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Restore .CRAB files using shadow copies

stellar-data-recovery

  1. Download and run Stellar Data Recovery.
  2. Select type of files you want to restore and click Next.
  3. Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your files from ransomware

The most modern software can protect your data from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach to protect your files from ransomware and lockers. One of the best is SOS Online Backup. The product will automatically find important files, then simply make a daily backup on the remote server. SOS runs quietly and automatically in the background and supports any size and any file type. All SOS apps (desktop AND mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud. You will not lose your important data. Download One Year Plan.

SOS Online Backup

Information provided by Tim Kas

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *