Infected with GANDCRAB 4 Ransomware? Need to decrypt your files?

What is GANDCRAB 4 Ransomware

Gandcrab 4 is the newest version of most dangerous PC virus GANDCRAB RANSOMWARE. Unfortunately, the virus codes users files and adds new .KRAB extension (without any permission) by the most advanced algorithms of encryption AES-256 and RSA-2048(CBC), Salsa20, which made infected files undecryptable without special code. Users just lose their important files. Gandcrab 4 can encrypt pictures and photos with different extensions, all videos, databases, document file, for example, PDF, DOC, XLS. Also, Gandcrab 4 removes all shadow copies and restore points. Despite this fact, the main method to decrypt .Krab files is restoring by special recovering software(see below in our article). Some users reported, that they successfully restored a part of lost data by Data Recovery PRO.
You should try to remove Gandcrab 4 ransomware and restore .krab files. Also, we recommend going to the police, sometimes cyber scammers are caught by Interpol. Our recommendation is not to pay anything to hackers (they demand $1200 in BTC or in DASH for decryption keys). The previous version of Gandcrab become decryptable after a good work of Romanian Police. Gandcrab 4 Ransomware creates Ransome notes, called KRAB-DECRYPT.txt with the following text:

Gandcrab 4 ransomware

--= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: ***
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
*************************************
---END GANDCRAB KEY---
---BEGIN PC DATA---
*************************************************==
---END PC DATA---

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. Also check following website for possible decryptor: Emsisoft Decryptors.

Previous versions of Gandcrab 4 ransomware

If your files have .CRAB or .GDCB extensions, your PC may be infected by previous versions of Gandcrab. Some of them already became decryptable. Please see useful information in our earlier articles:

1. How to remove GANDCRAB V3 Ransomware and decrypt .CRAB files
2. How to remove GandCrab2 Ransomware and decrypt .crab files
3. How to remove GandCrab Ransomware and decrypt .GDCB files

How GANDCRAB 4 Ransomware infected your PC

It spreads through two sets of exploits: RIG EK and GrandSoft EK. GANDCRAB 4 Ransomware is also available as RaaS on the cyber underground forums. It can also begin to spread by hacking through an unprotected RDP configuration, using email spam and documents malicious attachments, fraudulent downloads. Ransom is asked to be paid in Bitcoin or in Dash. Encryption starts in the background. Way to protect your computer from such threats is to use antiviruses with crypto-protection and backup service like HitmanPro.Alert with CryptoGuard. Also you can check our article below, we will try to describe all methods helping to prevent Ransomware infiltration.

Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the GANDCRAB 4 Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Try SpyHunter

SpyHunter is a powerful tool that is able to keep your Windows clean. It would automatically search out and delete all elements related to malware. It is not only the easiest way to eliminate malware but also the safest and most assuring one. The full version of SpyHunter costs $42 (you get 6 months of subscription). By clicking the button, you agree to EULA and Privacy Policy. Downloading will start automatically.

Download SpyHunter

for windows

Try Stellar Data Recovery

Stellar Data Recovery is one of the most effective tools that can recover lost and corrupted files — documents, emails, pictures, videos, audio files, and more — on any Windows device. The powerful scan engine can detect compromised files and finally save them to specified destination. Despite its advancedness, it’s very concise and simple so that even the most inexperienced user can figure it out.

Download Stellar Data Recovery

Try MailWasher

Email security is the first line of defense against ransomware viruses. To do this, we recommend that you use MailWasher. MailWasher blocks ransomware viruses coming through spam and phishing, and automatically detects malicious attachments and URLs. In addition, malicious messages can be blocked even before the recipient opens them. Since the main source of the spread of ransomware viruses are infected emails, antispam significantly reduces the risk of a virus appearing on your computer.

Download MailWasher

Step 2: Remove following files and folders of GANDCRAB v4 Ransomware:

Related connections:

(Tor-URLs): gandcrab2pie73et.onion
Psi-Plus Jabber Client: ransomware@sj.msns1.wowservers.ru (189.75.183.21 TTL:149 Brazil)
ransomware.bit
carder.bit (66.171.248.178:80 USA)
xxxx://ipv4bot.whatismyipaddress.com (66.171.248.178 TTL:299 USA)
94.249.60.127:53 Jordan
xxxx://financialbroker.gq/***
xxxx://rated.dadsrnp.xyz/***
xxxx://gandcrabmfe6mnef.onion
xxxx://gandcrabmfe6mnef.onion/6361f798c4ba3647
xxxx://terrapersonas.com/readme.php
xxxx://china029.com/j.php
www.cakav.hu
www.mimid.cz
xxxx://6chen.cn
xxxx://acbt.fr
xxxx://alem.be
xxxx://apps.identrust.com
xxxx://big-game-fishing-croatia.hr
xxxx://boatshowradio.com
xxxx://dna-cp.com
xxxx://h5s.vn
xxxx://marketisleri.com
xxxx://nesten.dk
xxxx://oceanlinen.com
xxxx://prosaledom.su/
xxxx://tommarmores.com.br
xxxx://wpakademi.com/
xxxx://www.billerimpex.com/
xxxx://www.fabbfoundation.gm
xxxx://www.lagouttedelixir.com
xxxx://www.macartegrise.eu/
xxxx://www.n2plus.co.th
xxxx://www.poketeg.com
xxxx://www.toflyaviacao.com.br

Related files and folders:

GDCB-DECRYPT.txt
GandCrab.exe
nslookup.exe
apaluj.exe
kpmbri.exe
GandCrab Decryptor.exe
jin.exe
kiqdsc.exe
kssbel.exe
Crack_Ghost_Mouse_Auto_Clicker.exe
1.exe

How to decrypt files infected by GANDCRAB 4 Ransomware (.KRAB files)?

Restore the system using System Restore

system restore

Although latest versions of GANDCRAB 4 Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – GANDCRAB 4 Ransomware by GandCrab). This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Restore .KRAB files using shadow copies

stellar-data-recovery

  1. Download and run Stellar Data Recovery.
  2. Select type of files you want to restore and click Next.
  3. Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your files from ransomware

Most modern software can protect your data from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach to protect your files from ransomware and lockers. One of the best is SOS Online Backup. The product will automatically find important files, then simply make a daily backup on the remote server. SOS runs quietly and automatically in the background and supports any size and any file type. All SOS apps (desktop AND mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud. You will not lose your important data. Download One Year Plan.

SOS Online Backup

Information provided by Tim Kas

Leave a Reply

Your email address will not be published. Required fields are marked *