Infected with GandCrab Ransomware? Need to decrypt your files?

What is GandCrab Ransomware

GandCrab is crypto ransomware encrypts user data using AES-256 (CBC mode) encryption algorithm and RSA-2048 for the key, and then demands a ransom of 1-3 Dash (crypto-currency) to buy GandCrab Decryptor from extortionists and restore files. Ransomware targets countries of Western Europe and South Korea. GandCrab Ransomware appends .GDCB extension to encrypted files. If your files have .CRAB extension, see our article about another version of Gandcrab 2.0 Ransomware. After finishing encryption process virus creates GDCB-DECRYPT.txt file with following content:

---= GANDCRAB =---
Attention!
All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page
If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:
1. http://gdcbghvjyqy7jclk.onion.top/[id]
2. http://gdcbghvjyqy7jclk.onion.casa/[id]
3. http://gdcbghvjyqy7jclk.onion.guide/[id]
4. http://gdcbghvjyqy7jclk.onion.rip/[id]
5. http://gdcbghvjyqy7jclk.onion.plus/[id]
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
DANGEROUS!
Do not try to modify files or use your own private key - this will result in the loss of your data forever!

GandCrab Ransomware stimulates users to pay the ransom by giving limited time period, after the end of which ransom amount doubles. This malware also detects existence of popular antiviruses and ransomware protection tools to avoid detection. We strongly recommend not to pay any money to malefactors. Try instructions below to remove GandCrab Ransomware and decrypt .GDCB files. If you won’t succeed in decoding, just preserve essential files to the time decryptor appears.

GandCrab Ransomware
gdcb encrypted files

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. Also check following website for possible decryptor: Emsisoft Decryptors.

How GandCrab Ransomware infected your PC

It spreads through two sets of exploits: RIG EK and GrandSoft EK. GandCrab Ransomware is also available as RaaS on the cyber underground forums. It can also begin to spread by hacking through an unprotected RDP configuration, using email spam and malicious attachments, fraudulent downloads, web injections, fake updates, repackaged and infected installers. Ransom is asked to be paid in Dash coin, that also makes the task difficult for the police, as the user in this network is often anonymous. Encryption starts in the background. Way to protect your computer from such threats is to use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.

First of all, don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the GandCrab Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to GandCrab Ransomware – files, folders, registry keys.

 

Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Step 2: Remove following files and folders of GandCrab Ransomware:

Remove following registry entries:

no information

Remove following files and folders:

GDCB-DECRYPT.txt
GandCrab.exe
nslookup.exe
apaluj.exe
kpmbri.exe
GandCrab Decryptor.exe

How to decrypt files infected by GandCrab Ransomware (.GDCB files)?

Use automated decryption tools

Norton decryptor for gandcrab ransomware

There is ransomware decryptor from BitDefender that can decrypt .GDCB files. It is free and may help you restore .GDCB files encrypted by GandCrab Ransomware virus. Download it here:

Download GandCrab Decryptor

You can also try to use manual methods to restore and decrypt .GDCB files.

Decrypt .GDCB files manually

Restore the system using System Restore

system restore

Although latest versions of GandCrab Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – GandCrab Ransomware by GandCrab Ransomware). This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Restore .GDCB files using shadow copies

shadow explorer gui

  1. Download and run Shadow Explorer.
  2. Select the drive and folder where your files are located and date that you want to restore them from.
  3. Right-click on folder you want to restore and select Export.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your computer from ransomware

hitmanpro alert with cryptoguard

Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.

Download HitmanPro.Alert with CryptoGuard

Information provided by: Alexey Abalmasov

Leave a Reply

Your email address will not be published. Required fields are marked *