Infected with GANDCRAB V3 Ransomware? Need to decrypt your files?
What is GANDCRAB V3 Ransomware
GANDCRAB V3 (or GandCrab-3) is a new version of most dangerous virus GandCrab Ransomware. Thousands of computers in the world were infected by Gandcrab in 2018. Most of the victims cannot recover lost data, despite all efforts. Ransomware threats usually encrypt user data using AES-256 and RSA-2048 encryption algorithms and demand a ransom for decryption. Main features of GANDCRAB 3 Ransomware are:.CRAB extension to every affected file and unique ransom note(see below). If your files have .GDCB extension – you can decrypt they, using the decryptor from our article about first generation of Gandcrab. Unfortunately, if your files have .CRAB suffix, a universal tool capable to restore they doesn’t exist. Cybercriminals (we think, that they are from Romania) offer to purchase decryption key for ~$400 in Dash cryptocurrency, but real decryption is not warrantied. Ransom note CRAB-DECRYPT.txt file can change a wallpaper of the desktop and contains the following text inside:
---= GANDCRAB V3 =---
All your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
0. Download Tor browser - https://www.torproject.org/
1. Install Tor browser
2. Open Tor Browser
3. Open link in TOR browser:
4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
The alternative way to contact us is to use Jabber messanger. Read how to:
0. Download Psi-Plus Jabber Client: https://psi-im.org/download/
1. Register new account: http://sj.ms/register.php
0) Enter "username": 96aecc225e5f48c0
1) Enter "password": your password
2. Add new account in Psi
3. Add and write Jabber ID: email@example.com any message
4. Follow instruction bot
It is a bot! It's fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.
You can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Do not try to modify files or use your own private key. This will result in the loss of your data forever!
*CAUGHTION! – may be error in “CAUTION!”
Gandcrab V3 can code all pictures, photos, videos, databases, documents, tables and other files. Also, the virus can deactivate restore points, and remove shadow copies. Despite these features, the main method to restore files is restoring hidden copies. Some users reported, that they successfully restored a part of lost data by Data Recovery PRO. But first, try to remove GANDCRAB V3 Ransomware and decrypt .CRAB files manually, using our article.
Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. Also check following website for possible decryptor: Emsisoft Decryptors.
How GANDCRAB V3 Ransomware infected your PC
It spreads through two sets of exploits: RIG EK and GrandSoft EK. GANDCRAB V3 Ransomware is also available as RaaS on the cyber underground forums. It can also begin to spread by hacking through an unprotected RDP configuration, using email spam and malicious attachments, fraudulent downloads, web injections, fake updates, repackaged and infected installers. Ransom is asked to be paid in Dash coin, that also makes the task difficult for the police, as the user in this network is often anonymous. Encryption starts in the background. Way to protect your computer from such threats is to use antiviruses with crypto-protection like HitmanPro.Alert with CryptoGuard.
Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the GANDCRAB V3 Ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to GANDCRAB V3 Ransomware – files, folders, registry keys.
*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.
Step 2: Remove following files and folders of GANDCRAB V3 Ransomware:
Deactivate following connections:
Psi-Plus Jabber Client: firstname.lastname@example.org (18.104.22.168 TTL:149 Brazil)
carder.bit (22.214.171.124:80 USA)
xxxx://ipv4bot.whatismyipaddress.com (126.96.36.199 TTL:299 USA)
Remove following files and folders:
How to decrypt files infected by GANDCRAB V3 Ransomware (.CRAB files)?
Restore the system using System Restore
Although latest versions of GANDCRAB V3 Ransomware remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – GANDCRAB V3 Ransomware by GandCrab). This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
Restore .CRAB files using shadow copies
- Download and run Stellar Data Recovery.
- Select type of files you want to restore and click Next.
- Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
- Once the scanning process is done, click Recover to restore your files.
Protect your files from ransomware
Most modern software can protect your data from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach to protect your files from ransomware and lockers. One of the best is SOS Online Backup. The product will automatically find important files, then simply make a daily backup on the remote server. SOS runs quietly and automatically in the background and supports any size and any file type. All SOS apps (desktop AND mobile) encrypt files using UltraSafe 256-bit AES before transferring them to the cloud. You will not lose your important data. Download One Year Plan.
Information provided by Tim Kas