Infected with Gandcrab v5.0.4 Ransomware? Need to decrypt your files?
What is Gandcrab v5.0.4 Ransomware
Gandcrab v5.0.4 is an updated version of the GANDCRAB V5.0 crypto virus that encrypts user data and requires a ransom. Like previous versions, it encrypts most user files, such as office documents, archives, photos, video, audio and other files. The virus changes the extension of encrypted files to a set of 8 letters and adding to this extensions DECRYPT.txt or DECRYPT.html which at the same time are notes. Thus, an encrypted file will look like this: XTLKNFPQ-DECRYPT.html or XTLKNFPQ-DECRYPT.txt. As it becomes clear, these files become unsuitable for further use. Moreover, Gandcrab v5.0.4 removes shadow copies of files and system restore points to eliminate the possibility of manually decrypting files. Each time you try to open a file, the crypto virus opens a note file containing information about the purchase:
—= GANDCRAB V5.0.4 =—
All your files, documents, photos, databases and other important files are encrypted and have the extension: .YKWKCUGI
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/371525fbc2a9ddd2
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
—BEGIN GANDCRAB KEY—
IAQAADcGuK20868jo rVSSQNHeCNCzn LVthNchP1cchrZ+ZK64yengprthG 1oan 1 BmSjZWIVyseGGDBKUiOnX4NfUDgoNh rthhDaVWAetprp+ystBhHoerAGVbtaprwIXUeKItyFQJUkFlmE+J9/91W3ngfXUDpB13408PijhAwijqUnWNZBMXD4TQrv… [REDACTED] —END GANDCRAB KEY—
—BEGIN PC DATA—
—END PC DATA—
Here’s what the payment page looks like:
As in previous versions, fraudsters of this cryptovirus require a ransom of $ 2,400, and the ransom needs to be made only through the TOR browser and only in cryptocurrency. This is done in order not to leave traces of transactions and minimize risks. Moreover, fraudsters scare the user by saying that the amount of the ransom will increase if you do not pay immediately. Of course this is a trick. No one will ever give you guarantees that scammers will return your files. We in no way recommend that you pay intruders. At the bottom you can see our instructions and try to decrypt your files yourself by removing Gandcrab v5.0.4.
Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. If you want to decrypt your files, please follow our instruction below or, if you have any difficulties, please contact us: firstname.lastname@example.org. We really can help to decrypt your files.
How Gandcrab v5.0.4 infected your PC
Like previous versions of this cryptovirus, Gandcrab v5.0.4 comes, as a rule, without the user’s consent through unprotected network settings. For example, as an attachment in a spam mailing list or as a false update for a program or utility. Be that as it may, we recommend that you familiarize yourself with our guides to try to get rid of Gandcrab v5.0.4 right now and decrypt your files.
First of all, don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Gandcrab v5.0.4 virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
WiperSoft – fully removes all instances of Gandcrab v5.0.4 – files, folders, registry keys.
Restore your files using shadow copies
- Download and run Data Recovery Pro.
- Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
- Choose all files on folder you want to restore and select Restore.
- Choose export location and view restored files.
Step 2: Remove following files and folders of Gandcrab v5.0.4:
Related connections or other entries:
How to decrypt files infected by Gandcrab v5.0.4?
You can try to use manual methods to restore and decrypt your files.
Decrypt files manually
Restore the system using System Restore
Although latest versions of Gandcrab v5.0.4 remove system restore files, this method may help you to partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
Protect your computer from ransomware
Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.
Written by Rami Douafi