GandCrab Ransomware Removal – Restore .GDCB Files
THREAT REMOVAL

GandCrab Ransomware Removal – Restore .GDCB Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by GandCrab and other threats.
Threats such as GandCrab may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

GandCrab ransomware image

Our GandCrab ransomware removal guide shows how computer users can restore their computers from the dangerous virus. It alters important settings on the system, encrypts sensitive data with the .GDCB extension and can lead to further infections. Read our in-depth article to learn more about it.

Threat Summary

NameGandCrab
TypeRansomware, Cryptovirus
Short DescriptionThe GandCrab ransomware is a dangerous virus that assigns the .GDCB extension to the compromised files. The victim’s system is also modified and additional malware can be instituted in them.
SymptomsThe victims will notice that a large portion of their data is going to be encrypted with a powerful cipher and renamed using a template extension. They may also experience significant performance issues, application failure and other types of damage.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by GandCrab

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss GandCrab.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

GANDCRAB – Update October 2018 – Free Decryption is Now Available

Researchers have successfully made a breakthrough with GandCrab ransomware and have developed a decryption tool for all versions of GandCrab ransomware. Following these developments, we have published instructions on how to decrypt GandCrab encrypted files for free, which you can find in the related article below:

Related:
How to decrypt files, encrypted by GandCrab ransomware for free, using the BitDefender GandCrab Decryptor? Instructions for GANDCRAB v1, v2, v3, v4 and v5.
GandCrab Ransomware – Decryption Instructions

GandCrab Ransomware – Update April 2018

A new version of GandCrab ransomware has been released with a much higher infection rate. The new version is using the .CRAB file extension and currently files enciphered by it cannot be decrypted. It has been reported to be spread via spam e-mails carrying 7z archives, pretending to be PDF documents, but in fact containing .js infection files with the same names inside. More information on the latest version of GandCrab ransomware can be found on the related article link underneath:

Related:.CRAB Files Virus – How to Remove GandCrab v2 and Restore Data

GandCrab Ransomware – Update

Update! A decryption tool is now available for the GandCrab ransomware! The tool was created by malware researchers from BitDefender and can be downloaded from the following link, inside an .exe file: GandCrab Decryption Tool.

GandCrab Ransomware – Ways of Distribution

The GandCrab Ransomware can be delivered using different strategies according to the hackers configuration and the computer targets. One of the most common methods is the use of email spam messages. They are creating in bulk and tend to use templates and common social engineering scenarios in order to convince the victims into interacting with the malware component. The operators can utilize file attachments that are disguised as legitimate utilites and important software. In other cases hyperlinks can be inserted in the body contents. As the hacker templates usually model popular web services the links themselves are masked as password reset links, confirmation messages or other typical redirects. The email messages can also contain other threats such as links or attachments with malware software installers. The are hacker-modified installers taken from the official vendors and modified to include the GandCrab Ransomware code. In certain cases the victims may be able to disallow the infection by unchecking certain options during the setup process.

In recent times it has become very popular for computer criminals to craft malware sites in order to deliver ransomware infections like the GandCrab virus. They are made using template engines that mimic well-known search engines and download portals. In some configurations the malware is delivered through site interaction via specific parts or by clicking on banners, links, ads and etc.

If the sites attempt to look like download portals they may offer infected documents that are also being distributed via e-mail messages. They can be of different types including rich text documents, spreadsheets and presentations. Once the victims open them up a notifcation prompt appears which asks them to enable the built-in macros (scripts). If this is done the infection follows.

Another method that is frequently used is the distribution of browser hijackers. They represent malware browser plugins that feature complex behavior patterns. They can alter important settings (default home page, search engine and new tabs page), as well as directly deliver malware threats to the victims.

Finally exploit kits can automatically test the targets for software vulnerabilities. If such are identified then the computers are penetrated and the GandCrab ransomware is installed onto them.

Computer security researchers have revealed some of the domains that spread GandCrab infections.WARNING! They are posted for information purposes only, do not interact with these domains! When they are opened a ZIP will be downloaded that includes a JavaScript code which leads to the actual GandCrab virus infection. The scripts include 3 payload URLs, this is a common technique among advanced viruses. If the primary site goes down a mirror copy is always accessible. The current list includes the following addresses:

kepran.com, a-bricks.com, acelloria.com, abacustraining.com, a1fleetds.com, abacpayag.com, abchello.com
ablogabouticeland.com, a-fortunate-world.com, aceyz.com, academydf.com, acetechpng.com, acadekicks.com
acetechpng.com, aceroprojects.com, accelotech.com, accentflooringmn.com, aceroscampollano.com, , cencarbonfiber.com, accidentvictimservices.com, acces-info-communication.com, 86displays.com, 8hoursfromchicago.com, 9l0-518.com, 757sellfast.com, xn--m3cdha3exabl1bc9a7s.com, xn--m3cdbhk1b5e7a7d8h.com,
xn--m3cafj0bn1czac5bza9lme7b.com, xn--m3cdhe8bb0cv5ag4c8a8p.com, xn--12caqf7l9a2cb0dwddc0gual.com, xn--12cl3chah7dk7c6f5ae5gue.com, xn--72c1afja3d9cezh4w.com, xperjeans.com, xxcrossconcept.com, xploresydney.com
xueshengshi.com, wstfab.com, wincoair.com, wiquitous.com, wesingyou.com, world-concierge.com, windycitypizzakitchens.com, zxytcjj.com, zhwq1216.com, zichabowling.com, zambellimagali.com, zebra-zone.com,
yapaymesane.com, yannatravelsandeats.com, yotuba6480.com, youngstownautocredit.com

For security reasons we have masked the full URL’s to the script redirects.

GandCrab Ransomware – In-Depth Description

The captured GandCrab ransomware samples have been found to follow a very complex attack behavior. Upon infection it starts the sequence by attempting to bypass security software. This is done by actively scanning the infected computer for sandboxes, virtual machines and debuggers. In most cases ransomware strains bypass or delete them. If they are unable to do so they can delete the virus itself to avoid detection.

During the initial setup the malware engine scans for the presence of the following security applications and vendors:

  • Avast
  • Avira
  • Comodo
  • ESET NOD 32
  • F-Secure
  • Kaspersky
  • McAfee
  • Microsoft
  • Norton/Symantec
  • Panda
  • Trend Micro

The next step would be to launch information gathering option. It aims to extract as much data as possible that is being categorized into two main types. The first type is related to the anonymous metrics which are collected by the criminals to judge how effective the attack campaign is. Example data includes the operating system version, installed software and other related information. What’s more worrying is the fact that many of these virus strains also harvest personally-identifiable data which can directly expose the victims identity. The engine executes a deep system scan that can retrieve values and strings that include information such as their name, address, telephone number, preferences, interests and etc.

Once these two steps have complete the ransomware engine proceeds by concealing itself from the system. This means that if the system administrators execute a manual scan they may not be able to find out that there is an ongoing infection. At this point other security software have already been disabled and the GandCrab ransomware can freely execute any of its built-in modules. The security analysis reveals that it is based on a modular framework that allows it to be updated further with new components with every new release.

It can connect to a hacker-controlled server using a secure connection. It allows the hacker controllers to execute arbitrary commands and infect the system with additional threats. In many cases advanced ransomware like this one can also deliver a Trojan instance that allows the hacker operators to constantly spy on the victims as well as take over control of their machines at any given time.

The GandCrab ransomware has also been observed to attempt to manipulate all accessible Windows components — the registry, boot and recovery options, as well as user configuration settings. Such behavior patterns are part of the persistent state initiation. When this step is complete the GandCrab ransomware can automatically monitor the users behavior and disallow manual user removal attempts. In such cases only a quality anti-spyware solution can restore the affected computers. During the data extraction the security researchers discovered that the malware engine generates a full system profile: IP address, hardware components, Microsoft Windows credentials, computer name, unique machine ID and others.

As the hackers have attained complete access to the machines they can retrieve data from user applications as well. Usually this is used with web browsers where the hackers obtain stored contents such as: form data, preferences, cookies, bookmarks, history, account credentials and passwords.

The fact that the virus is capable of interacting with the Windows Volume Manager. This step allows the ransomware component to freely access and process data found on connected removable storage devices and network shares.

A recent trend among criminals distributing viruses such as the GandCrab ransomware is the distribution of cryptocurrency miners. They are persistent malware that take advantage of the available system resources and utilize it to generate income for the hacker operators.

GandCrab Ransomware – Encryption Process

Once all have executed successfully the ransomware component is started. Like other famous malware strains it strives to process as many user files as possible. Most ransomware tend to impact the most widely used data including the following:

  • Images
  • Videos
  • Music
  • Backups
  • Documents
  • Databases
  • Configuration Files

As a result all processed files receive the .GDCB extension. It then shows a ransomware message crafted in a rich text file or shown as a lockscreen instance. If the second option is enabled then the users may not be able to interact with their computers until the threat is completely removed. One of the sample notes reads the following:

GandCrab ransomware note

Welcome!
WE ARE REGRET, BUT ALL YOUR FILES WAS ENCRYPTED!

AS FAR AS WE KNOW:
Country
OS
PC User
Pc Name
PC Group
PC Lang.
HDD
Date of encrypt
Amount of your files
Volume of your files

But don’t worry, you can return all your files! We can help you!

Below you can choose one of your encrypted file from your PC and decrypt him, it is test decryptor for you.
But we can decrypt only 1 file for free.

ATTENTION! Don’t try use third-party decryptor tools! Because this will destroy yourr files!

What do you need?

You need GandCrab Decryptor. This software will decrypt all your encrypted files and will delete GandCrab from your PC. For purchase you need crypto-currency DASH (1 DASH = 760.567$). How to buy this currency you can read it here.

How much money you need to pay? Below we are specified amount and our wallet for payment

Price: 1.5 DASH (1200 USD)

This is the ransomware that expects a ransom payment in the DASH cryptocurrency. This is an alternative to Bitcoin, the hackers extort the victims for the sum of 1.5 — at the moment this is the equivalent of around $1150.

The users are blackmailed by being provided a trial decryptor, this tactic is used in order to manipulate the victims into paying the hacker operators. All users should know that they can effeciently remove the infection and restore their files by following our in-depth removal guide. Follow our instructions below.

GandCrab Ransomware – Affected Extensions

A thorough analysis was performed on several samples captured from the attacks. The security experts were able to extract the built-in list of target file type extensions. It encopasses a wide variety of target user files. It includes the following:

.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach,
.acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx,
.asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend,
.bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn,
.cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv,
.d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des,
.design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb,
.eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho,
.gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_,
.ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit,
.litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw,
.mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw,
.msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb,
.nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost,
.otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef,
.pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx,
.pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst,
.ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm,
.rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3,
.sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf,
.sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx,
.vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx,
.xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

Along with this the malware includes a black list of folders and files that are skipped by the GandCrab ransomware engine:

  • \ProgramData\
  • \Program Files\
  • \Tor Browser\
  • Ransomware
  • \All Users\
  • \Local Settings\
  • desktop.ini
  • autorun.inf
  • ntuser.dat
  • iconcache.db
  • bootsect.bak
  • boot.ini
  • ntuser.dat.log
  • thumbs.db
  • GDCB-DECRYPT.txt
  • .sql

Remove GandCrab Ransomware and Restore .GDCB Files

If your computer got infected with the GandCrab ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Note! Your computer system may be affected by GandCrab and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as GandCrab.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove GandCrab follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove GandCrab files and objects
2. Find files created by GandCrab on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by GandCrab

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

8 Comments

  1. Darina

    И сега как да си изчистя компа?

    Reply
    1. Martin Beltov (Post author)

      Здравейте, Дарина, подробна информация за конкретната заплаха е подробно изложена в тази статия. В последната част посочваме конкретни стъпки за премахването на наличните инфекции.
      Поздрави,
      Мартин

      Reply
  2. jorge

    Documentos encriptados con extencion GDCB, como puedo abrir mis documentos infectados (encriptados), que debo hacer algun programa o forma de recuperar.

    Reply
  3. Irene

    Siamo stati colpiti dal virus, abbiamo già pagato la licenza spyhunter ma non abbiamo ottenuto risultati. I file continuano ad essere criptati. Cosa posso fare per risolvere? Grazie

    Reply
    1. Milena Dimitrova

      Hi Irene,

      The program you have used is an anti-malware program. As stated in the article, it removes the ransomware so that it doesn’t spread further to more computers, but it doesn’t work as a decryption tool. Unfortunately, there still isn’t an official decryption tool for GandCrab ransomware but you may try using data recovery software.

      Reply
      1. Vinayak Jha

        Miilena and Irene, Help me if you got the tools for decrypting

        Reply
        1. Martin Beltov (Post author)

          Hello Vinayak,

          GandCrab is not a single ransomware strain but a whole family of similar threats that share a singe malware engine identified with this signature. Due to its complex nature there is no complete decryption tool that can effectively recover the affected data.

          This is the reason we propose that you attempt to recover your files using this guide.

          Reply
  4. Vinayak Jha

    Hi, Let me know if any tool works for decrypting the files.As it has encrypted most of the Pictures and videos in my pc.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...