Our GandCrab ransomware removal guide shows how computer users can restore their computers from the dangerous virus. It alters important settings on the system, encrypts sensitive data with the .GDCB extension and can lead to further infections. Read our in-depth article to learn more about it.
Threat Summary
| Name | GandCrab |
| Type | Ransomware, Cryptovirus |
| Short Description | The GandCrab ransomware is a dangerous virus that assigns the .GDCB extension to the compromised files. The victim’s system is also modified and additional malware can be instituted in them. |
| Symptoms | The victims will notice that a large portion of their data is going to be encrypted with a powerful cipher and renamed using a template extension. They may also experience significant performance issues, application failure and other types of damage. |
| Distribution Method | Spam Emails, Email Attachments |
| Detection Tool | See If Your System Has Been Affected by malware Download Malware Removal Tool | User Experience | Join Our Forum to Discuss GandCrab. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
GANDCRAB – Update October 2018 – Free Decryption is Now Available
Researchers have successfully made a breakthrough with GandCrab ransomware and have developed a decryption tool for all versions of GandCrab ransomware. Following these developments, we have published instructions on how to decrypt GandCrab encrypted files for free, which you can find in the related article below:
GandCrab Ransomware – Update April 2018
A new version of GandCrab ransomware has been released with a much higher infection rate. The new version is using the .CRAB file extension and currently files enciphered by it cannot be decrypted. It has been reported to be spread via spam e-mails carrying 7z archives, pretending to be PDF documents, but in fact containing .js infection files with the same names inside. More information on the latest version of GandCrab ransomware can be found on the related article link underneath:
→ Related:.CRAB Files Virus – How to Remove GandCrab v2 and Restore Data
GandCrab Ransomware – Update
GandCrab Ransomware – Ways of Distribution
The GandCrab Ransomware can be delivered using different strategies according to the hackers configuration and the computer targets. One of the most common methods is the use of email spam messages. They are creating in bulk and tend to use templates and common social engineering scenarios in order to convince the victims into interacting with the malware component. The operators can utilize file attachments that are disguised as legitimate utilites and important software. In other cases hyperlinks can be inserted in the body contents. As the hacker templates usually model popular web services the links themselves are masked as password reset links, confirmation messages or other typical redirects. The email messages can also contain other threats such as links or attachments with malware software installers. The are hacker-modified installers taken from the official vendors and modified to include the GandCrab Ransomware code. In certain cases the victims may be able to disallow the infection by unchecking certain options during the setup process.
In recent times it has become very popular for computer criminals to craft malware sites in order to deliver ransomware infections like the GandCrab virus. They are made using template engines that mimic well-known search engines and download portals. In some configurations the malware is delivered through site interaction via specific parts or by clicking on banners, links, ads and etc.
If the sites attempt to look like download portals they may offer infected documents that are also being distributed via e-mail messages. They can be of different types including rich text documents, spreadsheets and presentations. Once the victims open them up a notifcation prompt appears which asks them to enable the built-in macros (scripts). If this is done the infection follows.
Another method that is frequently used is the distribution of browser hijackers. They represent malware browser plugins that feature complex behavior patterns. They can alter important settings (default home page, search engine and new tabs page), as well as directly deliver malware threats to the victims.
Finally exploit kits can automatically test the targets for software vulnerabilities. If such are identified then the computers are penetrated and the GandCrab ransomware is installed onto them.
Computer security researchers have revealed some of the domains that spread GandCrab infections.WARNING! They are posted for information purposes only, do not interact with these domains! When they are opened a ZIP will be downloaded that includes a JavaScript code which leads to the actual GandCrab virus infection. The scripts include 3 payload URLs, this is a common technique among advanced viruses. If the primary site goes down a mirror copy is always accessible. The current list includes the following addresses:
kepran.com, a-bricks.com, acelloria.com, abacustraining.com, a1fleetds.com, abacpayag.com, abchello.com
ablogabouticeland.com, a-fortunate-world.com, aceyz.com, academydf.com, acetechpng.com, acadekicks.com
acetechpng.com, aceroprojects.com, accelotech.com, accentflooringmn.com, aceroscampollano.com, , cencarbonfiber.com, accidentvictimservices.com, acces-info-communication.com, 86displays.com, 8hoursfromchicago.com, 9l0-518.com, 757sellfast.com, xn--m3cdha3exabl1bc9a7s.com, xn--m3cdbhk1b5e7a7d8h.com,
xn--m3cafj0bn1czac5bza9lme7b.com, xn--m3cdhe8bb0cv5ag4c8a8p.com, xn--12caqf7l9a2cb0dwddc0gual.com, xn--12cl3chah7dk7c6f5ae5gue.com, xn--72c1afja3d9cezh4w.com, xperjeans.com, xxcrossconcept.com, xploresydney.com
xueshengshi.com, wstfab.com, wincoair.com, wiquitous.com, wesingyou.com, world-concierge.com, windycitypizzakitchens.com, zxytcjj.com, zhwq1216.com, zichabowling.com, zambellimagali.com, zebra-zone.com,
yapaymesane.com, yannatravelsandeats.com, yotuba6480.com, youngstownautocredit.com
For security reasons we have masked the full URL’s to the script redirects.
GandCrab Ransomware – In-Depth Description
The captured GandCrab ransomware samples have been found to follow a very complex attack behavior. Upon infection it starts the sequence by attempting to bypass security software. This is done by actively scanning the infected computer for sandboxes, virtual machines and debuggers. In most cases ransomware strains bypass or delete them. If they are unable to do so they can delete the virus itself to avoid detection.
During the initial setup the malware engine scans for the presence of the following security applications and vendors:
- Avast
- Avira
- Comodo
- ESET NOD 32
- F-Secure
- Kaspersky
- McAfee
- Microsoft
- Norton/Symantec
- Panda
- Trend Micro
The next step would be to launch information gathering option. It aims to extract as much data as possible that is being categorized into two main types. The first type is related to the anonymous metrics which are collected by the criminals to judge how effective the attack campaign is. Example data includes the operating system version, installed software and other related information. What’s more worrying is the fact that many of these virus strains also harvest personally-identifiable data which can directly expose the victims identity. The engine executes a deep system scan that can retrieve values and strings that include information such as their name, address, telephone number, preferences, interests and etc.
Once these two steps have complete the ransomware engine proceeds by concealing itself from the system. This means that if the system administrators execute a manual scan they may not be able to find out that there is an ongoing infection. At this point other security software have already been disabled and the GandCrab ransomware can freely execute any of its built-in modules. The security analysis reveals that it is based on a modular framework that allows it to be updated further with new components with every new release.
It can connect to a hacker-controlled server using a secure connection. It allows the hacker controllers to execute arbitrary commands and infect the system with additional threats. In many cases advanced ransomware like this one can also deliver a Trojan instance that allows the hacker operators to constantly spy on the victims as well as take over control of their machines at any given time.
The GandCrab ransomware has also been observed to attempt to manipulate all accessible Windows components — the registry, boot and recovery options, as well as user configuration settings. Such behavior patterns are part of the persistent state initiation. When this step is complete the GandCrab ransomware can automatically monitor the users behavior and disallow manual user removal attempts. In such cases only a quality anti-spyware solution can restore the affected computers. During the data extraction the security researchers discovered that the malware engine generates a full system profile: IP address, hardware components, Microsoft Windows credentials, computer name, unique machine ID and others.
As the hackers have attained complete access to the machines they can retrieve data from user applications as well. Usually this is used with web browsers where the hackers obtain stored contents such as: form data, preferences, cookies, bookmarks, history, account credentials and passwords.
The fact that the virus is capable of interacting with the Windows Volume Manager. This step allows the ransomware component to freely access and process data found on connected removable storage devices and network shares.
A recent trend among criminals distributing viruses such as the GandCrab ransomware is the distribution of cryptocurrency miners. They are persistent malware that take advantage of the available system resources and utilize it to generate income for the hacker operators.
GandCrab Ransomware – Encryption Process
Once all
- Images
- Videos
- Music
- Backups
- Documents
- Databases
- Configuration Files
As a result all processed files receive the .GDCB extension. It then shows a ransomware message crafted in a rich text file or shown as a lockscreen instance. If the second option is enabled then the users may not be able to interact with their computers until the threat is completely removed. One of the sample notes reads the following:
Welcome!
WE ARE REGRET, BUT ALL YOUR FILES WAS ENCRYPTED!AS FAR AS WE KNOW:
Country
OS
PC User
Pc Name
PC Group
PC Lang.
HDD
Date of encrypt
Amount of your files
Volume of your filesBut don’t worry, you can return all your files! We can help you!
Below you can choose one of your encrypted file from your PC and decrypt him, it is test decryptor for you.
But we can decrypt only 1 file for free.ATTENTION! Don’t try use third-party decryptor tools! Because this will destroy yourr files!
What do you need?
You need GandCrab Decryptor. This software will decrypt all your encrypted files and will delete GandCrab from your PC. For purchase you need crypto-currency DASH (1 DASH = 760.567$). How to buy this currency you can read it here.
How much money you need to pay? Below we are specified amount and our wallet for payment
Price: 1.5 DASH (1200 USD)
This is the ransomware that expects a ransom payment in the DASH cryptocurrency. This is an alternative to Bitcoin, the hackers extort the victims for the sum of 1.5 — at the moment this is the equivalent of around $1150.
The users are blackmailed by being provided a trial decryptor, this tactic is used in order to manipulate the victims into paying the hacker operators. All users should know that they can effeciently remove the infection and restore their files by following our in-depth removal guide. Follow our instructions below.
GandCrab Ransomware – Affected Extensions
A thorough analysis was performed on several samples captured from the attacks. The security experts were able to extract the built-in list of target file type extensions. It encopasses a wide variety of target user files. It includes the following:
.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach,
.acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx,
.asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend,
.bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn,
.cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv,
.d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des,
.design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb,
.eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho,
.gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_,
.ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit,
.litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw,
.mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw,
.msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb,
.nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost,
.otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef,
.pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx,
.pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst,
.ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm,
.rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3,
.sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf,
.sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx,
.vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx,
.xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip
Along with this the malware includes a black list of folders and files that are skipped by the GandCrab ransomware engine:
- \ProgramData\
- \Program Files\
- \Tor Browser\
- Ransomware
- \All Users\
- \Local Settings\
- desktop.ini
- autorun.inf
- ntuser.dat
- iconcache.db
- bootsect.bak
- boot.ini
- ntuser.dat.log
- thumbs.db
- GDCB-DECRYPT.txt
- .sql
Remove GandCrab Ransomware and Restore .GDCB Files
If your computer got infected with the GandCrab ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me:
И сега как да си изчистя компа?
Здравейте, Дарина, подробна информация за конкретната заплаха е подробно изложена в тази статия. В последната част посочваме конкретни стъпки за премахването на наличните инфекции.
Поздрави,
Мартин
Documentos encriptados con extencion GDCB, como puedo abrir mis documentos infectados (encriptados), que debo hacer algun programa o forma de recuperar.
Siamo stati colpiti dal virus, abbiamo già pagato la licenza spyhunter ma non abbiamo ottenuto risultati. I file continuano ad essere criptati. Cosa posso fare per risolvere? Grazie
Hi Irene,
The program you have used is an anti-malware program. As stated in the article, it removes the ransomware so that it doesn’t spread further to more computers, but it doesn’t work as a decryption tool. Unfortunately, there still isn’t an official decryption tool for GandCrab ransomware but you may try using data recovery software.
Miilena and Irene, Help me if you got the tools for decrypting
Hello Vinayak,
GandCrab is not a single ransomware strain but a whole family of similar threats that share a singe malware engine identified with this signature. Due to its complex nature there is no complete decryption tool that can effectively recover the affected data.
This is the reason we propose that you attempt to recover your files using this guide.
Hi, Let me know if any tool works for decrypting the files.As it has encrypted most of the Pictures and videos in my pc.
Me han encriptado los archivos con una extensión .OAFCHZES.
La herramienta de bitdefender lamentablemente no me ha funcionado.
Según la nota del rescate en el encabezado aparece –= GANDCRAB V5.0.4 =—
Os agradecería opinión
Gracias. Saludos