GandCrab Ransomware Removal – Restore .GDCB Files

Our GandCrab ransomware removal guide shows how computer users can restore their computers from the dangerous virus. It alters important settings on the system, encrypts sensitive data with the .GDCB extension and can lead to further infections. Read our in-depth article to learn more about it.

Threat Summary

Name	GandCrab
Type	Ransomware, Cryptovirus
Short Description	The GandCrab ransomware is a dangerous virus that assigns the .GDCB extension to the compromised files. The victim’s system is also modified and additional malware can be instituted in them.
Symptoms	The victims will notice that a large portion of their data is going to be encrypted with a powerful cipher and renamed using a template extension. They may also experience significant performance issues, application failure and other types of damage.
Distribution Method	Spam Emails, Email Attachments
Detection Tool	See If Your System Has Been Affected by GandCrab Download Malware Removal Tool
User Experience	Join Our Forum to Discuss GandCrab.
Data Recovery Tool	Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

GandCrab Ransomware – Update April 2018

A new version of GandCrab ransomware has been released with a much higher infection rate. The new version is using the .CRAB file extension and currently files enciphered by it cannot be decrypted. It has been reported to be spread via spam e-mails carrying 7z archives, pretending to be PDF documents, but in fact containing .js infection files with the same names inside. More information on the latest version of GandCrab ransomware can be found on the related article link underneath:

→ Related:.CRAB Files Virus – How to Remove GandCrab v2 and Restore Data

GandCrab Ransomware – Update

GandCrab Ransomware – Ways of Distribution

The GandCrab Ransomware can be delivered using different strategies according to the hackers configuration and the computer targets. One of the most common methods is the use of email spam messages. They are creating in bulk and tend to use templates and common social engineering scenarios in order to convince the victims into interacting with the malware component. The operators can utilize file attachments that are disguised as legitimate utilites and important software. In other cases hyperlinks can be inserted in the body contents. As the hacker templates usually model popular web services the links themselves are masked as password reset links, confirmation messages or other typical redirects. The email messages can also contain other threats such as links or attachments with malware software installers. The are hacker-modified installers taken from the official vendors and modified to include the GandCrab Ransomware code. In certain cases the victims may be able to disallow the infection by unchecking certain options during the setup process.

In recent times it has become very popular for computer criminals to craft malware sites in order to deliver ransomware infections like the GandCrab virus. They are made using template engines that mimic well-known search engines and download portals. In some configurations the malware is delivered through site interaction via specific parts or by clicking on banners, links, ads and etc.

If the sites attempt to look like download portals they may offer infected documents that are also being distributed via e-mail messages. They can be of different types including rich text documents, spreadsheets and presentations. Once the victims open them up a notifcation prompt appears which asks them to enable the built-in macros (scripts). If this is done the infection follows.

Another method that is frequently used is the distribution of browser hijackers. They represent malware browser plugins that feature complex behavior patterns. They can alter important settings (default home page, search engine and new tabs page), as well as directly deliver malware threats to the victims.

Finally exploit kits can automatically test the targets for software vulnerabilities. If such are identified then the computers are penetrated and the GandCrab ransomware is installed onto them.

GandCrab Ransomware – In-Depth Description

The captured GandCrab ransomware samples have been found to follow a very complex attack behavior. Upon infection it starts the sequence by attempting to bypass security software. This is done by actively scanning the infected computer for sandboxes, virtual machines and debuggers. In most cases ransomware strains bypass or delete them. If they are unable to do so they can delete the virus itself to avoid detection.

During the initial setup the malware engine scans for the presence of the following security applications and vendors:

• Avast
• Avira
• Comodo
• ESET NOD 32
• F-Secure
• Kaspersky
• McAfee
• Microsoft
• Norton/Symantec
• Panda
• Trend Micro

The next step would be to launch information gathering option. It aims to extract as much data as possible that is being categorized into two main types. The first type is related to the anonymous metrics which are collected by the criminals to judge how effective the attack campaign is. Example data includes the operating system version, installed software and other related information. What’s more worrying is the fact that many of these virus strains also harvest personally-identifiable data which can directly expose the victims identity. The engine executes a deep system scan that can retrieve values and strings that include information such as their name, address, telephone number, preferences, interests and etc.

Once these two steps have complete the ransomware engine proceeds by concealing itself from the system. This means that if the system administrators execute a manual scan they may not be able to find out that there is an ongoing infection. At this point other security software have already been disabled and the GandCrab ransomware can freely execute any of its built-in modules. The security analysis reveals that it is based on a modular framework that allows it to be updated further with new components with every new release.

It can connect to a hacker-controlled server using a secure connection. It allows the hacker controllers to execute arbitrary commands and infect the system with additional threats. In many cases advanced ransomware like this one can also deliver a Trojan instance that allows the hacker operators to constantly spy on the victims as well as take over control of their machines at any given time.

The GandCrab ransomware has also been observed to attempt to manipulate all accessible Windows components — the registry, boot and recovery options, as well as user configuration settings. Such behavior patterns are part of the persistent state initiation. When this step is complete the GandCrab ransomware can automatically monitor the users behavior and disallow manual user removal attempts. In such cases only a quality anti-spyware solution can restore the affected computers. During the data extraction the security researchers discovered that the malware engine generates a full system profile: IP address, hardware components, Microsoft Windows credentials, computer name, unique machine ID and others.

As the hackers have attained complete access to the machines they can retrieve data from user applications as well. Usually this is used with web browsers where the hackers obtain stored contents such as: form data, preferences, cookies, bookmarks, history, account credentials and passwords.

The fact that the virus is capable of interacting with the Windows Volume Manager. This step allows the ransomware component to freely access and process data found on connected removable storage devices and network shares.

A recent trend among criminals distributing viruses such as the GandCrab ransomware is the distribution of cryptocurrency miners. They are persistent malware that take advantage of the available system resources and utilize it to generate income for the hacker operators.

GandCrab Ransomware – Encryption Process

Once all have executed successfully the ransomware component is started. Like other famous malware strains it strives to process as many user files as possible. Most ransomware tend to impact the most widely used data including the following:

• Images
• Videos
• Music
• Backups
• Documents
• Databases
• Configuration Files

As a result all processed files receive the .GDCB extension. It then shows a ransomware message crafted in a rich text file or shown as a lockscreen instance. If the second option is enabled then the users may not be able to interact with their computers until the threat is completely removed. One of the sample notes reads the following:

Welcome!
WE ARE REGRET, BUT ALL YOUR FILES WAS ENCRYPTED!

AS FAR AS WE KNOW:
Country
OS
PC User
Pc Name
PC Group
PC Lang.
HDD
Date of encrypt
Amount of your files
Volume of your files

But don’t worry, you can return all your files! We can help you!

Below you can choose one of your encrypted file from your PC and decrypt him, it is test decryptor for you.
But we can decrypt only 1 file for free.

ATTENTION! Don’t try use third-party decryptor tools! Because this will destroy yourr files!

What do you need?

You need GandCrab Decryptor. This software will decrypt all your encrypted files and will delete GandCrab from your PC. For purchase you need crypto-currency DASH (1 DASH = 760.567$). How to buy this currency you can read it here.

How much money you need to pay? Below we are specified amount and our wallet for payment

Price: 1.5 DASH (1200 USD)

This is the ransomware that expects a ransom payment in the DASH cryptocurrency. This is an alternative to Bitcoin, the hackers extort the victims for the sum of 1.5 — at the moment this is the equivalent of around $1150.

The users are blackmailed by being provided a trial decryptor, this tactic is used in order to manipulate the victims into paying the hacker operators. All users should know that they can effeciently remove the infection and restore their files by following our in-depth removal guide. Follow our instructions below.

GandCrab Ransomware – Affected Extensions

A thorough analysis was performed on several samples captured from the attacks. The security experts were able to extract the built-in list of target file type extensions. It encopasses a wide variety of target user files. It includes the following:

.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach,
.acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx,
.asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend,
.bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn,
.cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv,
.d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des,
.design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb,
.eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho,
.gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_,
.ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit,
.litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw,
.mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw,
.msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb,
.nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost,
.otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef,
.pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx,
.pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst,
.ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm,
.rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3,
.sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf,
.sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx,
.vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx,
.xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

Along with this the malware includes a black list of folders and files that are skipped by the GandCrab ransomware engine:

• \ProgramData\
• \Program Files\
• \Tor Browser\
• Ransomware
• \All Users\
• \Local Settings\
• desktop.ini
• autorun.inf
• ntuser.dat
• iconcache.db
• bootsect.bak
• boot.ini
• ntuser.dat.log
• thumbs.db
• GDCB-DECRYPT.txt
• .sql

Remove GandCrab Ransomware and Restore .GDCB Files

If your computer got infected with the GandCrab ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete GandCrab from your computer

Note! Substantial notification about the GandCrab threat: Manual removal of GandCrab requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove GandCrab files and objects

Boot Your PC Into Safe Mode

1. For Windows 7,XP and Vista. 2. For Windows 8, 8.1 and 10. Fix registry entries created by GandCrab on your PC.

For Windows XP, Vista, 7 systems:

1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
2. Select one of the two options provided below:

– For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.

– For PCs with multiple operating systems: Тhe arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.

3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter“.

4. Log on to your computer using your administrator account

While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.

Step 1: Open the Start Menu

Step 2: Whilst holding down Shift button, click on Power and then click on Restart.
Step 3: After reboot, the aftermentioned menu will appear. From there you should choose Troubleshoot.

Step 4: You will see the Troubleshoot menu. From this menu you can choose Advanced Options.

Step 5: After the Advanced Options menu appears, click on Startup Settings.

Step 6: Click on Restart.

Step 7: A menu will appear upon reboot. You should choose Safe Mode by pressing its corresponding number and the machine will restart.

Some malicious scripts may modify the registry entries of your computer to change different settings. This is why manual clean up of your Windows Registry Database is strongly recommended. Since the tutorial on how to do this is a bit lenghty, we recommend following our instructive article about fixing registry entries.

2. Find malicious files created by GandCrab on your PC

Find malicious files created by GandCrab

1. For Windows 8, 8.1 and 10. 2. For Windows 7,XP and Vista.

For Newer Windows Operating Systems

Step 1:

On your keyboard press  + R and write explorer.exe in the Run text box and then click on the Ok button.

Step 2:

Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.

Step 3:

Navigate to the search box in the top-right of your PC’s screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be “fileextension:exe”. After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:

N.B. We recommend to wait for the green loading bar in the navination box to fill up in case the PC is looking for the file and hasn’t found it yet.

For Older Windows Operating Systems

In older Windows OS’s the conventional approach should be the effective one:

Step 1:

Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.

Step 2:

After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.

Step 3:

After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.

Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.

Automatically remove GandCrab by downloading an advanced anti-malware program

1. Remove GandCrab with SpyHunter Anti-Malware Tool and back up your data

Remove GandCrab with SpyHunter Anti-Malware Tool

1. Install SpyHunter to scan for and remove GandCrab.2. Scan with SpyHunter to Detect and Remove GandCrab. Back up your data to secure it against infections and file encryption by GandCrab in the future.

Step 1:Click on the “Download” button to proceed to SpyHunter’s download page.

Download

Malware Removal Tool

It is highly recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter.

Step 2: Guide yourself by the download instructions provided for each browser.
Step 3: After you have installed SpyHunter, wait for it to automatically update.

Step1: After the update process has finished, click on the ‘Scan Computer Now’ button.

Step2: After SpyHunter has finished scanning your PC for any GandCrab files, click on the ‘Fix Threats’ button to remove them automatically and permanently.

Step3: Once the intrusions on your PC have been removed, it is highly recommended to restart it.

Back up your data to secure it against attacks in the future

IMPORTANT! Before reading the Windows backup instructions, we highly recommend to back up your data automatically with cloud backup and insure it against any type of data loss on your device, even the most severe. We recommend reading more about and downloading SOS Online Backup .

SOS Online Backup

2. Restore files encrypted by GandCrab

Restore Files Encrypted by GandCrab

Ransomware infections like GandCrab aim to encrypt your files using an encryption algorithm which may be very difficult to directly decrypt. This is why we have suggested several alternative methods that may help you go around direct decryption and try to restore your files. Bear in mind that they may not be 100% effective but they may help you little or a lot in some situations.

Method 1: Scanning your drive’s sectors by using Data Recovery software.
Another method of restoring your files is by trying to bring back your files via data recovery software. Here are some suggestions for preferred data recovery software solutions:

• Stellar Phoenix Data Recovery Technicians License(Pro version with more features)
• Stellar Phoenix Windows Data Recovery
• Stellar Phoenix Photo Recovery

Method 2: Trying Kaspersky and EmsiSoft’s decryptors.
If the first method does not work, we suggest trying to use decryptors for other ransomware viruses, in case your virus is a variant of them. The two primary developers of decryptors are Kaspersky and EmsiSoft, links to which we have provided below:

• Kaspersky Decryptors
• Emsisoft Decryptors

Urgent! It is strongly advisable to first remove the GandCrab threat before attempting any decryption, since it may interfere with system files and registries. You can do the removal yourself just in 5 minutes, using an advanced malware removal tool.

Method 3: Using Shadow Explorer

To restore your data in case you have backup set up, it is important to check for shadow copies in Windows using this software if ransomware has not deleted them:

• Shadow Explorer

Method 4: Finding GandCrab decryption key while it communicates it via a network sniffing software.

Another way to decrypt the files is by using a Network Sniffer to get the encryption key, while files are encrypted on your system. A Network Sniffer is a program and/or device monitoring data traveling over a network, such as its internet traffic and internet packets. If you have a sniffer set before the attack happened you might get information about the decryption key. See how-to instructions below:

Instructions on How to Find Decryption Key for Files Encrypted By Ransowmare

Optional: Using Alternative Anti-Malware Tools

Remove GandCrab Using Other Alternative Tools

STOPZilla Anti Malware

1. Download and Install STOPZilla Anti-malware to Scan for And Remove GandCrab.
Step 1: Download STOPZilla by clicking here.
Step 2: A pop-up window will appear. Click on the ‘Save File’ button. If it does not, click on the Download button and save it afterwards.

Step 3: After you have downloaded the setup, simply open it.
Step 4: The installer should appear. Click on the ‘Next’ button.

Step 5: Check the ‘I accept the agreement’ check circle if not checked if you accept it and click the ‘Next’ button once again.

Step 6: Review and click on the ‘Install’ button.

Step 7: After the installation process has completed click on the ‘Finish’ button.

2. Scan your PC with STOPZilla Anti Malware to remove all GandCrab associated files completely.
Step 1: Launch STOPZilla if you haven’t launched it after install.
Step 2: Wait for the software to automatically scan and then click on the ‘Repair Now’ button. If it does not scan automatically, click on the ‘Scan Now’ button.

Step 3: After the removal of all threats and associated objects, you should Restart your PC.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:

8 Comments

1. Darina February 5, 2018 at 4:28 pm

   И сега как да си изчистя компа?

   Reply ↓
   1. Martin Beltov (Post author)February 6, 2018 at 8:13 am

      Здравейте, Дарина, подробна информация за конкретната заплаха е подробно изложена в тази статия. В последната част посочваме конкретни стъпки за премахването на наличните инфекции.
      Поздрави,
      Мартин

      Reply ↓
2. jorge February 12, 2018 at 12:46 am

   Documentos encriptados con extencion GDCB, como puedo abrir mis documentos infectados (encriptados), que debo hacer algun programa o forma de recuperar.

   Reply ↓
3. Irene February 25, 2018 at 12:03 pm

   Siamo stati colpiti dal virus, abbiamo già pagato la licenza spyhunter ma non abbiamo ottenuto risultati. I file continuano ad essere criptati. Cosa posso fare per risolvere? Grazie

   Reply ↓
   1. Milena Dimitrova February 26, 2018 at 12:21 pm

      Hi Irene,

      The program you have used is an anti-malware program. As stated in the article, it removes the ransomware so that it doesn’t spread further to more computers, but it doesn’t work as a decryption tool. Unfortunately, there still isn’t an official decryption tool for GandCrab ransomware but you may try using data recovery software.

      Reply ↓
      1. Vinayak Jha April 16, 2018 at 8:28 am

         Miilena and Irene, Help me if you got the tools for decrypting

         Reply ↓
         1. Martin Beltov (Post author)April 16, 2018 at 9:23 am

            Hello Vinayak,

            GandCrab is not a single ransomware strain but a whole family of similar threats that share a singe malware engine identified with this signature. Due to its complex nature there is no complete decryption tool that can effectively recover the affected data.

            This is the reason we propose that you attempt to recover your files using this guide.

            Reply ↓
4. Vinayak Jha April 16, 2018 at 8:27 am

   Hi, Let me know if any tool works for decrypting the files.As it has encrypted most of the Pictures and videos in my pc.

   Reply ↓

Leave a Comment Cancel reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA. 9  −  three  =