Our GandCrab ransomware removal guide shows how computer users can restore their computers from the dangerous virus. It alters important settings on the system, encrypts sensitive data with the .GDCB extension and can lead to further infections. Read our in-depth article to learn more about it.
|Short Description||The GandCrab ransomware is a dangerous virus that assigns the .GDCB extension to the compromised files. The victim’s system is also modified and additional malware can be instituted in them.|
|Symptoms||The victims will notice that a large portion of their data is going to be encrypted with a powerful cipher and renamed using a template extension. They may also experience significant performance issues, application failure and other types of damage.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by GandCrab |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss GandCrab.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
GandCrab Ransomware – Update April 2018
A new version of GandCrab ransomware has been released with a much higher infection rate. The new version is using the .CRAB file extension and currently files enciphered by it cannot be decrypted. It has been reported to be spread via spam e-mails carrying 7z archives, pretending to be PDF documents, but in fact containing .js infection files with the same names inside. More information on the latest version of GandCrab ransomware can be found on the related article link underneath:
GandCrab Ransomware – Update
GandCrab Ransomware – Ways of Distribution
The GandCrab Ransomware can be delivered using different strategies according to the hackers configuration and the computer targets. One of the most common methods is the use of email spam messages. They are creating in bulk and tend to use templates and common social engineering scenarios in order to convince the victims into interacting with the malware component. The operators can utilize file attachments that are disguised as legitimate utilites and important software. In other cases hyperlinks can be inserted in the body contents. As the hacker templates usually model popular web services the links themselves are masked as password reset links, confirmation messages or other typical redirects. The email messages can also contain other threats such as links or attachments with malware software installers. The are hacker-modified installers taken from the official vendors and modified to include the GandCrab Ransomware code. In certain cases the victims may be able to disallow the infection by unchecking certain options during the setup process.
In recent times it has become very popular for computer criminals to craft malware sites in order to deliver ransomware infections like the GandCrab virus. They are made using template engines that mimic well-known search engines and download portals. In some configurations the malware is delivered through site interaction via specific parts or by clicking on banners, links, ads and etc.
If the sites attempt to look like download portals they may offer infected documents that are also being distributed via e-mail messages. They can be of different types including rich text documents, spreadsheets and presentations. Once the victims open them up a notifcation prompt appears which asks them to enable the built-in macros (scripts). If this is done the infection follows.
Another method that is frequently used is the distribution of browser hijackers. They represent malware browser plugins that feature complex behavior patterns. They can alter important settings (default home page, search engine and new tabs page), as well as directly deliver malware threats to the victims.
Finally exploit kits can automatically test the targets for software vulnerabilities. If such are identified then the computers are penetrated and the GandCrab ransomware is installed onto them.
kepran.com, a-bricks.com, acelloria.com, abacustraining.com, a1fleetds.com, abacpayag.com, abchello.com
ablogabouticeland.com, a-fortunate-world.com, aceyz.com, academydf.com, acetechpng.com, acadekicks.com
acetechpng.com, aceroprojects.com, accelotech.com, accentflooringmn.com, aceroscampollano.com, , cencarbonfiber.com, accidentvictimservices.com, acces-info-communication.com, 86displays.com, 8hoursfromchicago.com, 9l0-518.com, 757sellfast.com, xn--m3cdha3exabl1bc9a7s.com, xn--m3cdbhk1b5e7a7d8h.com,
xn--m3cafj0bn1czac5bza9lme7b.com, xn--m3cdhe8bb0cv5ag4c8a8p.com, xn--12caqf7l9a2cb0dwddc0gual.com, xn--12cl3chah7dk7c6f5ae5gue.com, xn--72c1afja3d9cezh4w.com, xperjeans.com, xxcrossconcept.com, xploresydney.com
xueshengshi.com, wstfab.com, wincoair.com, wiquitous.com, wesingyou.com, world-concierge.com, windycitypizzakitchens.com, zxytcjj.com, zhwq1216.com, zichabowling.com, zambellimagali.com, zebra-zone.com,
yapaymesane.com, yannatravelsandeats.com, yotuba6480.com, youngstownautocredit.com
For security reasons we have masked the full URL’s to the script redirects.
GandCrab Ransomware – In-Depth Description
The captured GandCrab ransomware samples have been found to follow a very complex attack behavior. Upon infection it starts the sequence by attempting to bypass security software. This is done by actively scanning the infected computer for sandboxes, virtual machines and debuggers. In most cases ransomware strains bypass or delete them. If they are unable to do so they can delete the virus itself to avoid detection.
During the initial setup the malware engine scans for the presence of the following security applications and vendors:
- ESET NOD 32
- Trend Micro
The next step would be to launch information gathering option. It aims to extract as much data as possible that is being categorized into two main types. The first type is related to the anonymous metrics which are collected by the criminals to judge how effective the attack campaign is. Example data includes the operating system version, installed software and other related information. What’s more worrying is the fact that many of these virus strains also harvest personally-identifiable data which can directly expose the victims identity. The engine executes a deep system scan that can retrieve values and strings that include information such as their name, address, telephone number, preferences, interests and etc.
Once these two steps have complete the ransomware engine proceeds by concealing itself from the system. This means that if the system administrators execute a manual scan they may not be able to find out that there is an ongoing infection. At this point other security software have already been disabled and the GandCrab ransomware can freely execute any of its built-in modules. The security analysis reveals that it is based on a modular framework that allows it to be updated further with new components with every new release.
It can connect to a hacker-controlled server using a secure connection. It allows the hacker controllers to execute arbitrary commands and infect the system with additional threats. In many cases advanced ransomware like this one can also deliver a Trojan instance that allows the hacker operators to constantly spy on the victims as well as take over control of their machines at any given time.
The GandCrab ransomware has also been observed to attempt to manipulate all accessible Windows components — the registry, boot and recovery options, as well as user configuration settings. Such behavior patterns are part of the persistent state initiation. When this step is complete the GandCrab ransomware can automatically monitor the users behavior and disallow manual user removal attempts. In such cases only a quality anti-spyware solution can restore the affected computers. During the data extraction the security researchers discovered that the malware engine generates a full system profile: IP address, hardware components, Microsoft Windows credentials, computer name, unique machine ID and others.
As the hackers have attained complete access to the machines they can retrieve data from user applications as well. Usually this is used with web browsers where the hackers obtain stored contents such as: form data, preferences, cookies, bookmarks, history, account credentials and passwords.
The fact that the virus is capable of interacting with the Windows Volume Manager. This step allows the ransomware component to freely access and process data found on connected removable storage devices and network shares.
A recent trend among criminals distributing viruses such as the GandCrab ransomware is the distribution of cryptocurrency miners. They are persistent malware that take advantage of the available system resources and utilize it to generate income for the hacker operators.
GandCrab Ransomware – Encryption Process
Once all have executed successfully the ransomware component is started. Like other famous malware strains it strives to process as many user files as possible. Most ransomware tend to impact the most widely used data including the following:
- Configuration Files
As a result all processed files receive the .GDCB extension. It then shows a ransomware message crafted in a rich text file or shown as a lockscreen instance. If the second option is enabled then the users may not be able to interact with their computers until the threat is completely removed. One of the sample notes reads the following:
WE ARE REGRET, BUT ALL YOUR FILES WAS ENCRYPTED!
AS FAR AS WE KNOW:
Date of encrypt
Amount of your files
Volume of your files
But don’t worry, you can return all your files! We can help you!
Below you can choose one of your encrypted file from your PC and decrypt him, it is test decryptor for you.
But we can decrypt only 1 file for free.
ATTENTION! Don’t try use third-party decryptor tools! Because this will destroy yourr files!
What do you need?
You need GandCrab Decryptor. This software will decrypt all your encrypted files and will delete GandCrab from your PC. For purchase you need crypto-currency DASH (1 DASH = 760.567$). How to buy this currency you can read it here.
How much money you need to pay? Below we are specified amount and our wallet for payment
Price: 1.5 DASH (1200 USD)
This is the ransomware that expects a ransom payment in the DASH cryptocurrency. This is an alternative to Bitcoin, the hackers extort the victims for the sum of 1.5 — at the moment this is the equivalent of around $1150.
The users are blackmailed by being provided a trial decryptor, this tactic is used in order to manipulate the victims into paying the hacker operators. All users should know that they can effeciently remove the infection and restore their files by following our in-depth removal guide. Follow our instructions below.
GandCrab Ransomware – Affected Extensions
A thorough analysis was performed on several samples captured from the attacks. The security experts were able to extract the built-in list of target file type extensions. It encopasses a wide variety of target user files. It includes the following:
.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach,
.acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx,
.asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend,
.bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn,
.cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv,
.d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des,
.design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb,
.eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho,
.gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_,
.ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit,
.litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw,
.mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw,
.msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb,
.nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost,
.otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef,
.pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx,
.pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst,
.ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm,
.rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3,
.sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf,
.sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx,
.vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx,
.xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip
Along with this the malware includes a black list of folders and files that are skipped by the GandCrab ransomware engine:
- \Program Files\
- \Tor Browser\
- \All Users\
- \Local Settings\
Remove GandCrab Ransomware and Restore .GDCB Files
If your computer got infected with the GandCrab ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.
Manually delete GandCrab from your computer
Note! Substantial notification about the GandCrab threat: Manual removal of GandCrab requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.