Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Our GandCrab ransomware removal guide shows how computer users can restore their computers from the dangerous virus. It alters important settings on the system, encrypts sensitive data with the .GDCB extension and can lead to further infections. Read our in-depth article to learn more about it.
Threat Summary
Name
GandCrab
Type
Ransomware, Cryptovirus
Short Description
The GandCrab ransomware is a dangerous virus that assigns the .GDCB extension to the compromised files. The victim’s system is also modified and additional malware can be instituted in them.
Symptoms
The victims will notice that a large portion of their data is going to be encrypted with a powerful cipher and renamed using a template extension. They may also experience significant performance issues, application failure and other types of damage.
Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.
GANDCRAB – Update October 2018 – Free Decryption is Now Available
Researchers have successfully made a breakthrough with GandCrab ransomware and have developed a decryption tool for all versions of GandCrab ransomware. Following these developments, we have published instructions on how to decrypt GandCrab encrypted files for free, which you can find in the related article below:
A new version of GandCrab ransomware has been released with a much higher infection rate. The new version is using the .CRAB file extension and currently files enciphered by it cannot be decrypted. It has been reported to be spread via spam e-mails carrying 7z archives, pretending to be PDF documents, but in fact containing .js infection files with the same names inside. More information on the latest version of GandCrab ransomware can be found on the related article link underneath:
Update! A decryption tool is now available for the GandCrab ransomware! The tool was created by malware researchers from BitDefender and can be downloaded from the following link, inside an .exe file: GandCrab Decryption Tool.
GandCrab Ransomware – Ways of Distribution
The GandCrab Ransomware can be delivered using different strategies according to the hackers configuration and the computer targets. One of the most common methods is the use of email spam messages. They are creating in bulk and tend to use templates and common social engineering scenarios in order to convince the victims into interacting with the malware component. The operators can utilize file attachments that are disguised as legitimate utilites and important software. In other cases hyperlinks can be inserted in the body contents. As the hacker templates usually model popular web services the links themselves are masked as password reset links, confirmation messages or other typical redirects. The email messages can also contain other threats such as links or attachments with malware software installers. The are hacker-modified installers taken from the official vendors and modified to include the GandCrab Ransomware code. In certain cases the victims may be able to disallow the infection by unchecking certain options during the setup process.
In recent times it has become very popular for computer criminals to craft malware sites in order to deliver ransomware infections like the GandCrab virus. They are made using template engines that mimic well-known search engines and download portals. In some configurations the malware is delivered through site interaction via specific parts or by clicking on banners, links, ads and etc.
If the sites attempt to look like download portals they may offer infected documents that are also being distributed via e-mail messages. They can be of different types including rich text documents, spreadsheets and presentations. Once the victims open them up a notifcation prompt appears which asks them to enable the built-in macros (scripts). If this is done the infection follows.
Another method that is frequently used is the distribution of browser hijackers. They represent malware browser plugins that feature complex behavior patterns. They can alter important settings (default home page, search engine and new tabs page), as well as directly deliver malware threats to the victims.
Finally exploit kits can automatically test the targets for software vulnerabilities. If such are identified then the computers are penetrated and the GandCrab ransomware is installed onto them.
Computer security researchers have revealed some of the domains that spread GandCrab infections.WARNING! They are posted for information purposes only, do not interact with these domains! When they are opened a ZIP will be downloaded that includes a JavaScript code which leads to the actual GandCrab virus infection. The scripts include 3 payload URLs, this is a common technique among advanced viruses. If the primary site goes down a mirror copy is always accessible. The current list includes the following addresses:
For security reasons we have masked the full URL’s to the script redirects.
GandCrab Ransomware – In-Depth Description
The captured GandCrab ransomware samples have been found to follow a very complex attack behavior. Upon infection it starts the sequence by attempting to bypass security software. This is done by actively scanning the infected computer for sandboxes, virtual machines and debuggers. In most cases ransomware strains bypass or delete them. If they are unable to do so they can delete the virus itself to avoid detection.
During the initial setup the malware engine scans for the presence of the following security applications and vendors:
Avast
Avira
Comodo
ESET NOD 32
F-Secure
Kaspersky
McAfee
Microsoft
Norton/Symantec
Panda
Trend Micro
The next step would be to launch information gathering option. It aims to extract as much data as possible that is being categorized into two main types. The first type is related to the anonymous metrics which are collected by the criminals to judge how effective the attack campaign is. Example data includes the operating system version, installed software and other related information. What’s more worrying is the fact that many of these virus strains also harvest personally-identifiable data which can directly expose the victims identity. The engine executes a deep system scan that can retrieve values and strings that include information such as their name, address, telephone number, preferences, interests and etc.
Once these two steps have complete the ransomware engine proceeds by concealing itself from the system. This means that if the system administrators execute a manual scan they may not be able to find out that there is an ongoing infection. At this point other security software have already been disabled and the GandCrab ransomware can freely execute any of its built-in modules. The security analysis reveals that it is based on a modular framework that allows it to be updated further with new components with every new release.
It can connect to a hacker-controlled server using a secure connection. It allows the hacker controllers to execute arbitrary commands and infect the system with additional threats. In many cases advanced ransomware like this one can also deliver a Trojan instance that allows the hacker operators to constantly spy on the victims as well as take over control of their machines at any given time.
The GandCrab ransomware has also been observed to attempt to manipulate all accessible Windows components — the registry, boot and recovery options, as well as user configuration settings. Such behavior patterns are part of the persistent state initiation. When this step is complete the GandCrab ransomware can automatically monitor the users behavior and disallow manual user removal attempts. In such cases only a quality anti-spyware solution can restore the affected computers. During the data extraction the security researchers discovered that the malware engine generates a full system profile: IP address, hardware components, Microsoft Windows credentials, computer name, unique machine ID and others.
As the hackers have attained complete access to the machines they can retrieve data from user applications as well. Usually this is used with web browsers where the hackers obtain stored contents such as: form data, preferences, cookies, bookmarks, history, account credentials and passwords.
The fact that the virus is capable of interacting with the Windows Volume Manager. This step allows the ransomware component to freely access and process data found on connected removable storage devices and network shares.
A recent trend among criminals distributing viruses such as the GandCrab ransomware is the distribution of cryptocurrency miners. They are persistent malware that take advantage of the available system resources and utilize it to generate income for the hacker operators.
GandCrab Ransomware – Encryption Process
Once all have executed successfully the ransomware component is started. Like other famous malware strains it strives to process as many user files as possible. Most ransomware tend to impact the most widely used data including the following:
Images
Videos
Music
Backups
Documents
Databases
Configuration Files
As a result all processed files receive the .GDCB extension. It then shows a ransomware message crafted in a rich text file or shown as a lockscreen instance. If the second option is enabled then the users may not be able to interact with their computers until the threat is completely removed. One of the sample notes reads the following:
Welcome! WE ARE REGRET, BUT ALL YOUR FILES WAS ENCRYPTED!
AS FAR AS WE KNOW: Country OS PC User Pc Name PC Group PC Lang. HDD Date of encrypt Amount of your files Volume of your files
But don’t worry, you can return all your files! We can help you!
Below you can choose one of your encrypted file from your PC and decrypt him, it is test decryptor for you. But we can decrypt only 1 file for free.
ATTENTION! Don’t try use third-party decryptor tools! Because this will destroy yourr files!
What do you need?
You need GandCrab Decryptor. This software will decrypt all your encrypted files and will delete GandCrab from your PC. For purchase you need crypto-currency DASH (1 DASH = 760.567$). How to buy this currency you can read it here.
How much money you need to pay? Below we are specified amount and our wallet for payment
Price: 1.5 DASH (1200 USD)
This is the ransomware that expects a ransom payment in the DASH cryptocurrency. This is an alternative to Bitcoin, the hackers extort the victims for the sum of 1.5 — at the moment this is the equivalent of around $1150.
The users are blackmailed by being provided a trial decryptor, this tactic is used in order to manipulate the victims into paying the hacker operators. All users should know that they can effeciently remove the infection and restore their files by following our in-depth removal guide. Follow our instructions below.
GandCrab Ransomware – Affected Extensions
A thorough analysis was performed on several samples captured from the attacks. The security experts were able to extract the built-in list of target file type extensions. It encopasses a wide variety of target user files. It includes the following:
Along with this the malware includes a black list of folders and files that are skipped by the GandCrab ransomware engine:
\ProgramData\
\Program Files\
\Tor Browser\
Ransomware
\All Users\
\Local Settings\
desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
GDCB-DECRYPT.txt
.sql
Remove GandCrab Ransomware and Restore .GDCB Files
If your computer got infected with the GandCrab ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
GandCrab may remain persistent on your system and may re-infect it. We recommend you to download SpyHunter and run free scan to remove all virus files on your PC. This saves you hours of time and effort compared to doing the removal yourself.
Before starting the actual removal process, we recommend that you do the following preparation steps.
Make sure you have these instructions always open and in front of your eyes.
Do a backup of all of your files, even if they could be damaged. You should back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats.
Be patient as this could take a while.
Step 1: Boot Your PC In Safe Mode to isolate and remove GandCrab
OFFER
Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your PC with SpyHunter
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria
1. Hold Windows key()+ R
2. The “Run” Window will appear. In it, type “msconfig” and click OK.
3. Go to the “Boot” tab. There select “Safe Boot”, tick “Network” and then click “Apply” and “OK”.
Tip: Make sure to reverse those changes by unticking Safe Boot after that, because your system will always boot in Safe Boot from now on.
4. When prompted, click on “Restart” to go into Safe Mode.
5. You can recognise Safe Mode by the words written on the corners of your screen.
Step 2: Clean any registries, created by GandCrab on your computer.
The usually targeted registries of Windows machines are the following:
You can access them by opening the Windows registry editor and deleting any values, created by GandCrab there. This can happen by following the steps underneath:
1. Open the Run Window again, type “regedit” and click OK.
2. When you open it, you can freely navigate to the Run and RunOnce keys, whose locations are shown above.
3. You can remove the value of the virus by right-clicking on it and removing it.
Tip: To find a virus-created value, you can right-click on it and click “Modify” to see which file it is set to run. If this is the virus file location, remove the value.
Step 3: Find files created by GandCrab
For Windows 8, 8.1 and 10. For Windows XP, Vista, and 7.
For Newer Windows Operating Systems
1: On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.
2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
3: Navigate to the search box in the top-right of your PC’s screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be “fileextension:exe”. After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navination box to fill up in case the PC is looking for the file and hasn’t found it yet.
For Older Windows Operating Systems
In older Windows OS’s the conventional approach should be the effective one:
1: Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
2: After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
IMPORTANT! Before starting “Step 4”, please boot back into Normal mode, in case you are currently in Safe Mode. This will enable you to install and use SpyHunter 5 successfully.
Step 4: Scan for GandCrab with SpyHunter Anti-Malware Tool
1. Click on the “Download” button to proceed to SpyHunter’s download page.
It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
2. After you have installed SpyHunter, wait for it to update automatically.
3. After the update process has finished, click on the ‘Malware/PC Scan’ tab. A new window will appear. Click on ‘Start Scan’.
4. After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the ‘Next’ button.
If any threats have been removed, it is highly recommended to restart your PC.
Step 5 (Optional): Try to Restore Files Encrypted by GandCrab.
Ransomware infections and GandCrab aim to encrypt your files using an encryption algorithm which may be very difficult to decrypt. This is why we have suggested a data recovery method that may help you go around direct decryption and try to restore your files. Bear in mind that this method may not be 100% effective but may also help you a little or a lot in different situations.
1. Download the reccomended Data Recovery software by clicking on the link underneath:
2. On the download page, click on the “Download” button:
3. Click on “Save File” button:
4. Accept all agreements and click “Next”:
5. After all the “Next” steps, click on “Install” and then wait for the installation to complete:
6.Run the software. Click on the location to scan for missing or deleted files and click on “Scan”:
7. Wait for the scan to complete, it may take some time. Be advised that this scan is not 100% guaranteed to recover all files, but it does have some chance to get your data back:
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
GandCrab may remain persistent on your system and may re-infect it. We recommend you to download SpyHunter and run free scan to remove all virus files on your PC. This saves you hours of time and effort compared to doing the removal yourself.
Before starting the actual removal process, we recommend that you do the following preparation steps.
Make sure you have these instructions always open and in front of your eyes.
Do a backup of all of your files, even if they could be damaged. You should back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats.
Be patient as this could take a while.
Step 1: Boot Your PC In Safe Mode to isolate and remove GandCrab
OFFER
Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your PC with SpyHunter
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria
1. Hold Windows key()+ R
2. The “Run” Window will appear. In it, type “msconfig” and click OK.
3. Go to the “Boot” tab. There select “Safe Boot” and then click “Apply” and “OK”.
Tip: Make sure to reverse those changes by unticking Safe Boot after that, because your system will always boot in Safe Boot from now on.
4. When prompted, click on “Restart” to go into Safe Mode.
5. You can recognise Safe Mode by the words written on the corners of your screen.
Step 2: Clean any registries, created by GandCrab on your computer.
The usually targeted registries of Windows machines are the following:
You can access them by opening the Windows registry editor and deleting any values, created by GandCrab there. This can happen by following the steps underneath:
1. Open the Run Window again, type “regedit” and click OK.
2. When you open it, you can freely navigate to the Run and RunOnce keys, whose locations are shown above.
3. You can remove the value of the virus by right-clicking on it and removing it.
Tip: To find a virus-created value, you can right-click on it and click “Modify” to see which file it is set to run. If this is the virus file location, remove the value.
Step 3: Find files created by GandCrab
For Windows 8, 8.1 and 10. For Windows XP, Vista, and 7.
For Newer Windows Operating Systems
1: On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.
2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
3: Navigate to the search box in the top-right of your PC’s screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be “fileextension:exe”. After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navination box to fill up in case the PC is looking for the file and hasn’t found it yet.
For Older Windows Operating Systems
In older Windows OS’s the conventional approach should be the effective one:
1: Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
2: After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
IMPORTANT! Before starting “Step 4”, please boot back into Normal mode, in case you are currently in Safe Mode. This will enable you to install and use SpyHunter 5 successfully.
Step 4: Scan for GandCrab with SpyHunter Anti-Malware Tool
1. Click on the “Download” button to proceed to SpyHunter’s download page.
It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
2. After you have installed SpyHunter, wait for it to update automatically.
3. After the update process has finished, click on the ‘Malware/PC Scan’ tab. A new window will appear. Click on ‘Start Scan’.
4. After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the ‘Next’ button.
If any threats have been removed, it is highly recommended to restart your PC.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
GandCrab may remain persistent on your system and may re-infect it. We recommend you to download SpyHunter and run free scan to remove all virus files on your PC. This saves you hours of time and effort compared to doing the removal yourself.
Before starting the actual removal process, we recommend that you do the following preparation steps.
Make sure you have these instructions always open and in front of your eyes.
Be patient as this could take a while.
Step 1: Uninstall GandCrab and related software from Windows
OFFER
Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your PC with SpyHunter
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria
Here is a method in few easy steps that should be able to uninstall most programs.No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it. To do that:
1. Hold the Windows Logo Button and “R” on your keyboard. A Pop-up window will appear.
2. In the field type in “appwiz.cpl” and press ENTER.
3. This will open a window with all the programs installed on the PC. Select the program that you want to remove, and press “Uninstall”
Follow the instructions above and you will successfully uninstall most programs.
Step 2: Clean your Browsers from GandCrab.
Remove an extension from Mozilla FirefoxRemove an extension from Google Chrome Remove an extension from Internet Explorer Remove an extension from Microsoft Edge
1. Start Mozilla Firefox. Open the menu window
2. Select the “Add-ons” icon from the menu.
3. Select the unwanted extension and click “Remove“
4. After the extension is removed, restart Mozilla Firefox by closing it from the red “X” button at the top right corner and start it again.
1. Start Google Chrome and open the drop menu
2. Move the cursor over “Tools” and then from the extended menu choose “Extensions“
3. From the opened “Extensions” menu locate the unwanted extension and click on its “Remove” button.
4. After the extension is removed, restart Google Chrome by closing it from the red “X” button at the top right corner and start it again.
1. Start Internet Explorer: 2. Click on the gear icon labeled ‘Tools’ to open the drop menu and select ‘Manage Add-ons’
3. In the ‘Manage Add-ons’ window.
4. Select the extension you want to remove and then click ‘Disable’. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click ‘Disable’.
5. After the unwanted extension has been removed, restart Internet Explorer by closing it from the red ‘X’ button located at the top right corner and start it again.
1. Start Edge
2. Open the drop menu by clicking on the icon at the top right corner.
3. From the drop menu select “Extensions”.
4. Choose the suspected malicious extension you want to remove and then click on the gear icon.
5. Remove the malicious extension by scrolling down and then clicking on Uninstall.
Step 3: Clean any registries, created by GandCrab on your computer.
The usually targeted registries of Windows machines are the following:
You can access them by opening the Windows registry editor and deleting any values, created by GandCrab there. This can happen by following the steps underneath:
1. Open the Run Window again, type “regedit” and click OK.
2. When you open it, you can freely navigate to the Run and RunOnce keys, whose locations are shown above.
3. You can remove the value of the virus by right-clicking on it and removing it.
Tip: To find a virus-created value, you can right-click on it and click “Modify” to see which file it is set to run. If this is the virus file location, remove the value.
IMPORTANT! Before starting “Step 4”, please boot back into Normal mode, in case you are currently in Safe Mode. This will enable you to install and use SpyHunter 5 successfully.
Step 4: Scan for GandCrab with SpyHunter Anti-Malware Tool
1. Click on the “Download” button to proceed to SpyHunter’s download page.
It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
2. After you have installed SpyHunter, wait for it to update automatically.
3. After the update process has finished, click on the ‘Malware/PC Scan’ tab. A new window will appear. Click on ‘Start Scan’.
4. After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the ‘Next’ button.
If any threats have been removed, it is highly recommended to restart your PC.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
GandCrab may remain persistent on your system and may re-infect it. We recommend you to download Combo Cleaner and run free scan to remove all virus files on your Mac. This saves you hours of time and effort compared to doing the removal yourself.
Combo Cleaner’s scanner is free but the paid version is needed to remove the malware threats. Read Combo Cleaner’s EULA and Privacy Policy
Preparation Phase:
Before starting to follow the steps below, be advised that you should first do the following preparations:
Backup your files in case the worst happens.
Make sure to have a device with these instructions on standy.
Arm yourself with patience.
Step 1: Uninstall GandCrab and remove related files and objects
OFFER
Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your Mac with Combo Cleaner
Keep in mind, that Combo Cleaner needs to purchased to remove the malware threats. Click on the corresponding links to check Combo Cleaner’s EULA and Privacy Policy
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
2. Find Activity Monitor and double-click it:
3. In the Activity Monitor look for any suspicious processes, belonging or related to GandCrab:
Tip: To quit a process completely, choose the “Force Quit” option.
4. Click on the “Go” button again, but this time select Applications. Another way is with the ⇧+⌘+A buttons.
5. In the Applications menu, look for any suspicious app or an app with a name, similar or identical to GandCrab. If you find it, right-click on the app and select “Move to Trash”.
6. Select Accounts, after which click on the Login Items preference. Your Mac will then show you a list of items that start automatically when you log in. Look for any suspicious apps identical or similar to GandCrab. Check the app you want to stop from running automatically and then select on the Minus (“–“) icon to hide it.
7. Remove any left-over files that might be related to this threat manually by following the sub-steps below:
Go to Finder.
In the search bar type the name of the app that you want to remove.
Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.
In case you cannot remove GandCrab via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
Disclaimer! If you are about to tamper with Library files on Mac, be sure to know the name of the virus file, because if you delete the wrong file, it may cause irreversible damage to your MacOS. Continue on your own responsibility!
1. Click on “Go” and Then “Go to Folder” as shown underneath:
2. Type in “/Library/LauchAgents/” and click Ok:
3. Delete all of the virus files that have similar or the same name as GandCrab. If you believe there is no such file, do not delete anything.
You can repeat the same procedure with the following other Library directories:
→ ~/Library/LaunchAgents /Library/LaunchDaemons
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Remove GandCrab – related extensions from Safari / Chrome / Firefox
Remove an extension from Safari and reset it.Remove a toolbar from Google Chrome Remove a toolbar from Mozilla Firefox
1. Start Safari
2. After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
3. From the menu, click on “Preferences“
4. After that, select the ‘Extensions’ Tab
5. Click once on the extension you want to remove.
6. Click ‘Uninstall’
A pop-up window will appear asking for confirmation to uninstall the extension. Select ‘Uninstall’ again, and the GandCrab will be removed.
How to Reset Safari
IMPORTANT: Before resetting Safari make sure you back up all your saved passwords within the browser in case you forget them.
Start Safari and then click on the gear leaver icon.
Click the Reset Safari button and you will reset the browser.
1. Start Google Chrome and open the drop menu
2. Move the cursor over “Tools” and then from the extended menu choose “Extensions“
3. From the opened “Extensions” menu locate the add-on and click on the garbage bin icon on the right of it.
4. After the extension is removed, restart Google Chrome by closing it from the red “X” in the top right corner and start it again.
1. Start Mozilla Firefox. Open the menu window
2. Select the “Add-ons” icon from the menu.
3. Select the Extension and click “Remove“
4. After the extension is removed, restart Mozilla Firefox by closing it from the red “X” in the top right corner and start it again.
Step 3: Scan for and remove GandCrab files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as GandCrab, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Здравейте, Дарина, подробна информация за конкретната заплаха е подробно изложена в тази статия. В последната част посочваме конкретни стъпки за премахването на наличните инфекции. Поздрави, Мартин
Documentos encriptados con extencion GDCB, como puedo abrir mis documentos infectados (encriptados), que debo hacer algun programa o forma de recuperar.
Siamo stati colpiti dal virus, abbiamo già pagato la licenza spyhunter ma non abbiamo ottenuto risultati. I file continuano ad essere criptati. Cosa posso fare per risolvere? Grazie
The program you have used is an anti-malware program. As stated in the article, it removes the ransomware so that it doesn’t spread further to more computers, but it doesn’t work as a decryption tool. Unfortunately, there still isn’t an official decryption tool for GandCrab ransomware but you may try using data recovery software.
GandCrab is not a single ransomware strain but a whole family of similar threats that share a singe malware engine identified with this signature. Due to its complex nature there is no complete decryption tool that can effectively recover the affected data.
This is the reason we propose that you attempt to recover your files using this guide.
Me han encriptado los archivos con una extensión .OAFCHZES. La herramienta de bitdefender lamentablemente no me ha funcionado. Según la nota del rescate en el encabezado aparece –= GANDCRAB V5.0.4 =—
И сега как да си изчистя компа?
Здравейте, Дарина, подробна информация за конкретната заплаха е подробно изложена в тази статия. В последната част посочваме конкретни стъпки за премахването на наличните инфекции.
Поздрави,
Мартин
Documentos encriptados con extencion GDCB, como puedo abrir mis documentos infectados (encriptados), que debo hacer algun programa o forma de recuperar.
Siamo stati colpiti dal virus, abbiamo già pagato la licenza spyhunter ma non abbiamo ottenuto risultati. I file continuano ad essere criptati. Cosa posso fare per risolvere? Grazie
Hi Irene,
The program you have used is an anti-malware program. As stated in the article, it removes the ransomware so that it doesn’t spread further to more computers, but it doesn’t work as a decryption tool. Unfortunately, there still isn’t an official decryption tool for GandCrab ransomware but you may try using data recovery software.
Miilena and Irene, Help me if you got the tools for decrypting
Hello Vinayak,
GandCrab is not a single ransomware strain but a whole family of similar threats that share a singe malware engine identified with this signature. Due to its complex nature there is no complete decryption tool that can effectively recover the affected data.
This is the reason we propose that you attempt to recover your files using this guide.
Hi, Let me know if any tool works for decrypting the files.As it has encrypted most of the Pictures and videos in my pc.
Me han encriptado los archivos con una extensión .OAFCHZES.
La herramienta de bitdefender lamentablemente no me ha funcionado.
Según la nota del rescate en el encabezado aparece –= GANDCRAB V5.0.4 =—
Os agradecería opinión
Gracias. Saludos