.krab Files Virus (GANDCRAB V4.1) – How to Remove + Restore Data

This article explains what the updated GandCrab v4.1 ransomware version is, how to remove it from your computer and how you can restore files encrypted with the .krab file extension.

An updated version of the recently released version 4 of the GandCrab ransomware has been detected by security researchers. The ransomware encrypts files and adds the .krab file extension in lowercase letters, unlike the previous v4 variant, which used the same suffix in capital letters. The ransomware still uses the very same strong encryption algorithm and, after encoding the files, the virus adds the krab-decrypt.txt ransom note to the encoded files. What is particularly interesting about the malicious file of this ransomware is that it uses an .exe file for its infection to take place. More information on this GandCrab v4.1 version, its removal and the recovery of files it has encrypted is available in our research article underneath.

Threat Summary

Name: GandCrab v4.1
Type: Ransomware, Cryptovirus
Short Description: Version of GandCrab ransomware. Encrypts the files, making them unable to be opened and asks victims to pay ransom in the DASH cryptocurrency to get the files to work again.
Symptoms: The GANDCRAB V4.1 virus leaves the files with the .krab file extension and drops a ransom note, called krab-decrypt.txt.
Distribution Method: Spam Emails, Email Attachments, Executable files

GANDCRAB – Update October 2018 – Free Decryption is Now Available

Researchers have successfully made a breakthrough with GandCrab ransomware and have developed a decryption tool for all versions of GandCrab ransomware. Following these developments, we have published instructions on how to decrypt GandCrab encrypted files for free, which you can find in the related article below:

Related: GandCrab Ransomware – Decryption Instructions

GandCrab v4.1 .krab Ransomware – Information Database:

GandCrab v4.1 (.krab) Ransomware – How Does It Infect

The main method of infection of the 4.1 version of GandCrab ransomware is reported by automated analyzer VMRay to be an .exe file, with the following main indicator of compromise (IOC):

8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1 (SHA256)
Jeremy Witt’s Dental Records.exe

The file is similar to the executable detected in association with the v4 GandCrab variant, where the .exe file posed as a fake crack for software, such as Image to PDF converters or other licensed versions of programs. These programs were uploaded to suspicious websites with low reputation, but as the name “Jeremy Witt’s Dental Records.exe” suggests, the file may be automatically generated on a fake dental records database website, which the victim downloads while believing these are actually the dental records. Not only this, but the ransomware also still uses similar exploits, like SMB v1, and preys on users who lack the MS17-010 patch on their operating systems.

In addition to an .exe type of file, this malware may also be spread via other means, including spammed e-mail messages which may carry malicious e-mail attachments. The e-mails may contain deceptive messages that point out that the attachment is an important type of file, like an invoice, receipt or other form of document.
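A read-only sweep for the indicators this article names (the dropper's SHA256, the .krab suffix and the krab-decrypt.txt note) can confirm whether a machine or share is affected. This is an added example, not code from the original article; the directory tree built in demo() is constructed, and its stand-in hash is not a real indicator.

```python
import hashlib
import os
import tempfile

# Indicators quoted in the article.
DROPPER_SHA256 = "8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1"
ENCRYPTED_SUFFIX = ".krab"        # compared case-insensitively, so v4's .KRAB also matches
RANSOM_NOTE = "krab-decrypt.txt"


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, known_hashes=(DROPPER_SHA256,)):
    """Walk root and return paths grouped as dropper / encrypted / notes."""
    hits = {"dropper": [], "encrypted": [], "notes": []}
    wanted = {h.lower() for h in known_hashes}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path, lowered = os.path.join(folder, name), name.lower()
            if lowered == RANSOM_NOTE:
                hits["notes"].append(path)
            elif lowered.endswith(ENCRYPTED_SUFFIX):
                hits["encrypted"].append(path)
            elif lowered.endswith(".exe"):
                try:
                    if sha256_of(path) in wanted:
                        hits["dropper"].append(path)
                except OSError:
                    continue  # locked or unreadable file: skip it
    return hits


def demo():
    """Sweep a constructed directory tree; returns hit counts for two runs."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.docx.krab", "KRAB-DECRYPT.txt", "notes.txt", "setup.exe"):
            with open(os.path.join(docs, name), "wb") as handle:
                handle.write(b"constructed sample data")
        stand_in = sha256_of(os.path.join(docs, "setup.exe"))  # stand-in hash, not a real IOC
        counts = lambda hits: {kind: len(paths) for kind, paths in hits.items()}
        return counts(sweep(root)), counts(sweep(root, known_hashes=(stand_in,)))
```

Call sweep() on a real folder or mounted share to get the matching paths; only .exe files are hashed, which keeps the walk fast on large trees.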

GandCrab V4.1 (.krab) Virus – Activity Report

Once the 4.1 version of GandCrab has infected your computer, the malware drops its malicious payload on the victim’s computer with the following permissions:

  • {random name}.lock with Access permissions.
  • krab-decrypt.txt with Access and Write permissions
  • A lot of randomly named .lock files with Access and Write permissions created in most commonly used folders.

Besides these files, the ransomware begins modifications in the %SystemDrive% directory as it attacks the following directories and tampers with the system files in them:

→ C:\bootmgr
C:\Program Data
C:\System Volume Information
C:\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\{random number}

In those directories, the GandCrab v4 ransomware goes to great lengths to create a lot of .lock files, which are likely related to the folders targeted for encryption, since it goes through all of the sub-folders in those directories to create them. These files are believed to be related to the encryption process and, more importantly, to be the decryption keys themselves, which are likely different for every folder.

The GandCrab v4.1 also heavily attacks the Windows Registry Editor where the ransomware creates multiple different registry value entries with Access, Read and Write permissions. The registry sub-keys which are attacked are the following:

→ HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Keyboard Layout\Preload
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

So far, by the looks of it, GandCrab v4.1 has been created by someone with extensive knowledge on how to remotely tamper with Windows machines.

The ransom note of GandCrab v4.1 is created in almost every folder where files are encrypted, so that it is hard not to see it. What is interesting is that the 7.86 kb ransom note file is also in the Recycle Bin, which further shows the great extent to which the makers of this ransomware want you to know of its presence. The ransom note may still contain the very same GandCrab extortion message, this time starting with the 4.1 variant:

–= GANDCRAB V4.1 =—
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase a unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: ***
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

The ransom note leads victims to GandCrab’s Tor web page, where an even higher ransom payment in the DASH cryptocurrency ($1200) is demanded of them, as researcher Kevin Beaumont reports on DoublePulsar:

Source: DoublePulsar.com

For the moment, it is not clear whether or not GandCrab v4.1 deletes the shadow copies, but it is very likely that the virus uses the following commands to erase them:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
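Whether or not this variant runs them, the commands listed above are worth alerting on. The following added example (not from the original article) matches them in process-creation command lines and grades each host; the event lines, host names and rule names are constructed for illustration.

```python
import re

# Patterns built from the commands listed in the article; rule names are ours.
SERVICES = r"VVS|VSS|wscsvc|WinDefend|wuauserv|BITS|ERSvc|WerSvc"  # VVS as printed; VSS is the shadow copy service
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("service_stop", re.compile(r"\bsc(\.exe)?\s+stop\s+(" + SERVICES + r")\b", re.I)),
]
TAMPERING = {"shadow_copy_delete", "recovery_disabled", "boot_failures_ignored"}

# Constructed sample: "<timestamp> <host> <command line>" per process-creation event.
SAMPLE_EVENTS = r"""
2018-07-20T10:01:02 WS-014 sc stop wuauserv
2018-07-20T10:01:03 WS-014 sc stop WinDefend
2018-07-20T10:01:05 WS-014 cmd.exe /C bcdedit /set {default} recoveryenabled No
2018-07-20T10:01:06 WS-014 "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
2018-07-20T10:07:40 WS-022 sc stop BITS
2018-07-20T10:09:11 WS-031 vssadmin.exe list shadows
"""


def match_rules(command_line):
    """Return the names of all rules that match one command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def triage(events_text):
    """Group rule hits per host and grade each host as 'high' or 'low'."""
    per_host = {}
    for line in events_text.strip().splitlines():
        _timestamp, host, command_line = line.split(" ", 2)
        for name in match_rules(command_line):
            per_host.setdefault(host, set()).add(name)
    # A single stopped service is common admin activity; any tampering with
    # shadow copies or boot recovery is graded high.
    verdicts = {host: "high" if names & TAMPERING else "low"
                for host, names in per_host.items()}
    return verdicts, per_host


if __name__ == "__main__":
    for host, grade in triage(SAMPLE_EVENTS)[0].items():
        print(host, grade)
```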

GandCrab v4.1 – Encryption Report

The encryption used by this variant of GandCrab ransomware is quite different from the standard RSA+AES RC4 encryption mode. The virus now uses the Salsa20 cipher, developed by Daniel J. Bernstein and released back in 2007. With key sizes of 256 bits, this cipher is built from a combination of XOR and ARX operations. This gives the crooks the benefit of locking the files so that they may not be easily decryptable, even by professionals.

The virus looks for different types of important files, giving priority to Microsoft Access database files and Microsoft Outlook files. The ransomware also goes to great lengths to avoid encrypting important Windows files, so that you can still use your PC to pay the ransom online in the cryptocurrency DASH. Files encrypted by GandCrab v4.1 have the .krab file extension appended after their original one and start to appear like the following:

How to Remove GandCrab V4.1 Ransomware and Try to Restore .krab Files

GandCrab v4.1 ransomware is not one of those threats that you should underestimate if you want to remove it. For maximum effectiveness of the removal process of this ransomware, it is strongly recommended that you follow either the manual or automatic removal process underneath. But be careful and follow the manual removal only if you have some malware removal experience. Other than that, as security experts often advise, it is recommended that you download an advanced anti-malware program which will take care of the removal of GandCrab v4.1 for you automatically plus ensure that your PC remains protected in the future as well.

Be advised that if you want to try and restore your encrypted files, we have prepared some theoretical alternatives in step “2. Restore files, encrypted by GandCrab v4.1” underneath. They may not work with 100% effectiveness but might help you recover at least some of your encrypted files, which is still better than paying ransom to cyber-criminals.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
