GANDCRAB 5.0.5 Ransomware - How to Remove It (+Restore Files)


This article has been created to explain what the GANDCRAB 5.0.5 ransomware virus is and how you can remove it from your computer. It also aims to show how you can try to restore files encrypted by GANDCRAB 5.0.5 ransomware.

Shortly after free decryption for GandCrab ransomware was discovered and users were able to decode files encrypted by all of the virus’s versions released up to that point, the GANDCRAB team released yet another version: GANDCRAB 5.0.5. This variant has several improvements over the old one, the main one being that it cannot be decrypted for free at this point. If your computer has been infected by the 5.0.5 variant of GANDCRAB ransomware, read on: this article shows how you can remove GANDCRAB 5.0.5 and how you can try to restore your encrypted files.

Threat Summary

Name: GANDCRAB 5.0.5
Type: File Encryption Ransomware
Short Description: A new iteration of the GANDCRAB virus family. Encrypts files and then asks victims to pay in DASH or Bitcoin to get them working again.
Symptoms: Encrypts documents, images, videos and other important files, adds a random file suffix and drops its ransom note in the following name format: {5-letter extension}-DECRYPT.txt.
Distribution Method: Spam emails, email attachments, executable files
Detection Tool: See if your system has been affected by GANDCRAB 5.0.5 (malware removal tool)
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

GandCrab Ransomware – Update February 2019

Update! February 2019 brings good news as malware researchers from BitDefender have released a new version for their GandCrab Decryption tool, which is available from the link leading to the BitDefender GandCrab 5.1 Decryptor.

GANDCRAB 5.0.5 – Spread

To spread on a massive scale, GANDCRAB 5.0.5 may be sent directly to victims or left waiting to be downloaded and executed. If sent directly to victims, the file that begins the infection process may arrive as an e-mail attachment. Such attachments often pretend to be various types of seemingly legitimate documents, such as:

  • Invoices for purchases.
  • Receipts for purchases.
  • Important documents from your bank.

In addition, the GANDCRAB 5.0.5 ransomware may also be spread by being uploaded to suspicious websites whose primary goal is to deceive the victim into believing they are legitimate software download sites. The malicious files hosted there may be disguised as whatever the user is trying to download, for example:

  • Software license activators.
  • Cracks.
  • Patches.
  • Key generators.

GANDCRAB 5.0.5 – Activity

The main malicious file of GandCrab version 5.0.5 has been reported by researcher Marcelo Rivero at VirusBay to have the following hashes:

→ MD5:c805528f6844d7caf5793c025b56f67d
SHA-1: 39efa47a0257ff3f6239838529e1cab84f7864c6
SHA-256: a81d350afaf97cc038b3f20b46d4757150d7854df5e56780326f91bc7d4fd215

The malicious file may spawn two main .exe files, whose primary purpose is to obtain administrative privileges on the victim’s computer and execute the following Windows commands as an administrator:

→ wmic.exe shadowcopy delete
cmd.exe /c timeout -c 5 & del "C:\Windows\System32\wermgr.exe" /f /q
timeout.exe -c 5

Soon after this, the malware drops its ransom note, which is similar to those of other GANDCRAB variants: its name starts with the file extension and ends in “-DECRYPT.txt”. The ransom note of GANDCRAB 5.0.5 contains the following message:

GandCrab 5.0.5’s ransom note:

—= GANDCRAB V5.0.5 =—
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser –
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/{victim’s unique ID}
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

In addition to its ransom note, GANDCRAB 5.0.5 also changes the wallpaper on the victim’s computer by creating an image in the %Temp% directory and setting it as the wallpaper. The image looks like the following:

Both the ransom note and the wallpaper aim to convince victims to go to GANDCRAB’s new Tor web page, which looks like the following:

If the payment isn’t made until Pdate{, the cost of decrypting files will be doubled
Countdown to double price: Time is up. Price is doubled!
What’s the matter?
Your computer has been infected with GandCrab Ransomware.
All your files have been encrypted and you are not able to decrypt it by yourself.
To decrypt your files you have to buy GandCrab decryptor
The price is – 800 USD
What can I do to get my files back?
You should buy our software GandCrab Decryptor. It will scan your PC, network share, all connected devices and check for encrypted files and decrypt it. Current price: 800 USD. We accept cryptocurrency DASH and Bitcoin
What guarantees can you give me?
To be sure we have the decryptor and it works you can use free decrypt and decrypt one file for free.
But this file must be an image, because images usually are not valuable.
I don’t have Bitcoin (BTC) or DASH (DSH). How can I make the payment?
Easy. The list of the most popular exchange services:

The full list of exchange services for Bitcoin here and for DASH here.
Create an account
Charge the balance with a credit card or paypal
Buy requested amount of coins (Bitcoin or DASH)
Make withdrawal to our address.

After this, the virus may also begin to heavily modify the Windows Registry. The malware does so by interfering with the following sub-keys:

→ HKEY_CURRENT_USER\Control Panel\International
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

In addition, GANDCRAB 5.0.5 may also perform a series of actions that stop security and backup-related services, disable Windows recovery and delete the shadow volume copies that could be used to restore files, by executing the following commands as an administrator in the Windows Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
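As an added example (not code from the article or its author), a small triage routine that runs over constructed process-creation log lines and flags the shadow-copy deletion, recovery-disabling and service-stop commands listed above. The event layout, the pid values and the rule names are assumptions; the flagged command strings mirror the article's list, and the real VSS service name is added beside the "VVS" spelling printed there.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# The first four mirror commands the article lists; the last two are benign noise.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmd": "wmic.exe shadowcopy delete"},
    {"pid": 4122, "cmd": "cmd.exe /C bcdedit /set {default} recoveryenabled No"},
    {"pid": 4123, "cmd": "sc stop WinDefend"},
    {"pid": 4130, "cmd": '"C:\\Windows\\System32\\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'},
    {"pid": 5001, "cmd": "svchost.exe -k netsvcs -p -s BITS"},
    {"pid": 5002, "cmd": "sc query WinDefend"},
]

# Service names from the article's "sc stop" list (VVS kept as printed) plus the real VSS name
STOPPED_SERVICES = r"(VVS|VSS|wscsvc|WinDefend|wuauserv|BITS|ERSvc|WerSvc)"

# Rule name -> case-insensitive pattern tolerant of ".exe" suffixes and extra whitespace
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("security_service_stop",
     re.compile(r"\bsc(\.exe)?\s+stop\s+" + STOPPED_SERVICES + r"\b", re.I)),
]

def classify(cmdline):
    """Names of every rule the command line triggers; an empty list means nothing suspicious."""
    return [name for name, pat in RULES if pat.search(cmdline)]

def triage(events):
    """Map pid -> triggered rule names, keeping only events an analyst should look at."""
    hits = {}
    for ev in events:
        names = classify(ev["cmd"])
        if names:
            hits[ev["pid"]] = names
    return hits

if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

Any one of these rules firing on a workstation is worth an immediate look, since the same commands precede encryption in many other ransomware families as well.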

GANDCRAB 5.0.5 – Encryption Process

In order to encrypt the files on the infected computer, GANDCRAB claims to use a combination of Salsa20 encryption for the files and RSA encryption for the keys. The virus targets the following types of files in its encryption process:

→ .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach,.acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx,.asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp,.blend,.bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn,.cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv,.d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des,.design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb,.eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho,.gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_,.ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit,.litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw,.mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw,.msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb,.nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost,.otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef,.pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx,.pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, 
.pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst,.ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm,.rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3,.sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf,.sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx,.vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx,.xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

While encrypting files, GANDCRAB 5.0.5 ransomware skips encrypting data in the following Windows directories:

→ \ProgramData\
\Program Files\
\Tor Browser\
\All Users\
\Local Settings\
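As an added example, not part of the original article, a triage script that uses the ransom note naming pattern ({5 letters}-DECRYPT.txt) to learn the extension this variant appended and then lists the affected files, pruning the directories the article says the encryptor skips. The sample tree, the extension “qwxyz” and the function names are constructed assumptions.

```python
import os
import re
import tempfile

# Ransom note name format given in the article: {5-letter extension}-DECRYPT.txt
NOTE_RE = re.compile(r"^([A-Za-z]{5})-DECRYPT\.txt$")
# Directories the article lists as skipped by the encryptor; pruning them keeps the scan short
SKIPPED_DIRS = {"ProgramData", "Program Files", "Tor Browser", "All Users", "Local Settings"}

def _walk(root):
    """os.walk that prunes the directories the ransomware itself leaves alone."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIPPED_DIRS]
        yield dirpath, filenames

def find_note_extension(root):
    """Lower-cased extension named by the first ransom note found under root, or None."""
    for _dirpath, filenames in _walk(root):
        for fn in filenames:
            m = NOTE_RE.match(fn)
            if m:
                return m.group(1).lower()
    return None

def inventory(root, ext):
    """Sorted root-relative paths of files carrying the suffix .<ext> (case-insensitive)."""
    suffix = "." + ext.lower()
    hits = []
    for dirpath, filenames in _walk(root):
        for fn in filenames:
            if fn.lower().endswith(suffix):
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def build_sample_tree():
    """Constructed victim-like tree using the made-up extension 'qwxyz' (sample data only)."""
    root = tempfile.mkdtemp(prefix="gc_sample_")
    files = [
        "Documents/report.docx.qwxyz",
        "Documents/QWXYZ-DECRYPT.txt",           # note stem is upper-case, suffix is lower-case
        "Pictures/holiday.jpg.qwxyz",
        "Pictures/notes.txt",                    # left untouched
        "Program Files/app/settings.ini.qwxyz",  # inside a directory the encryptor skips
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root
```

The resulting list is the set of files to keep untouched (and backed up) until a decryptor for this version becomes available.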

After GANDCRAB 5.0.5 ransomware encrypts the files on the victim’s computer, the ransomware virus may leave them looking like the following:

Remove GANDCRAB 5.0.5 and Try Restoring Encrypted Files

GANDCRAB 5.0.5 is not the type of virus you would want to underestimate. This is why we recommend that you back up your files before removing it.

Related: Safely Store Your Important Files and Protect Them from Malware

If you want to remove the GANDCRAB 5.0.5 ransomware virus, we advise you to follow the removal instructions below. They are divided into automatic and manual removal, so that if manual removal does not work out for you, you can try automatic removal. Be advised that, according to security professionals, the most effective approach to removing GANDCRAB 5.0.5 is to scan your PC with an advanced anti-malware program. Such software scans your computer, removes all traces of this ransomware and helps ensure that your machine is protected against future infections as well.

To try to recover files encrypted by GANDCRAB ransomware, we advise you to look at the alternative recovery methods in step “4. Try to Restore files, encrypted by GANDCRAB 5.0.5” in the accordion underneath. They contain different methods that may help you recover your files, though none of them is guaranteed to work. In the meantime, you can also check the SensorsTechForum decryptors page, where we will publish any decryptor for GANDCRAB 5.0.5, or keep checking this page, as we will update it when and if a decryptor is released.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
