GANDCRAB 5.0.7 Ransomware – How To Remove It

This article explains what GandCrab 5.0.7 ransomware is, how to remove it from your PC and how to try to restore files encrypted by it.

A transition version of the notorious GandCrab ransomware virus, called GandCrab 5.0.7, has been reported to have become active and to infect users. Malware researcher Marcelo Rivero, who found the strain, claims the virus has a different ransom message than conventional GandCrab v5.0 variants. The virus belongs to the ransomware type, meaning GandCrab aims to encrypt the files on the computers infected by it and then leave a ransom note named with the extension of the encrypted files and the suffix “-DECRYPT.TXT”. The end goal of this malware is to get victims to pay a ransom to the cyber-criminals behind it in order to be able to use their files again. If your computer has been infected by this instance of GandCrab ransomware, we suggest that you read the following article, as it explains more about GandCrab 5.0.7 and aims to show how to remove it and how you can attempt to recover encrypted files by yourself.

Threat Summary

Name: GANDCRAB 5.0.7
Type: Ransomware, Cryptovirus
Short Description: The GandCrab 5.0.7 ransomware encrypts files on your computer system and demands a ransom to be paid to decode them.
Symptoms: The ransomware will encrypt your files, adding a 7-letter random file suffix, and leave a ransom note with payment instructions.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

GandCrab Ransomware – Update February 2019

Update! February 2019 brings good news as malware researchers from BitDefender have released a new version for their GandCrab Decryption tool, which is available from the link leading to the BitDefender GandCrab 5.1 Decryptor.

GANDCRAB 5.0.7 – Distribution Methods

There is more than one method used for the distribution of GANDCRAB 5.0.7 ransomware. Since the virus is a variant of the GandCrab ransomware family, one of the infection methods detected so far is compromised game cracks downloaded from torrent sites, like fake versions of Pirate Bay and many other sites that are risky to visit. In addition to this, the virus may also imitate other often-downloaded types of programs, like:

  • Portable versions of programs.
  • Activation software.
  • Key generators.
  • Setups of programs.

These seemingly legitimate files are usually uploaded on websites that may either be compromised or supported by the malware authors of GANDCRAB 5.0.7 virus.

In addition to this, another method of replication that may be used by this variant of GANDCRAB ransomware is the more aggressive spam e-mail tactic. These e-mails aim to convince users that the files attached to them are completely legitimate, safe to open and, above all, important. They often pose as invoices or receipts coming from big companies, like PayPal, DHL, FedEx, eBay, Amazon and other big names, to increase their credibility.

GANDCRAB 5.0.7 Ransomware – Activity

Once the payload of GANDCRAB 5.0.7 is dropped on the victims’ computers, the ransomware may conduct a series of malicious activities that end with file encryption. For starters, GANDCRAB 5.0.7 drops its primary payload:

→ MD5: cd374fa30f9e9dc2adbc06aa08a8a89a
Name: 9.exe
Size: 139.28 KB

Besides the payload of the virus, other forms of unwanted files and modules may also be created in the following Windows directories:

  • %AppData%
  • %Local%
  • %Roaming%
  • %Temp%

Among the files dropped on the compromised computer, the ransomware may also drop its main note file, which has the following ransom message:

—= GANDCRAB V5.0.7 =—



All your files, documents, photos, databases and other important files are encrypted and have the extension:

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:


| 0. Download Tor browser –

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/371525fbc2a9ddd2
| 4. Follow the instructions on this page


On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.


The ransom note of this virus aims to take users to the main TOR web page of GANDCRAB ransomware which looks like the following:

In addition to this, GANDCRAB 5.0.7 ransomware also changes the wallpaper of the infected computer to the following image:

The virus may also perform other malicious activities on the infected computers, such as:

  • Log the victim’s keystrokes.
  • Create mutexes.
  • Take screenshots.
  • Modify the application directory.
  • Add a file to open the next time Word is launched.
  • Touch system files of Windows.
  • Create a process with a hidden window.
  • Write an unusually large amount of data to the registry.
  • Try to detect a virtual machine.
  • Read data related to browser cookies.
  • Steal files and information on the victim PC.

GANDCRAB 5.0.7 Ransomware – Encryption Process

The main encryption algorithm used by GandCrab ransomware is called Salsa20 and it is one of the fastest algorithms out there. The virus may encrypt files either by creating copies of them, encrypting the copies and deleting the original unencrypted versions, or by encrypting the files directly. Either way, once encryption is complete the files appear with a random 7-letter file extension.

GandCrab ransomware may scan only for files that are used on a very regular basis, such as:

  • Videos.
  • Documents.
  • Images.
  • Databases.
  • Archives.
  • Shadow Copies.
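
The indicators given in this article (the payload MD5, the drop directories, the “-DECRYPT.TXT” note name and the 7-letter extension) can be checked together on a suspect machine. The following is an added example, not part of the original article or of any vendor tool; the function names, the 1 MiB hashing cap and the mapping of the listed directories to the APPDATA, LOCALAPPDATA and TEMP variables are assumptions.

```python
import hashlib
import os
import re

# MD5 of the primary payload (9.exe) as listed in this article.
PAYLOAD_MD5 = "cd374fa30f9e9dc2adbc06aa08a8a89a"
# Note name per this article: <7-letter extension>-DECRYPT.txt (case-insensitive).
NOTE_RE = re.compile(r"^([a-z]{7})-DECRYPT\.txt$", re.IGNORECASE)
# Assumption: hash only files up to 1 MiB (the listed payload is 139.28 KB).
MAX_HASH_BYTES = 1 << 20


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def triage(roots, payload_md5=PAYLOAD_MD5):
    """Return sorted paths of payload matches, ransom notes and encrypted files."""
    payload, notes, seen, exts = set(), set(), set(), set()
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):  # unreadable dirs are skipped
            for name in names:
                path = os.path.join(dirpath, name)
                seen.add(path)
                m = NOTE_RE.match(name)
                if m:
                    notes.add(path)
                    exts.add("." + m.group(1).lower())  # extension the note refers to
                    continue
                try:
                    if (os.path.getsize(path) <= MAX_HASH_BYTES
                            and md5_of(path) == payload_md5):
                        payload.add(path)
                except OSError:
                    pass  # locked or unreadable file
    encrypted = {p for p in seen if os.path.splitext(p)[1].lower() in exts}
    return {"payload": sorted(payload), "notes": sorted(notes),
            "encrypted": sorted(encrypted)}


if __name__ == "__main__":
    # Directories named in this article, resolved from standard Windows variables.
    roots = [os.environ[v] for v in ("APPDATA", "LOCALAPPDATA", "TEMP") if v in os.environ]
    for kind, paths in triage(roots).items():
        print(f"{kind}: {len(paths)}", *paths, sep="\n    ")
```

A hit in "notes" without a hit in "payload" is still a positive finding, since a single MD5 only matches that exact sample.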

Remove GANDCRAB 5.0.7 and Try to Restore Your Data

If you are a victim of GANDCRAB v5.0.7 ransomware, you should get rid of this ransomware as quickly as possible before it replicates on other devices and infects them. You should remove the ransomware virus, preferably by following the manual or automatic removal steps underneath. They have been made with the main goal of helping you detect and delete the virus files of GandCrab either manually or automatically. For best results, it is highly advisable to download and run a scan with a reputable anti-malware program. Such software aims to detect and remove all GandCrab 5.0.7-related files and objects automatically and also aims to ensure future threat protection.

If you want to recover files encrypted by this GandCrab 5.0.7 variant, we would advise you to follow the file recovery methods below. We have created them to help users try to restore as many files as possible, although the methods come with no 100% guarantee to work.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
