GANDCRAB 5.1.5 Ransomware – How to Remove It

This blog post is made to help you understand exactly what the GANDCRAB 5.1.5 ransomware virus is, how you can remove this threat from your PC, and how to try to recover your files.

A new variant of GANDCRAB ransomware has been detected, identified by its version number, 5.1.5. GANDCRAB 5.1.5 belongs to the GandCrab ransomware family of viruses. It aims to lock you out of your personal documents, videos, images and other files and then sets a random file extension on them. The end goal is for you to pay the criminals behind this virus a ransom in BitCoin or ZCash in order for them to grant you access back to your own files. If your computer has been affected by GANDCRAB 5.1.5 ransomware, we suggest that you read this article thoroughly.

Threat Summary

Name: GANDCRAB 5.1.5
Type: Ransomware
Short Description: Version 5.1.5 of GANDCRAB ransomware. Encrypts your data and holds it hostage for ransom payment.
Symptoms: Your files become encrypted, with 7 random letters added as a file extension after their original one. A ransom note named with that file extension followed by “-DECRYPT.txt” is dropped, containing the ransom message of GANDCRAB.
Distribution Method: Spam Emails, Email Attachments, Executable files
Detection Tool: See If Your System Has Been Affected by GANDCRAB 5.1.5 (Download Malware Removal Tool)
User Experience: Join Our Forum to Discuss GANDCRAB 5.1.5.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

GANDCRAB 5.1.5 – How Does It Infect

When it comes to infection, GANDCRAB 5.1.5 ransomware may use several different tactics to infect its victims’ PCs. One of them is to pass off a file uploaded online as legitimate and trick users into downloading and executing it. The files most often used for this sort of infection procedure are the following:

  • Portable versions of programs.
  • Activation software.
  • Key generators.
  • Setups of programs.

These types of files can usually be encountered on multiple different websites, like torrent sites and compromised web pages of legitimate sites.

Another method of infection used by GandCrab 5.1.5 ransomware is to spread its payload in the form of a document that only seems legitimate. This is usually done via e-mail, with the attachment imitating invoices, receipts and other files that appear legitimate but may have malicious macros embedded in them.

GANDCRAB 5.1.5 Virus – What Does It Do

When you have become infected by the 5.1.5 version of GandCrab, you will know it. This is because the virus first drops and executes its primary payload file, which has the following identification:

→ SHA256: b36c91065db430ce667ffc2d64149ccc45e6abf0df1cc11265f657b2a34f5677
Name: 5.exe
Size: 139.36 KB

In addition to the main malicious file of this virus, other modules (.dll, .tmp, .bat, etc.) may also be dropped in the following Windows system directories:

  • %AppData%
  • %Local%
  • %Roaming%
  • %Temp%

Among the files dropped is also the -DECRYPT.txt ransom note of GANDCRAB 5.1.5 ransomware, whose name includes the file extension used by this virus. The note has the following message to victims:

—= GANDCRAB V5.1.5 =—

UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension:

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

—————————————————————————————–

| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/371525fbc2a9ddd2
| 4. Follow the instructions on this page

—————————————————————————————–

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

The ransom note of this virus aims to take users to the main TOR web page of GANDCRAB ransomware which looks like the following:

Furthermore, GANDCRAB Ransomware does not stop there, as the virus also changes your wallpaper to a shortened version of the ransom note:

In addition to this, GANDCRAB 5.1.5 ransomware may also perform the following actions on the compromised computers:

  • Delete the Volume Shadow Copies.
  • Touch or modify Windows system files.
  • Change registry entries.
  • Create scheduled tasks.
  • Disable backup and recovery services.

GANDCRAB 5.1.5 – Encryption

For encryption, GANDCRAB 5.1.5 ransomware uses the Salsa20 stream cipher, and it may combine it with the RSA public-key cipher to encrypt the Salsa20 key. The virus encrypts only blocks of data within each file, which is enough to make the file unreadable, rather than the whole file, so that the process is fast.

GANDCRAB 5.1.5 ransomware targets the following files for encryption:

  • Videos.
  • Images.
  • Databases.
  • Documents.
  • Archives.

After the files are encrypted, GANDCRAB 5.1.5 adds a 7-random-letter extension to the end of each file name, and the same letters are used to name the ransom note. The files begin to appear like the following:
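As an added illustration of the symptoms described above (this script is not part of the original article and is not malware code), the following Python triage routine looks for the "<EXT>-DECRYPT.txt" ransom note, derives the 7-letter extension from its name, and counts the files carrying that extension. The directory tree it builds, and the extension "kfjhqpa", are constructed for the demonstration, not real GandCrab values.

```python
import os
import re
import tempfile
from collections import Counter

# GandCrab 5.1.5 names its ransom note "<EXT>-DECRYPT.txt", where <EXT> is the
# same 7 random letters it appends to every encrypted file (per the article).
NOTE_RE = re.compile(r"^([A-Za-z]{7})-DECRYPT\.txt$")


def find_gandcrab_indicators(root):
    """Walk `root` and return (set of extensions named in ransom notes,
    Counter of files carrying each of those extensions)."""
    note_exts = set()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                note_exts.add(m.group(1).lower())
    counts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name) or "." not in name:
                continue  # the note itself, or a file with no extension
            ext = name.rsplit(".", 1)[1].lower()
            if ext in note_exts:
                counts[ext] += 1
    return note_exts, counts


def build_sample_tree():
    """Constructed sample directory (empty placeholder files, not real
    ransomware output) with one note and three 'encrypted' files."""
    root = tempfile.mkdtemp(prefix="gandcrab_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.kfjhqpa", "budget.xlsx.kfjhqpa",
                 "photo.jpg.kfjhqpa", "KFJHQPA-DECRYPT.txt", "notes.txt"):
        open(os.path.join(docs, name), "w").close()
    return root


if __name__ == "__main__":
    exts, counts = find_gandcrab_indicators(build_sample_tree())
    for ext in sorted(exts):
        print(f"ransom note for extension .{ext}: {counts[ext]} encrypted file(s)")
```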

Furthermore, GANDCRAB 5.1.5 ransomware may also delete the shadow copies on the infected computer and disable system backup, with the main goal of restricting the user’s ability to recover his or her files this way. GANDCRAB ransomware reportedly does this by running the following commands as administrator on the victim PC:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
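For defenders, the command sequence above is what to alert on. The following added Python example (not from the article) encodes those commands as detection rules and runs them over a few constructed process-creation log lines in an assumed one-line format of `<timestamp> <host> 4688 CommandLine="…"`; the hostnames and timestamps are made up.

```python
import re
from collections import defaultdict
# Rules for the recovery-inhibition commands the article attributes to GandCrab
# 5.1.5; each regex is matched against the CommandLine field of a process event.
# (VSS is the Volume Shadow Copy service; the article's list spells it "VVS".)
RULES = {
    "vss_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "bcdedit_recovery_off": re.compile(r"bcdedit\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"bcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "sc_stop_protection": re.compile(
        r"\bsc(\.exe)?\s+stop\s+(VSS|VVS|wscsvc|WinDefend|wuauserv|BITS|ERSvc|WerSvc)\b", re.I),
}

# Constructed one-line-per-event format (not a real Windows export):
#   <timestamp> <host> 4688 CommandLine="<command line>"
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+4688\s+CommandLine="(?P<cmd>.*)"$')

SAMPLE_LOG = [  # constructed sample: WS01 shows the GandCrab sequence, WS02 is benign
    '2019-01-31T10:12:01Z WS01 4688 CommandLine="sc stop WinDefend"',
    '2019-01-31T10:12:01Z WS01 4688 CommandLine="sc stop wuauserv"',
    '2019-01-31T10:12:02Z WS01 4688 CommandLine="cmd.exe /C bcdedit /set {default} recoveryenabled No"',
    '2019-01-31T10:12:02Z WS01 4688 CommandLine="cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2019-01-31T10:12:03Z WS01 4688 CommandLine="cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet"',
    '2019-01-31T10:15:40Z WS02 4688 CommandLine="sc stop Spooler"',
    '2019-01-31T10:15:41Z WS02 4688 CommandLine="notepad.exe notes.txt"',
]


def match_events(lines):
    """Return (host, timestamp, rule_name, command_line) for every parsable
    event whose command line trips one of RULES."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a process-creation event in the assumed format
        for rule_name, rx in RULES.items():
            if rx.search(m["cmd"]):
                hits.append((m["host"], m["ts"], rule_name, m["cmd"]))
    return hits


def hosts_with_burst(hits, min_distinct_rules=3):
    """Hosts on which at least `min_distinct_rules` different rules fired: one
    'sc stop' is routine admin noise, the whole sequence is the ransomware."""
    per_host = defaultdict(set)
    for host, _ts, rule_name, _cmd in hits:
        per_host[host].add(rule_name)
    return sorted(h for h, r in per_host.items() if len(r) >= min_distinct_rules)
```

Hosts returned by `hosts_with_burst` are candidates for immediate isolation, since by the time these commands run the encryption routine is typically already under way.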

Remove GANDCRAB 5.1.5 and Restore Encrypted Files

Before starting the removal process for GANDCRAB 5.1.5, please back up your files, even though they may all be encrypted, just in case.

If you want to remove GANDCRAB 5.1.5 ransomware, you can do so either manually or automatically; information and steps for both are available in the removal accordion underneath. If manual removal does not seem to have any effect, we strongly suggest doing what most security experts would do: download and run a scan with an advanced anti-malware program, whose main purpose is to scan your computer for malicious files and objects and remove them thoroughly.

If you want to restore files encrypted by GANDCRAB 5.1.5, we suggest that you give the steps underneath a try, since they aim to help you recover as many files as possible, even though they come with no 100% guarantee.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
