GANDCRAB 5.1.6 Ransom Virus - How to Remove It


This article explains what the GANDCRAB 5.1.6 ransomware virus is, how to remove it from your computer and how you can try to recover files that it has encrypted.

Yet another new version of GANDCRAB ransomware has been detected, this time calling itself 5.1.6, leaving malware researchers wondering whether the ransomware authors are mocking them or have released the virus to be sold on deep web marketplaces as a service (RaaS). GandCrab 5.1.6 is a ransomware virus that encrypts the files on the computers it compromises and then leaves behind a ransom note extorting victims to pay a ransom in cryptocurrencies in order to regain access to their files. If your computer has been affected by the 5.1.6 instance of GANDCRAB ransomware, we advise reading the following article.

Threat Summary

Name: GANDCRAB 5.1.6
Type: Ransomware, Cryptovirus
Short Description: A variant of the GANDCRAB ransomware family. Encrypts files and holds them hostage for ransom payment.
Symptoms: Files are encrypted, with a random 10-letter file extension added after their original name, and may also be renamed.
Distribution Method: Spam Emails, Email Attachments, Executable files

GANDCRAB 5.1.6 – Infection

One infection method that GANDCRAB 5.1.6 ransomware is believed to use is uploading a file online and making it seem that the file is some sort of legitimate program. One recent case, from a user who complained on our forum, involved a game crack for Battlefield 5 and other games. Besides cracks, other types of files containing GANDCRAB 5.1.6 could also be encountered, for example:

  • Portable programs.
  • Activators for licenses.
  • Keygens.
  • Software installers.

GANDCRAB 5.1.6 Virus – Main Activity Report

Upon infection, GANDCRAB 5.1.6 ransomware may either download its payload from a command and control (C2) server or extract it on the infected computer. The malware uses obfuscation techniques to evade most conventional antivirus programs and infect silently. The main infection file of GANDCRAB 5.1.6 is reported to be the following:

→ SHA256:1a8226571d4e22d3383e2c163da39f22e1c4fed5f79b0dbefb7defbc7d359d11
Name: 1.exe
Size: 139.34 KB

Furthermore, GANDCRAB 5.1.6 ransomware may also drop other malicious files that support the main payload. These files are often .tmp, .dll or .bat files and they often have random names and reside in the following Windows directories:

  • %Local%
  • %LocalLow%
  • %Roaming%
  • %AppData%
  • %Temp%

Among the files dropped by GANDCRAB 5.1.6 ransomware is the virus's ransom note, which is also set as the main wallpaper on the infected computer.

Besides the wallpaper, the virus also drops its ransom note file in almost every folder where encrypted files reside. The name of the ransom note begins with the random file extension that is also added to the encrypted files and ends with “-DECRYPT.TXT”. It likely contains the following message:

—= GANDCRAB V5.1.6 =—



All your files, documents, photos, databases and other important files are encrypted and have the extension:

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:


| 0. Download Tor browser –

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/371525fbc2a9ddd2
| 4. Follow the instructions on this page


On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.


The ransom note of the virus aims to convince victims to visit the main TOR web page of GANDCRAB 5.1.6, which, like its other versions, has further guides and steps on how to purchase BitCoin or Zcash to pay the ransom. The crooks even go as far as to offer customer support by answering questions in a “Contact Us” form, and they also have multi-language support – anything in the name of the ransom being paid. The TOR page is well made.

GANDCRAB 5.1.6 ransomware may also add registry entries that result in its malicious file being run automatically after a forced restart of Windows. The registry sub-keys that may be attacked are likely the following:

→ HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Keyboard Layout\Preload
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\productName

In addition to this, GANDCRAB 5.1.6 may also connect to the following remote locations:


GANDCRAB 5.1.6 may also perform other activities on the computers compromised by it:

  • Create mutexes.
  • Touch system files of Windows.
  • Log the victim’s keystrokes.
  • Steal files and information on the victim PC.
  • Take screenshots.
  • Modify the application directory.
  • Create a process with a hidden window.
  • Write an unusually large amount of data to the registry.
  • Try to detect a virtual machine.
  • Read data related to browser cookies.
  • Add a file to open the next time Word is launched.

GANDCRAB 5.1.6 – How Does It Encrypt

GANDCRAB 5.1.6 ransomware aims to encrypt the following types of files on the compromised computer:

  • Images.
  • Videos.
  • Documents.
  • Databases.
  • Archives.
  • Shadow Copies.

GANDCRAB 5.1.6 targets files for encryption based on their file extensions. The virus may scan for the file extensions associated with the files users most often use, which almost always are among the following:


The virus encrypts the files by encoding blocks of the original data, which is enough to make each file appear corrupt. Then, GANDCRAB 5.1.6 adds a random 10-letter file extension to the encrypted files.
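
A triage sketch for the indicators described above, added here as an example (it is not code from this site or from any security vendor): it walks a folder tree, finds ransom notes named with 10 letters followed by "-DECRYPT.TXT", lists the files carrying that same extension, and compares small files against the payload SHA-256 listed earlier. The function names, the 1 MiB hashing limit and the sample folder tree are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# SHA-256 of the main payload (1.exe, 139.34 KB) as listed in this article.
PAYLOAD_SHA256 = "1a8226571d4e22d3383e2c163da39f22e1c4fed5f79b0dbefb7defbc7d359d11"
# Ransom note name per the article: <10 random letters>-DECRYPT.TXT
NOTE_RE = re.compile(r"^([A-Za-z]{10})-DECRYPT\.TXT$", re.IGNORECASE)

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(root, payload_sha256=PAYLOAD_SHA256, max_hash_size=1 << 20):
    """Collect ransom notes, files carrying the note's extension, and hash hits.
    max_hash_size is an assumed pre-filter: only small files are hashed."""
    notes, by_ext, hash_hits = defaultdict(list), defaultdict(list), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            match = NOTE_RE.match(name)
            if match:
                notes[match.group(1).upper()].append(path)
                continue
            by_ext[os.path.splitext(name)[1][1:].upper()].append(path)
            try:
                if (os.path.getsize(path) <= max_hash_size
                        and sha256_of(path) == payload_sha256.lower()):
                    hash_hits.append(path)
            except OSError:
                continue  # locked or unreadable file: skip it
    # Only extensions confirmed by a ransom note count as encrypted files.
    encrypted = {ext: sorted(by_ext[ext]) for ext in notes if ext in by_ext}
    return {"notes": dict(notes), "encrypted": encrypted, "hash_hits": sorted(hash_hits)}

def build_sample_tree():
    """Constructed sample: a fake note, two fake encrypted files, one clean file."""
    root = tempfile.mkdtemp(prefix="gc516_demo_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("QWERTYUIOP-DECRYPT.TXT", "docs/report.docx.qwertyuiop",
                "docs/photo.jpg.qwertyuiop", "docs/notes.txt"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("constructed sample data: " + rel)
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Run against a user profile or a mounted disk image, the "encrypted" list gives the set of files to back up before removal, and any entry in "hash_hits" is a copy of the reported payload.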

Remove GANDCRAB 5.1.6 and Restore Encrypted Files

If you want to remove this instance of GandCrab ransomware, we suggest that you back up your files first, even if they are encrypted. For the removal process, we strongly suggest that you follow the removal instructions underneath this article. They have been created with the primary purpose of assisting you in removing GANDCRAB 5.1.6 ransomware in the way you prefer. If you cannot seem to remove the virus manually, be advised that most security professionals recommend taking advantage of an advanced anti-malware program. Such software's main goal is to thoroughly scan your computer for malware and remove all of the viruses that are related to it.

If you want to try to restore files encrypted by GANDCRAB 5.1.6 ransomware, we recommend that you give the alternative recovery methods shown underneath a try. They may not be 100% effective, but with their aid, you might be able to restore at least some of your encrypted files.


To remove GANDCRAB 5.1.6 follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove GANDCRAB 5.1.6 files and objects
2. Find files created by GANDCRAB 5.1.6 on your PC

Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by GANDCRAB 5.1.6

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
