GANDCRAB 5.1.6 Ransom Virus - How to Remove It
THREAT REMOVAL

GANDCRAB 5.1.6 Ransom Virus – How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

This article has been made to explain what is GANDCRAB 5.1.6 ransomware virus, how to remove it from your computer and how you can try and recover files that are encrypted by it.

Yet another new version of GANDCRAB ransomware has been detected, this time calling itself 5.1.6, making malware researchers curious whether or not the ransomware authors are mocking them or they have released the virus to be sold in the deep web marketplaces as a service (RaaS). GandCrab 5.1.6 is a ransomware virus which aims to encrypt the files on the computers that are compromised by it and then leave behind a ransom note extorting victims to pay ransom in cryptocurrencies in order to retrieve access to their files. In case your computer has been affected by the 5.1.6 instance of GANDCRAB ransomware, we advise reading the following article.

Threat Summary

NameGANDCRAB 5.1.6
TypeRansomware, Cryptovirus
Short DescriptionA variant of the GANDCRAB ransomware family. Encrypts files and holds them hostage for ransom payment.
SymptomsFiles are encrypted with random 10 letters file extension added after their original name and may also be renamed.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by GANDCRAB 5.1.6

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss GANDCRAB 5.1.6.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

GANDCRAB 5.1.6 –Infection

One of the methods of infection which are used by GANDCRAB 5.1.6 ransomware is believed to be done by uploading a file online and making it seem that the file is some sort of a legitimate program. One recent case of a user who complained on our forum was regarding a game crack, concerning Battlefield 5 and other games. Besides cracks, other types of files containing GANDCRAB 5.1.6 could also be encountered out there, for example:

  • Portable programs.
  • Activators for licenses.
  • Keygens.
  • Software installers.

GANDCRAB 5.1.6 Virus – Main Activity Report

Upon infection, GANDCRAB 5.1.6 ransomware may either download it’s payload from a command and control (C2C) server or extract it on the infected computer. The malware uses obfuscation techniques to avoid most conventional antivirus programs and infect silently. The main infection file of GANDCRAB 5.1.6 is reported to be the following:

→ SHA256:1a8226571d4e22d3383e2c163da39f22e1c4fed5f79b0dbefb7defbc7d359d11
Name: 1.exe
Size: 139.34 KB

Furthermore, GANDCRAB 5.1.6 ransomware may also drop other malicious files that support the main payload. These files are often .tmp, .dll or .bat files and they often have random names and reside in the following Windows directories:

  • %Local%
  • %LocalLow%
  • %Roaming%
  • %AppData%
  • %Temp%

Among the files dropped by GANDCRAB 5.1.6 ransomware is the virus’s ransom note, which is also set as a main wallpaper on the infected computer:

Besides the wallpaper of GANDCRAB Ransomware, the virus also drops it’s ransom note file in almost every folder, where encrypted files reside. The ransom note begins with the random file extension that is also added to the encrypted files and ends with “-DECRYPT.TXT”. It likely contains the following message:

—= GANDCRAB V5.1.6 =—

UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension:

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

—————————————————————————————–

| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/371525fbc2a9ddd2
| 4. Follow the instructions on this page

—————————————————————————————–

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

The ransom note of the virus aims to convince victims to visit the main TOR web page of GANDCRAB 5.1.6, which like it’s other versions has further guides and steps on how to purchase BitCoin or Zcash to pay the ransom. The crooks even go as far as to offer Customer Support by answering questions in a “Contact Us” form and they also have multi-language support – anything in the name of the ransom being paid. The TOR page is well made and looks like the following:

GANDCRAB 5.1.6 ransomware may also add registry entries that result in it’s malicious file being automatically ran after Windows is force reset. The registry sub-keys that may be attacked are likely the following:

→ HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Keyboard Layout\Preload
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\productName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Domain

In additiion to this, GANDCRAB 5.1.6 may also connect to the following remote locations:

→ 78.46.77.98
217.26.53.161
74.220.215.73
136.243.13.215
138.201.162.99

GANDCRAB 5.1.6 may also perform other activities on the computers compromised by it:

  • Create mutexes.
  • Touch system files of Windows.
  • Log the victim’s keystrokes.
  • Steal files and information on the victim PC.
  • Take screenshots.
  • Modifies application directory.
  • Creates process with hidden window .
  • Writes an unusually large amount of data to the registry .
  • Tries to detect virtual machine.
  • Reads data related to browser cookies
  • Adds file to open the next time Word is launched

GANDCRAB 5.1.6 – How Does It Encrypt

GANDCRAB 5.1.6 ransomware aims to encrypt the following types of files on the compromised computer:

  • Images.
  • Videos.
  • Documents.
  • Databases.
  • Archives.
  • Shadow Copies.

GANDCRAB 5.1.6 targets files for encryption based on their file extensions. The virus may scan for the file extensions associated with the often used files by users, which almost always are among the following:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

The virus encrypts the files by encoding blocks of original data from the file which is enough to make it appear as if the file is corrupt. Then, GANDCRAB 5.1.6 adds a random 10-letter file extension, making the files begin to appear like the following:

Remove GANDCRAB 5.1.6 and Restore Encrypted Files

If you want to remove this instance of GandCrab ransomware, we suggest that you backup your files before that, even if they are encrypted. For the removal process of GandCrab ransomware, we strongly suggest that you follow te removal instructions that are underneath this article. They have been created with the primary purpose to assist you into removing GANDCRAB 5.1.6 ransomware according to the way you prefer. If you cannot seem to manually remove the virus, be advised that most security professionals recommend taking advantage of an advanced anti-malware program. Such software’s main goal is to thoroughly scan your computer for malware and remove all of the viruses that are related to it.

If you want to try and restore files, encrypted by GANDCRAB 5.1.6 ransomware, we would recommend that you give the alternative recovery methods shown underneath a try. They may not be 100% effective, but with their aid, you might be able to restore at least some of your encrypted files.

Avatar

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...