What appears to be a modified build presented as a new GANDCRAB 5.3 ransomware version has been detected by researcher Jakub Kroustek (https://twitter.com/JakubKroustek/status/1119194352184700929). The ransomware performs a variety of activities on victims' computers, ending with their files being encrypted and impossible to open. The GANDCRAB 5.3 Jokeroo ransomware may then drop a ransom note in which the victim is extorted to pay a ransom if they want to use their files again. If your computer has been infected by GANDCRAB 5.3 ransomware, you should not pay the ransom and should instead focus on removing the virus and restoring the files yourself. Read this article if you are a victim of the GANDCRAB 5.3 threat.
|Short Description|Aims to encrypt the files on the infected computer and then ask victims to pay a ransom to retrieve them.|
|Symptoms|Files have a random extension. A ransom note ending in “-MANUAL.txt” may appear and the wallpaper may be changed to one reading “ENCRYPTED BY GANDCRAB 5.3”.|
|Distribution Method|Spam Emails, Email Attachments, Executable files|
GANDCRAB 5.3 – How Did I Get It and What Does It Do?
The GANDCRAB 5.3 ransomware virus may enter your computer by being uploaded to compromised sites. If that is the case, the virus may spread via an infection file pretending to be:
- License activator.
- Portable program.
In addition to this, GANDCRAB 5.3 may also pretend to be a legitimate document of some sort and be sent to you via e-mail. If this is the case, the document may be in a .ZIP or .RAR archive or be a .docx file containing a malicious macro.
Once GANDCRAB 5.3 is on your computer, the ransomware may change your wallpaper to an “ENCRYPTED BY GANDCRAB 5.3” image.
In addition to this, GANDCRAB 5.3 could also drop its ransom note file, which contains the following message:
—= GANDCRAB v5.3 =—
UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS
All your files, documents, photos, databases and other important files are encrypted and have the extension:
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/ b6314679c4ba3647/
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
In addition to the ransom note, GANDCRAB 5.3 could also perform other activities on victims' computers, such as checking whether the virus has previously run on the infected machine. If so, GANDCRAB may stop the infection process and self-delete. Other activities include creating files in %AppData% and other system directories and creating mutexes. GANDCRAB 5.3 could also check your IP and regional information to see which country you are from.
The encryption process of GANDCRAB 5.3 is rather complicated. The virus may target files of the following types:
- Audio files.
- Database files.
Once the files are encrypted, they appear with a changed extension and the user cannot open them. Paying the ransom is not recommended, since you cannot trust the people behind GANDCRAB, and by paying you support their cyber-criminal activity. Instead, we advise you to remove the virus and back up your files, even if they are encoded.
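The symptoms described above (a ransom note whose name ends in “-MANUAL.txt”, carrying the GANDCRAB banner, next to files with a changed extension) can be checked across a folder tree with a short script. This is an added example, not part of the original article; the names `is_ransom_note` and `scan` and the way the banner is matched are assumptions made for illustration.

```python
import os
from collections import Counter

NOTE_SUFFIX = "-manual.txt"  # note name ending reported in the article
BANNER = "gandcrab"          # string from the note's banner line quoted in the article
MAX_READ = 4096              # only the start of a candidate note is inspected


def is_ransom_note(path):
    """True if the name ends in -MANUAL.txt and the text mentions GANDCRAB."""
    if not os.path.basename(path).lower().endswith(NOTE_SUFFIX):
        return False
    try:
        with open(path, "rb") as fh:
            head = fh.read(MAX_READ)
    except OSError:
        return False  # unreadable file: cannot confirm, so do not report it
    # Notes may be UTF-8 or UTF-16; dropping NUL bytes lets both match the banner.
    text = head.replace(b"\x00", b"").decode("utf-8", errors="ignore")
    return BANNER in text.lower()


def scan(root):
    """Walk root and return {directory: {"notes": [...], "extensions": Counter}}."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        notes = [f for f in filenames if is_ransom_note(os.path.join(dirpath, f))]
        if not notes:
            continue
        # Tally extensions of the other files so the changed extension stands out.
        exts = Counter(
            os.path.splitext(f)[1].lower()
            for f in filenames
            if f not in notes and os.path.splitext(f)[1]
        )
        findings[dirpath] = {"notes": sorted(notes), "extensions": exts}
    return findings


if __name__ == "__main__":
    import sys
    for folder, info in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        top = ", ".join(f"{e} x{n}" for e, n in info["extensions"].most_common(3))
        print(f"{folder}: notes={info['notes']} common extensions: {top or 'none'}")
```

Run it read-only against a copy or a mounted image of the affected drive; the most common extension in each reported folder indicates which files were affected and helps estimate the scope before backing them up.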
Remove GANDCRAB 5.3 and Try Restoring Files
To remove this virus, we suggest that you follow the removal instructions underneath. If the manual removal steps do not seem to work, we suggest that you remove GANDCRAB 5.3 automatically with the aid of advanced anti-malware software. Such a tool is designed to fully erase the malicious files of viruses like GANDCRAB 5.3 safely and effectively.
If you want to restore files encrypted by GANDCRAB 5.3, you should focus on the alternative tools we have suggested underneath. They have been created with the primary idea of helping you get back at least some of the encrypted files until a decryptor for them arrives. If that happens, we will post an update with the decryptor in the following article.