Remove GANDCRAB v5.0.4 Cryptovirus - Restore Files

The article will aid you to remove GANDCRAB v5.0.4 ransomware effectively. Follow the ransomware removal instructions given at the bottom of this article.

GANDCRAB v5.0.4 is the latest version of the nefarious GandCrab cryptovirus. The virus will encrypt your files and the criminals behind it will try to extort money from you to allegedly recover your files back to normal and return your computer to its original operation state before it was struck with GandCrab. After files become encrypted, they will receive a random 8-letter extension. The ransom note’s name is formed by using this extension in capital letters and adding -DECRYPT.txt or -DECRYPT.html afterward. Slight variations in the ransom notes might exist with different versions of GandCrab cryptovirus. Continue to read the article and see how you could try to potentially recover some of your encrypted files and data.

Threat Summary

Name: GANDCRAB v5.0.4
Type: Ransomware, Cryptovirus
Short Description: The GandCrab ransomware encrypts files on your computer system and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files with an 8-random-letter extension and leave a ransom note with payment instructions.
Distribution Method: Spam Emails, Email Attachments

GANDCRAB v5.0.4 Virus – Update January 2019

The GANDCRAB v5.0.4 Virus keeps on spreading on a massive scale and the newest email campaign for it features an interesting script file. The file is named “Love_You_34029936-2019-txt.js” and poses as a simple text file with the header “My love letter for you”. The file might be inside a .zip file with the same name. If the criminals have somehow obtained a contact list with known email addresses of the victims they send the emails to, the lure would be even more convincing.

The JavaScript file will download and install the GandCrab 5.0.4 ransomware as well as the XMRig Monero Miner cryptocurrency mining malware. The following processes are run:

  • wincfg32scv.exe
  • 1119713827.exe
  • 2987227227.exe

Alongside these suspicious processes, other files might also be added to aid the ransomware in maintaining its persistence on the compromised machine.

GANDCRAB v5.0.4 Virus – Update December 2018

The GANDCRAB v5.0.4 Virus keeps spreading rapidly in December 2018, just as it did when it initially came out. Over two dozen new samples have been reported by malware researchers and even more have been spotted in the wild. You can see one of them being dissected inside VirusTotal’s service, from the screenshot provided here:

In addition to all of those attack vectors, GANDCRAB v5.0.9 Cryptovirus is already out and new victims already have their computer systems compromised.

GANDCRAB v5.0.4 Virus – Distribution Tactics

The GANDCRAB v5.0.4 ransomware might distribute itself via different tactics. A payload dropper which initiates the malicious script for this ransomware is being spread around the Internet, and researchers have gotten their hands on a malware sample. If that file lands on your computer system and you somehow execute it – your computer device will become infected.

Below, you can see the payload file of the cryptovirus being detected by the VirusTotal service:

Infected users have also told us that file-distribution trackers such as PirateBay host executables that drop the GANDCRAB v5.0.4 ransomware. Do not download cracked software and games from torrent sites.

Freeware found on the Web can be presented as helpful while also hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware located at the corresponding forum thread.

GANDCRAB v5.0.4 Virus – Technical Information

GANDCRAB v5.0.4 is a virus that encrypts your files and leaves a ransom note, with instructions inside it, about the compromised computer device. The extortionists want you to pay a ransom fee for the alleged restoration of your files. Previous GANDCRAB 5.0 versions are said to use the CVE-2018-0896 vulnerability. That could be exploited with this new version as well. Other vulnerabilities and exploit tactics are not excluded from being used in addition to the one mentioned above.

Version 5.0.4 of GandCrab was spotted by malware researcher Ben Hunter (with Twitter handle @B_H101) earlier today (02.10.2018).

GANDCRAB v5.0.4 ransomware makes various entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to start the virus automatically with each boot of the Windows Operating System. Below you will see the list with registries that are tampered with:

After encryption, the GANDCRAB v5.0.4 virus will save a ransom note. The ransom note’s name is formed by using the random file extension in capital letters and adding -DECRYPT.txt or -DECRYPT.html, so as an example the note with instructions would be called YKWKCUGI-DECRYPT.txt.

The ransom note is displayed below:

That ransom message has the following contents:

—= GANDCRAB V5.0.4 =—

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .YKWKCUGI

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

—————————————————————————————–

| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/371525fbc2a9ddd2
| 4. Follow the instructions on this page

—————————————————————————————–

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!

IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

—BEGIN GANDCRAB KEY—
IAQAADcGuK20868jo rVSSQNHeCNCzn LVthNchP1cchrZ+ZK64yengprthG 1oan 1 BmSjZWIVyseGGDBKUiOnX4NfUDgoNh rthhDaVWAetprp+ystBhHoerAGVbtaprwIXUeKItyFQJUkFlmE+J9/91W3ngfXUDpB13408PijhAwijqUnWNZBMXD4TQrv… [REDACTED] —END GANDCRAB KEY—

—BEGIN PC DATA—
wfKD6iudumBkmpL8IRr4U7WxEFa3OW3tyzxyOuL12FYqvNmWPB5KYaxd5ZYqTpNRu3YM7nNWsbfaTHGHjR4qBMvz39M074b6dEHXDG/iHZJy8+LFIv/dmMngioqtOiJtTit2DjRIuBtNYA==
—END PC DATA—

The ransom note instructs the victim to visit a payment page hosted on the TOR network that looks like the following:

We are sorry, but your files have been encrypted!
Don’t worry, we can help you to return all of your files!
Files decryptor’s price is 2400 USD
If payment isn’t made until 2018-07-20 02:32:41 UTC the cost of decrypting files will be doubled
Amount was doubled!
Time left to double price:
—————————————————————————————–
What the matter? Buy GandCrab Decryptor Support is 24/7 Test decrypt
—————————————————————————————–
Please turn on javascript!!
What the matter?
Your computer has been infected with GandCrab Ransomware. Your files have been encrypted and you can’t decrypt it by yourself.
In the network, you can probably find decryptors and third-party software, but it won’t help you and it only can make your files undecryptable
What can I do to get my files back?
You should buy GandCrab Decryptor. This software will help you to decrypt all of your encrypted files and remove GandCrab Ransomware from your PC.
Current price: $2,400.00. As payment, you need cryptocurrency DASH or Bitcoin
What guarantees can you give to me?
You can use test decryption and decrypt 1 file for free
What is cryptocurrency and how can I purchase GandCrab Decryptor?
You can read more details about cryptocurrency at Google or here.
As payment, you have to buy DASH or Bitcoin using a credit card, and send coins to our address.
How can I pay to you?
You have to buy Bitcoin or DASH using a credit card. Links to services where you can do it: Dash exchanges list, Bitcoin exchanges list
After it, go to our payment page Buy GandCrab Decryptor, choose your payment method and follow the instructions

The message above, displayed by the GANDCRAB v5.0.4 ransomware virus, indicates that your files are encrypted. You are asked to pay a ransom sum in either Bitcoin or DASH cryptocurrency to allegedly restore your files. However, you should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody can give you a guarantee that they will. Adding to that, giving money to cybercriminals will most likely motivate them to create more ransomware viruses or commit different criminal activities. It may even result in you getting your files encrypted all over again after payment.

In addition, a picture of Valery Sinyaev will be dropped by the ransomware with the following accusations:

Valery Sinyaev destroy families, people, fire people, he is a asshole that believe he is god. Deserve it and more…stay tuned company if you don’t take actions against him!

We see more and more people being the face of ransomware viruses, but they are mostly political figures or ex-politicians.

GANDCRAB v5.0.4 Ransomware – Encryption Process

The encryption process of the GANDCRAB v5.0.4 ransomware is rather simple – every file that gets encrypted will become simply unusable. Files will get an extension composed of eight random letters. The new extension is appended as a secondary one, without changing the original extension.
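An added triage example (not code from this article or from any vendor tool): it applies the note-naming rule and the secondary-extension behaviour described above to a file listing, and cross-checks the extension stated inside a collected note. The paths and the note body are constructed; accepting 5 to 10 letters rather than exactly 8 is an assumption based on the extensions readers report in the comments on this page.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Note name = extension in capital letters + "-DECRYPT.txt" or "-DECRYPT.html".
# Assumption: 5-10 letters, since reported extensions are not always 8 long.
NOTE_NAME_RE = re.compile(r"^([A-Z]{5,10})-DECRYPT\.(?:txt|html)$")
# Line inside the note body that states the appended extension.
NOTE_EXT_RE = re.compile(r"have the extension:\s*\.([A-Za-z]{5,10})\b")
VERSION_RE = re.compile(r"GANDCRAB V(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_note(text):
    """Extract version, stated extension and block markers from a note body."""
    version = VERSION_RE.search(text)
    ext = NOTE_EXT_RE.search(text)
    return {
        "version": version.group(1) if version else None,
        "extension": ext.group(1).lower() if ext else None,
        "has_key_block": "BEGIN GANDCRAB KEY" in text and "END GANDCRAB KEY" in text,
        "has_pc_data": "BEGIN PC DATA" in text and "END PC DATA" in text,
    }


def triage(paths, note_bodies=None):
    """Group a listing into ransom notes and files carrying each note's extension.

    paths: iterable of Windows path strings.
    note_bodies: optional {note path: text} for notes whose content was collected.
    """
    paths = list(paths)
    note_bodies = note_bodies or {}
    notes = {}  # lowercase extension -> note paths
    for p in paths:
        m = NOTE_NAME_RE.match(PureWindowsPath(p).name)
        if m:
            notes.setdefault(m.group(1).lower(), []).append(p)

    report = {}
    for ext, note_paths in notes.items():
        encrypted, original_types = [], Counter()
        for p in paths:
            suffixes = [s.lower() for s in PureWindowsPath(p).suffixes]
            # The random extension is appended last: budget.xlsx.ykwkcugi
            if suffixes and suffixes[-1] == "." + ext:
                encrypted.append(p)
                original_types[suffixes[-2] if len(suffixes) > 1 else "(none)"] += 1
        report[ext] = {
            "notes": note_paths,
            "encrypted": encrypted,
            "original_types": dict(original_types),
            # A note-like name with no matching files is only a candidate
            # (for example an unrelated README-DECRYPT.txt).
            "confirmed": bool(encrypted),
            "body_mismatch": [
                n for n in note_paths
                if n in note_bodies and parse_note(note_bodies[n])["extension"] != ext
            ],
        }
    return report


# Constructed sample data, shaped after the note quoted in the article.
SAMPLE_NOTE = (
    "---= GANDCRAB V5.0.4 =---\n"
    "All your files, documents, photos, databases and other important files "
    "are encrypted and have the extension: .YKWKCUGI\n"
    "---BEGIN GANDCRAB KEY---\n(key material omitted)\n---END GANDCRAB KEY---\n"
    "---BEGIN PC DATA---\n(data omitted)\n---END PC DATA---\n"
)
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\YKWKCUGI-DECRYPT.txt",
    r"C:\Users\alice\Documents\budget.xlsx.ykwkcugi",
    r"C:\Users\alice\Documents\slides.pptx.YKWKCUGI",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\YKWKCUGI-DECRYPT.html",
    r"C:\Users\alice\Pictures\archive.zip.ykwkcugi",
    r"C:\Tools\README-DECRYPT.txt",
]
SAMPLE_BODIES = {SAMPLE_PATHS[0]: SAMPLE_NOTE}

if __name__ == "__main__":
    for ext, info in triage(SAMPLE_PATHS, SAMPLE_BODIES).items():
        print(ext, info)
```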

A list with the targeted extensions of files which are sought to get encrypted is believed to be the same as for the original 5.0 version, as shown below:

→.1st, .602, .7z, .7-zip, .abw, .act, .adoc, .aim, .ans, .apkg, .apt, .arj, .asc, .asc, .ascii, .ase, .aty, .awp, .awt, .aww, .cab, .doc, .docb, .docx, .dotm, .gzip, .iso, .lzh, .lzma, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .rar, .sldm, .sldx, .tar, .vbo, .vdi, .vmdk, .vmem, .vmx, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xps, .z, .zip

The files used most by users and which are probably encrypted are from the following categories:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

The GANDCRAB v5.0.4 cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

If the above command is executed, the effects of the encryption process become more severe, because the command eliminates one of the prominent ways to restore your data. If a computer device was infected with this ransomware and your files are locked, read on to find out how you could potentially restore some files back to their normal state.
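A detection-side example added here (not from the article or any product): it classifies process-creation records whose command line deletes shadow copies, tolerating case, quoting, a full path and reordered switches. The pipe-separated record layout, the timestamps and the parent process names are constructed for the example.

```python
def classify(command_line):
    """Return 'high', 'review' or None for one process command line.

    'high'   : vssadmin delete shadows with both /all and /quiet
    'review' : any other vssadmin delete shadows invocation
    None     : not a shadow-copy deletion
    """
    tokens = command_line.replace('"', " ").lower().split()
    for i, tok in enumerate(tokens):
        # Compare only the file name so a full path still matches.
        if tok.rsplit("\\", 1)[-1] in ("vssadmin", "vssadmin.exe"):
            args = tokens[i + 1:]
            break
    else:
        return None
    if "delete" not in args or "shadows" not in args:
        return None
    flags = {a for a in args if a.startswith("/")}
    return "high" if {"/all", "/quiet"} <= flags else "review"


def scan(events):
    """Yield (timestamp, parent image, severity) for flagged records."""
    hits = []
    for line in events:
        timestamp, parent, command_line = line.split("|", 2)
        severity = classify(command_line)
        if severity:
            hits.append((timestamp, parent, severity))
    return hits


# Constructed records: timestamp|parent image|command line
SAMPLE_EVENTS = [
    r'2019-01-14T09:12:03Z|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe list shadows',
    r'2019-01-14T09:14:40Z|C:\Users\alice\AppData\Roaming\sample.exe|vssadmin.exe delete shadows /all /Quiet',
    r'2019-01-14T09:15:02Z|C:\Windows\System32\cmd.exe|cmd.exe /c "C:\Windows\System32\VSSADMIN.EXE"  Delete  Shadows /Quiet /All',
    r'2019-01-14T10:01:00Z|C:\Windows\System32\cmd.exe|vssadmin delete shadows /for=C: /oldest',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```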

Remove GANDCRAB v5.0.4 Virus and Try to Restore Data

If your computer system got infected with the GANDCRAB v5.0.4 ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


To remove GANDCRAB v5.0.4 follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove GANDCRAB v5.0.4 files and objects
2. Find files created by GANDCRAB v5.0.4 on your PC

IMPORTANT!
Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by GANDCRAB v5.0.4
Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.

85 Comments

  1. panda842

    GANDCRAB V5.0.4 *.tncmnygcon

    Reply
  2. Awais Khan

    Data is encrypted with “GANDCRAB V5.0.4 having extension of .EUPXEH.

    Please help.

    Reply
  3. TENTENIGUADA

    Hello, good morning. I got hit by GANDCRAB V5.0.4 with the extension ( odokubbgw ).
    I managed to remove the bug, but I need help recovering the
    files.
    Thanks, TENTENIGUADA

    Reply
  4. Asim Javed

    Data is encrypted with “GANDCRAB V5.0.4 having extension of .FKVVQQCE

    Please help.

    Reply
  5. Tsetso Mihailov (Post author)

    Hello panda842, Awais Khan, TENTENIGUADA and Asim Javed.

    As said in the article encrypted files will receive a random 8-letter extension. You can try the decryption tool available for previous GandCrab versions and hope it to work – https://sensorstechforum.com/decrypt-gandcrab-ransomware-files/

    Reply
    1. Asim Javed

      I have tried but it says “Intionalization failed”

      Reply
      1. Tsetso Mihailov (Post author)

        Have you tried more than once?

        Reply
  6. Awais Khan

    I have already tried this tool but it didn’t work out. It does not identify this type of encryption and displays the message “No Encrypted files found”.

    This tool works on GANDCRAB v 5.0.3 while the new encryption is of GANDCRAB v 5.0.4. I have searched on different forums and found that a decryption tool for this ransomware is not yet developed.

    Reply
    1. Tsetso Mihailov (Post author)

      That is very unfortunate, Awais Khan. However, if there is a decryption method for the previous versions, maybe the newer variants could get decrypted as well…

      Reply
  7. Nate Kerley

    What if I said “to hell” with all my files and did a system restore? I didn’t have much on my laptop and know how to find whatever was lost.. But will it be gone for good this ransomness?

    Reply
    1. Tsetso Mihailov (Post author)

      If you do a system restore, you might restore the ransomware’s files as well. I wouldn’t advise that, but if you don’t care about losing files, use an anti-malware tool and then re-install your computer system. But know that if you do a reinstall, you won’t be able to use a data recovery program later, if you change your mind. Good luck!

      Best Regards

      Reply
  8. Georgios Michalopoulos

    .LIAUZG

    But the key is important, the extension is random

    Reply
    1. Tsetso Mihailov (Post author)

      True – the extension is indeed random, but thanks for reporting. Very unfortunate how this version proves to be so tough to decrypt. All of you will be notified if there is a decryptor found or another method to recover files.

      Reply
  9. Sven Käufer

    Hello,
    I am new here and unfortunately I am affected too. All my pictures, about 45GB, are encrypted with GandCrab v5.0.4; it would be really great if there were a solution.

    Reply
    1. Tsetso Mihailov (Post author)

      You can try the decryption tool available for previous GandCrab versions and hope it to work – https://sensorstechforum.com/decrypt-gandcrab-ransomware-files/

      However, users report that they get errors, so you can be unlucky.

      Reply
    2. JF

      There is no decryption for GandCrab 5.0.4 yet. I hope it comes soon…

      Reply
  10. Bud

    I find it interesting that an entire industry has evolved professing they have the cure to this GandCrab Ransomware. If only you purchase my malware removal tool, you will be saved.

    After so very many charlatans have created so much malware and caused so much grief why would we simply believe that a Saviour can cure your computer if only we provide them with money, rather than the GandCrab Cabal?

    Reply
    1. Tsetso Mihailov (Post author)

      Hey Bud,
      there are charlatans, but we don’t make malware,
      and we don’t lie. A malware removal tool will remove the malware, but it won’t decrypt the files.

      Plus, users have a choice on whether they want the malware to stay on their machines, or to remove it, either manually or using an anti-malware program (regardless of which program they choose, as long as it is legitimate). Nobody is telling you what to do. And there is a GandCrab decryption tool made by BitDefender, but it doesn’t work for all versions (yet).

      Reply
  11. kish

    NLJKZMQMNF v5.0.4 malware bytes stopped it a little late i got infected i don’t mind i just switch to another computer and carry on what i was doing

    Reply
    1. Tsetso Mihailov (Post author)

      The threat keeps on spreading it seems. Sad to hear that you are also a victim of it. You will be notified if the decrypter gets updated to properly work with v 5.0.4. For now you can try it, but people report they even have problems with v 5.0.3.

      Anyway, thanks for the update and I wish you luck in the future to not get hit by any malware. Make backups of your important files on another device, so you can recover them if you get hit by ransomware again.

      Reply
  12. Man

    Just infected today.The malware has encrypted all my files in one drive folder linked to the pc,not much can I do except formatting the pc and let all files gone .

    Reply
  13. Tsetso Mihailov (Post author)

    Hey Man,
    formatting is an option, but you will lose your files that way.
    Before doing that, you could also make a backup of the encrypted files and ransom note in case a decrypter program is released. In case you would like to have some files back, that is.

    Reply
  14. Amr Helmy

    Hi, Mr Ventsislav Krastev

    On November 2018, I discovered that my PC was affected by GANDCRAB V5.0.4 by referring to HRMGI. It seems to be everywhere in my computer. I have downloaded Bitdefender GandCrab V1, V4, V5 .
    I have also followed the steps properly. Each time I try to scan using Bitdefender GandCrab V1, V4, V5 Decryptor – system looking for encryption key. After a while, it is shown that initialization failed.

    Reply
    1. Tsetso Mihailov (Post author)

      Hi, Amr Helmy.
      I am not Mr Krastev, but I know that the current BitDefender’s decryptor does not work with version 5.0.4 of GandCrab and some people even have problems with v5.0.3.

      V4 means v4.0.0 (and maybe v4.xx) and not 5.0.4. BitDefender might develop a decryptor soon, but that is uncertain.

      Best Regards,
      Tsetso Mihailov from STF

      Reply
  15. Triet Tran

    My PC has infected by GANDCRAB V5.0.4 – extension: MLKOL. They ask me for $450 to provide the decrypt tools, and start count down from 7 days.

    Any work around to get back some files?

    Reply
    1. Tsetso Mihailov (Post author)

      Hello Triet Tran,

      Currently, there is no remedy for that version of the virus. However, malware researchers might make a decryption tool soon. Keep your files for a few months and see whether such a tool gets developed.

      Reply
  16. Todd Wantz

    I got the GandCrab v5.0.4 on Nov 27. with the Encryption extension of .pkwxuuzxut. Hopefully a decryptor will become available soon. As of right now, I am transferring all my files 2+TBs to and external for saving until I can decrypt them. I hope I will be notified when a decryptor comes available for this version

    Reply
    1. Tsetso Mihailov (Post author)

      Hello Todd Wantz,

      hopefully you are right and the current BitDefender tool gets further developed to decrypt files for GandCrab versions 5.0.3 and above.

      You have done the right thing to save your files. You will be notified if such a tool becomes available.

      Reply
  17. Denis

    My PC has infected by GANDCRAB V5.0.4 – extension: FAAEYA . Hopefully a decryptor will become available soon .

    Reply
    1. Tsetso Mihailov (Post author)

      We at SensorsTechForum are hoping for that as well.

      Reply
  18. Angelo

    Infected by GANDCRAB V5.0.4, extension .emchw. No tool works to decrypt the files..

    Reply
    1. Tsetso Mihailov (Post author)

      Hello Angelo.

      Unfortunately, yes, no tools work in decrypting GandCrab V5.0.4 files for now.

      Reply
  19. Bernardo

    My PC has been infected by V5.0.4 GANDCRAB – Extension: OAFCHZES. I have tried the Bitdefender utility, but when scanning I get the message “initialization failed”. Could you please give me some advice other than paying the criminal?

    Reply
    1. Tsetso Mihailov (Post author)

      Hello Bernardo.

      Wait 1-2 months. If BitDefender has made a decryption program for the previous variants, they should be able to make one for the newer 5.0.3 and above. Let’s hope a newer tool is released soon.

      Reply
  20. Eugene

    Locked with GandCrab 5.0.4 (extension: KRPWPQLU)
    Please help

    Reply
    1. Tsetso Mihailov (Post author)

      The extension of GandCrab v5.0.4 is random for each user. Currently there is no decryptor, but one might be made soon. Just wait – help might be on its way soon.

      Reply
  21. Bernardo

    Thank you very much, Tsetso

    Reply
  22. Andy Loran

    I also have been encrypted with Gandcrab V5.0.4 with the suffix ‘.rflnsfdbuo’. Will I be informed when and if a decryptor is found please?

    Reply
    1. Tsetso Mihailov (Post author)

      Yes, Andy Loran.
      We will try to inform everybody as best we can.

      Reply
  23. ferry

    I obtained a GandCrab 5.0.4 decryptor after making a small payment; does this work for all hacked people or only for me?

    Reply
    1. Tsetso Mihailov (Post author)

      I don’t know. The decryption program might be universal, but the key for each individual PC to be different… You can share the decryption program if you want.

      Reply
  24. Amsha

    We got the Gandcrab 5.04 Ransomware last week. (w/e 14/12/2018). We decided not to pay and just reset Windows 10. The Windows 10 system reset didn’t work. This might have been the plan of the ransomware developers, but we don’t know. However, we had recently done a Windows 10 reboot on a USB stick, and we used this to do a compete reset. The result was very good. Afterwards, we searched our drives for all files and folders with the random encryption string. We found several minor folders and files still encrypted and left on the system – eg drivers, intel log files, etc. We added “old” to the folder names, put these into a separate folder, where they will wait until we see what will happen, if anything. They’ll be deleted after a month or so if they prove to be not needed. The reset procedure left the old ransomware-encrypted Windows 10 system files on the system and it put them all into a folder called Windows – old. After the reset procedure, we deleted this folder immediately. Then we simply set about re-installing all our programs again. Overall, we were very happy with the reset procedure. We took a really good lesson from it all – be careful what we download from dubious sources, and be extra careful about false positives!! This was our story. We hope that it might help you. The souls who are involved in this ransomware are simply playing silly games, and don’t realize the consequences that their actions will bring them. Universal law of cause and effect cannot be gainsaid!

    Reply
    1. Tsetso Mihailov (Post author)

      Hello Amsha,

      thank you for sharing this story.

      It proves that you really have to be careful from where you download files and do more research on the source and files.

      It also proves that having a backup is the best bet to prevent your files from being lost forever. Ransomware is really hard to remove, so I am not surprised you found the ransomware files after the reset. I won’t be surprised if there are more files left, including registry entries and whatnot.

      Happy that you have recovered the system and can re-install the programs you need.

      Happy holidays!

      Reply
      1. Amsha

        Hello Tsetso,

        Thank you for your sympathetic comment. You are quite correct about having a good backup to save files being lost. Our backup system saved us from a catastrophe with this Ransomware.

        To add further: we searched the Registry for the encryption string and found only one instance of the string, and that was just the existence of the string in file extensions (FileExt) in Internet Explorer, and we deleted it straight away. This is an important realization when trying to be rid of this Ransomware. It means that a Windows reset does in fact get rid of almost everything associated with the Ransomware files. The few remaining instances of it in both the file system and the Registry were harmless – lame ducks with no power or mojo.

        Reply
        1. Tsetso Mihailov (Post author)

          I am happy that you fully exterminated the ransomware, Amsha!

          Yes, a reset could really help if it works properly, when you have backups and don’t care about the encrypted files. Deleting everything related to the ransomware is important, as the threat might find itself in your PC system somehow. Better be safe than sorry… 🙂

          Reply
  25. Evan

    I’m going to find this cock sucker, cut his face off, then wear it when I murder his entire family starting with the youngest member.

    anyways, I have 5.0.4 . how will I know when the decryptor can decrypt this version? I hope its soon, but Im willing to wait!

    Thanks guys!

    Reply
    1. Tsetso Mihailov (Post author)

      Hey Evan,
      your frustration is understandable. We at STF also hope that the new version of the decryptor will be released soon. You will be informed here on the comment section and the article will have an update message.

      Reply
  26. Rens

    Good evening

    For me it is GANDCRAB V5.0.4, extension WRMUUI. All my files have been encrypted, the photos of my mother who died a month ago plus videos, she was ill….. I have nothing left. I tried the BitDefender tool but nothing. I am waiting, I am hoping…..

    Reply
    1. Tsetso Mihailov (Post author)

      Good evening Rens,

      never lose hope! I strongly believe that researchers should be able to crack the 5.0.3 and 5.0.4 versions of the ransomware soon. Just wait and maybe in January there will be a decryptor. I really can’t give a prediction, but I hope we will see good news in the near future.

      Reply
      1. Vinod

        Hello friends, I have been hit with good old Gandcrab 5.0.4. Managed to remove the adware/malware/ransomware programs using malwarebytes and EEK.

        I have an Asus laptop and all the encrypted files are in my C:\eSupport folder. This folder appears to contain the laptop hardware drivers and recovery software.

        I’ve got most stuff backed up and am happy to format but does the location of the encrypted files mean a full format is likely to not work and destroy the laptop altogether?

        I thought the recovery software would be on a partition? Sorry I don’t know a great deal about this and don’t have a recovery disk unfortunately.

        Any advice appreciated.

        Reply
  27. Jim

    i also have been encrypted with Gandcrab V5.0.4 with the suffix ‘.PHAEUMI’. Will await for decryptor

    Reply
    1. Tsetso Mihailov (Post author)

      Yes, there is no working decryptor for v5.0.4 yet, so that is your best option – save your files and wait.

      Reply
  28. PUTRI

    i have been encrypted with GandCrab 5.0.4 with .DJAWTN. Hopefully the decryptor is available soon… but for a while, what should i do ? is it safe if i just wait without doing anything to my pc and keep doing some work as usual with it?

    Reply
    1. Tsetso Mihailov (Post author)

      That is your option – save the files that are important to you and wait for a decryptor. The previous decryptor needed 1 encrypted file and its non-encrypted original equivalent to decrypt files. So you could remove the virus and continue to work.

      Reply
  29. Fredy Martir

    What can I tell you, I was also somehow infected with GandCrab v5.0.4 and my machine is used for accounting, so you can imagine what a headache it is giving me right now, especially since it is the end of the year…. Well, I have already tried all the available tools…. but none worked, so it is a matter of continuing to wait then…….

    Reply
    1. Tsetso Mihailov (Post author)

      Yes, version 5.0.4 is not decryptable yet. You just have to wait, although no one really knows how long it is going to take for a working tool to be available.

      Reply
  30. Dung Cao

    i also have been encrypted with Gandcrab V5.0.4 with the suffix ‘.myqtqrz’. Will await for decryptor

    Reply
  31. Di

    Hi,
    I was infected at 11:20 am on December 26, 2018 with GandCrab 5.0.4 with extension QXFCEHV (extension is in caps). Many files are encrypted and some files are not. I cleaned/killed the virus with scans from Malwarebytes and Avast, however, I notice that there appears to be something, remnants or something that tends to return with every restart or boot because I have removed the same file over and over again and now I notice I am not removing it, but I haven’t restarted either. Right now I am going through every file to see and a QXFCEHV-DECRYPT.txt file or the ransom note. Prior to understanding this crap a little better, I attempted to reinstall my OS and guess what? I could not as it stated things such as my user profile was missing. I tried to boot into safe mode and I couldn’t it kept giving me a wrong password message when I would go into safe mode and sign in. So, right now at this moment, I am trying to recover anything that I can recover. My first recovery run was sort of a test run to see if I could do it since it seems that there are things I cannot do. I used Disk Drill once and now I am using EaseUS recovery once. I am going to get an external drive and recover all I can to this drive to hold. Afterward, I am going to contact the PC manufacturer–talk to them–then I’m taking it to be professionally wiped clean and have the OS reinstalled since I cannot do it. I am praying for a new decryptor soon and until then I have kept those encrypted files so I can decrypt them later. One thing I do know is, no matter how bad something is, there is always someone that can find something to defeat that bad something. Nothing is original, better manipulated and mixed up, but not original. A working decryptor will be released. I wish the infected family nothing but the best. Keep your heads up! Reply with anything you’d like to tell me or add. Thanks so much!

    Reply
    1. Tsetso Mihailov (Post author)

      It appears that GandCrab 5.0.4 is much more dangerous than its previous variants. We at SensorsTechForum are sorry to hear that this misfortune has happened to you and your computer. You are on the right track. It might be some registry settings that the cryptovirus made, which make the virus re-add files on every boot. To remove them, you usually need to be in safe mode or find a tool that removes them. However, it could be that another, harder to detect, malware is on your PC helping the GandCrab ransomware.

      Nobody knows for sure that there will be a decryption tool released, but hopefully there will be.

      Reply
      1. Di

        Hi again…oh yes, registry yes, I tried to rip them out using Regassassin…and no success…it told me that it could not remove the key(s). So I am truly baffled so I will stick to the plan I am working now. I don’t know what else to do but pray every day, so I will continue. Thanks so much!

        Di

        Reply
        1. Tsetso Mihailov (Post author)

          No problem! And if one counter-part of the virus is not working, the thing as a whole shouldn’t work either. Maybe the registries are over-written and there aren’t bad ones left. Hopefully, you have eradicated the threat and you won’t have problems after this point.

          Reply
  32. Di

    Hi again…I have a question…is every ransom note the same in which only the extension is changed? or are keys different for everyone? I am trying to understand a little better.
    And another question… does it help to post the ransom notes received since they contain keys? Helping..in a way to spread information and to educate others or no?

    Thanks!

    Reply
    1. Tsetso Mihailov (Post author)

      The extension and ID are different for each infected computer system. Therefore keys should be different, too. You can post the ransom note if you think it might help, but the general text should be the same as in the article. The keys inside the ransom notes might help researchers differentiate versions and, if a decryptor is made, help the tool recognize the specific version. So, if you want – you can share, of course.

      Reply
  33. H. Nguyen

    My computer was infected with GandCrab 5.0.4 too, with the extension URZDT, on Dec 28. It encrypted about 540G of my data! I moved all encrypted files into one subfolder. The reason it did so much on my computer was I did not know how to stop it. Could not kill it from Task Manager, every time I rebooted my computer it ran again and Windows prevented me from deleting the source files. I finally shut down Windows and booted it into safe mode, deleted new folders created by the malware, removed all suspicious executable lines in Run>Start, registry Run & RunOnce. Then I rebooted Windows and installed a malware tool. My computer is now clear of the ransomware but I have a big scar from that. Hopefully, there will be a decryption tool soon for this GandCrab 5.0.4.

    Reply
    1. Tsetso Mihailov (Post author)

      Sorry to hear that the virus took such a big toll in your case. We at STF are waiting on a decryption tool as well. You will be notified if such a program is released.

      Reply
  34. Tony Cheung

    extension GGCEGFLQ

    Is it decryptable?

    Reply
    1. Tsetso Mihailov (Post author)

      If it’s GandCrab 5.0.4 – it is not decryptable (yet). Judging by the length of the extension, I’d say this is 5.0.4 but there is a chance it could be an earlier variant. Try this decryption program: https://www.sensorstechforum.com/decrypt-gandcrab-ransomware-files/

      Reply
  35. Masterhipoly

    Hello, I have just been infected too and the extension is ZLUZQQS. Please, what can I do to recover my data (3D files to be delivered before the end of February 2019)?

    Reply
    1. Tsetso Mihailov (Post author)

      Try the decryption tool of BitDefender: https://www.sensorstechforum.com/decrypt-gandcrab-ransomware-files/

      If it doesn’t work, then you will have to wait for a new version of the decryption program.

      Reply
  36. Rhire

    gandcrab 5.04 extension .zsodezbz.
    Please help me.

    Reply
    1. Tsetso Mihailov (Post author)

      Unfortunately, GandCrab 5.0.4 is undecryptable at the moment.

      Reply
  37. Adam

    My GandCrab version is also v5.0.4

    The extension I got was .GCIPKJSOBT

    I am hoping that you can help us all.

    Thank you so much and more power

    Reply
    1. Milena Dimitrova

      Hi Adam, unfortunately, there still isn’t a decryption tool available for this ransomware. We will update our article once such a tool is released.

      Reply
  38. Ayhan

    As a GandCrab 5.04 victim, I became a victim because of Kaspersky.

    I don’t think Kaspersky is doing or planning to do something about it. I shared my experience and files with Kaspersky for the problem but the answer was not satisfactory.

    There was an .exe file on my laptop. Before clicking and running the file, I checked the file with Kaspersky. After scanning the file Kaspersky reported the result as “There is no threat”. So after being sure with the updated Kaspersky, I clicked on the file and it destroyed my files. After communicating with Kaspersky, the representative said “Kaspersky is working on it and planning to continue to study about it”. Funny, isn’t it? I told them that these types of malware have existed since 2013 and you tell me that Kaspersky is still planning to do something? When you sell your product you say it is the best software for ransomware, but you don’t have anything for any version of GandCrab. And after I scanned the file, giving a report like “there is no threat” was not acceptable. Your software may not clean it but at least, it should detect the malware instead of saying “there is no threat”.

    So I’m very pissed off with Kaspersky because it misled me and caused this problem.

    Reply
    1. Tsetso Mihailov (Post author)

      For starters, I don’t know how Kaspersky operates, but that is strange indeed.

      The GandCrab ransomware is still widely spread and there can be from 30 different samples to many more per day for this cryptovirus alone. Maybe you were unlucky and got a really new sample of the virus that infected your computer.

      I am really sorry to hear about your experience. You should run a second layer of defense, like a specific anti-malware tool, anti-ransomware tool, a firewall software, a sandbox… anything that adds another layer of protection.

      Most of all, you should make backups of your important files on an external device that is not connected to your main computer system. If your files become encrypted, you can always recover from backups. Note that even cloud backups have reportedly failed from time to time, so having more than just 1 backup is recommended.

      Reply
  39. Jacques

    Hello, having always built and installed Windows myself, I have always made partitions so as not to mix the system and my various documents. So, infected by GandCrab 5.04 on 19/12 with extension BGUBOEJG, I first disinfected my computer and formatted the 2 partitions, system and Windows, then reinstalled Windows 10, with version 1809 while I was at it. My encrypted documents will therefore be recoverable the day BitDefender creates a decryptor for this version 5.04.
    Almost all my documents, photos and films (about 70%) were encrypted; it did not have time to encrypt everything before I eradicated the ransomware, but it still did damage.
    So I hope that a decryptor will appear soon and that you will be able to help me.
    Thank you

    Reply
    1. Tsetso Mihailov (Post author)

      Hello, Jacques!

      We cannot help you at this time, as GandCrab 5.0.4 is still undecryptable. We hope that a newer version of the BitDefender decryptor program is released soon, too.

      Reply
  40. steph

    Hello everyone, best wishes!!! Infected like many others, .NSVDQN, but shortly after having done a complete reinstallation, so the PC was empty but the external hard drive was plugged in, fuck.
    To find out whether I did the “right” thing to get rid of the virus:
    I unplugged the “contaminated”, or rather “ENCRYPTED”, external HDD.
    I formatted and reinstalled Win 7 using my USB key, all drivers updated OK.
    Installed Kaspersky, ran a test scan, it finds no virus, even on the external drive.
    Checked with SpyHunter 5, same thing, no virus found, even on the external drive.
    But the videos and photos are still encrypted on the external drive.
    Otherwise my PC runs well, no windows popping up or anything, so I would like to know whether my PC is fine and clean, and whether I can keep the external HDD as it is until a solution is found?

    Reply
    1. Milena Dimitrova

      Hi steph,

      You should be good after the re-installation, but make sure to do a thorough scan and check the registry for leftover files.

      Reply
  41. Tomas

    gandcrab 5.04 extension .EODFVWZIU pls HELP

    Reply
    1. Tsetso Mihailov (Post author)

      Unfortunately, there is nothing we can do to help you at this time.

      GandCrab 5.0.4 is undecryptable at the moment. We are all waiting for a decryption tool to be released. If that happens, the article will get duly updated and you will be notified of the good news.

      Reply
  42. Stefano

    GandCrab 5.0.4 with extension .uwneb
    Nothing can be done, no remedy to recover the files.

    Reply
  43. Marc Antoniu

    Hi!
    I was infected with GandCrab 5.0.4, extension .KXRPAQD.
    I’m sure there is nothing that can be done right now, but I hope for great news in the future. I really hope that a newer version of the BitDefender decryptor program will be released soon.

    Reply
  44. Bha

    GANDCRAB V5.0.4 extension .YGLAX
    My computer was affected yesterday and I made a reset to my local disk C. But it also affected my other local disk; can I get those decrypted when the new version of the decryption tool is released?

    Reply
  45. R. Albert

    Hello,
    My PC was infected in mid-November 2018 with the GandCrab 5.0.4 Cryptovirus. Many data were encrypted with the random 8-letter extension “aszljtm”. Many data were not backed up at this time and cannot be recovered. It takes a lot of time to recreate the essentials. For example, images cannot be recovered.
    I spent a lot of time and money decrypting the files. Unfortunately without success. Also the use of the “BitDefenderGandCrabDecryptTool” was without success. Will there be any possibility of decryption in the near future – is it being worked on or will I rather have to accept the loss of the data? Thanks a lot. Please excuse my not perfect English.

    Reply
