GandCrab Ransomware

What is GandCrab Ransomware?

GandCrab Ransomware is yet another file-encrypting infection that was created by cyber criminals to take your money. Just like most other threats of this kind, the ransomware could slither into the targeted system via corrupted spam emails and known security backdoors, but our malware researchers have found that the threat is also spread using the RigEK exploit kit. RigEK delivers a malicious payload when the victim visits an insecure website; it then uses JavaScript to check for vulnerable browser plug-ins that could be exploited. At the time of research, the ransomware was mostly affecting Windows users in South Korea, the United States, China, and Russia, but that does not mean that you are safe if you live in a different region. If you still have time, you need to protect your operating system as soon as possible, but if the malicious infection has already invaded, you need to focus on deleting it first. If you do not know how to remove GandCrab Ransomware, you will find useful information in this report.

How does GandCrab Ransomware work?

A complex AES encryption algorithm is employed by GandCrab Ransomware to corrupt your personal files. According to our research, at least 461 different types of files can be corrupted by this dangerous threat, and, of course, it is primarily targeted at documents, photos, media files, and other personal data. When the files are encrypted, you will find the “.GDCB” extension attached to their names. This extension is used solely for easy identification, and you cannot recover files by removing it. In fact, recovering files is unlikely to be possible at all. Of course, the creator of GandCrab Ransomware wants you to believe something else. After the encryption, the infection creates a file named “GDCB-DECRYPT.txt.” This file is created in every folder that contains encrypted files, and it informs you that you need a “private key” to recover them. The instructions in the file suggest that you need to install the Tor Browser and visit one of the gdcbghvjyqy7jclk.onion/[ID] pages listed in it. If you do that, you are shown instructions on how to pay the ransom of 1.5 DASH to XyQPEUnmKZLUicTYNKnDfEMhiMkAj9Q1pa. Dash is a cryptocurrency, and, at the moment, 1.5 Dash is nearly 1200 USD. The ransom note also informs you that the ransom will double if you do not pay it within 4 days and 12 hours. You will not get a decryptor if you pay the ransom, which is why you should focus on deleting the threat.

Before GandCrab Ransomware starts encrypting, it does a few different things. First of all, it creates a copy of itself in the %APPDATA%\Microsoft\ folder. An autorun entry for this executable is also created in the Windows Registry at HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce. The copy that was analyzed in our internal lab was named “wngtom.exe,” but it could have a unique name on your computer. The ransom note file (“GDCB-DECRYPT.txt”) is also placed in the %ALLUSERSPROFILE%\Start Menu\Programs\Startup folder to ensure that it opens if you restart the computer. The infection also looks for specific processes and, if they are active, terminates them. This can be used to terminate anti-malware software that could delete GandCrab Ransomware. Furthermore, the threat records your location, the operating system’s version, PC username and name, PC workgroup, PC language, date of encryption, and the number of encrypted files. This data is not personal, but the attacker can display it on the payment website, which could intimidate you into paying the ransom. As discussed earlier, paying the ransom is the wrong move.

How to delete GandCrab Ransomware

If the malicious GandCrab Ransomware has slithered into your Windows operating system, you should realize that soon enough, but, unfortunately, not before the threat completes the encryption of your files. The creator of this malware wants you to pay a ransom, which, allegedly, should grant you access to a decryption key. Unfortunately, cyber criminals can promise you anything just to get your money. Unless you have backups in which copies of your personal files are stored safely, you will not be able to recover your files. Luckily, you should be able to delete GandCrab Ransomware regardless of the situation. It is best to employ trustworthy anti-malware software because it can automatically clean and protect your operating system. If you decide to delete the ransomware manually, use the instructions available below.

Removal Instructions

  1. If the ransomware was launched using a malicious {random name}.exe file, you need to find and Delete it.
  2. Launch Windows Explorer by tapping Win+E keys on the keyboard.
  3. Enter %ALLUSERSPROFILE%\Start Menu\Programs\Startup into the bar at the top.
  4. Delete the file named GDCB-DECRYPT.txt.
  5. Delete all other copies of the GDCB-DECRYPT.txt file.
  6. Enter %APPDATA%\Microsoft\ into the bar at the top.
  7. Delete the malicious .exe file (could be named wngtom.exe, but if you are not sure, check the location revealed in the value data of the malicious value; see step 10).
  8. Launch RUN by tapping Win+R on the keyboard and then enter regedit.exe into the dialog box.
  9. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  10. Delete the {random name} value representing the ransomware.
  11. Empty Recycle Bin to eliminate the malicious components.
  12. Install a trusted malware scanner and perform a full system scan. If any threats remain active, figure out how to eliminate them as soon as possible.
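Before following the manual steps, it helps to confirm which of the indicators described above are actually present on the machine. The script below is an added example, not code from the original article or from any vendor; it is a read-only triage that checks the RunOnce key, the %APPDATA%\Microsoft\ folder, the Startup folder and the user profile for the artifacts the article names (the RunOnce value pointing into %APPDATA%\Microsoft\, the dropped .exe, GDCB-DECRYPT.txt, and files carrying the .GDCB extension) and writes a JSON report. It deletes nothing; the removal steps above still have to be carried out. The `$SearchRoot` and `$ReportPath` parameters are assumptions of this example, as is the default of scanning only the current user's profile.

```powershell
# Added triage example (not from the original article): report GandCrab indicators
# described in the text. Read-only; run in PowerShell as the affected user.
# Assumed parameters (not from the article): $SearchRoot, $ReportPath.
param(
    [string]$SearchRoot = $env:USERPROFILE,
    [string]$ReportPath = (Join-Path $env:TEMP 'gandcrab-triage.json')
)

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Persistence: RunOnce values under HKCU whose data points into %APPDATA%\Microsoft\
$runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$appDataMs  = Join-Path $env:APPDATA 'Microsoft'
if (Test-Path $runOnceKey) {
    $key = Get-Item -Path $runOnceKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # Expand %APPDATA%-style references and strip surrounding quotes before comparing
        $target = [Environment]::ExpandEnvironmentVariables($data).Trim('"')
        if ($target -like "$appDataMs*") {
            Add-Finding 'RunOnceValue' ("{0} = {1}" -f $name, $data)
        }
    }
}

# 2. Dropped copy: any .exe sitting directly in %APPDATA%\Microsoft\ (the lab sample was wngtom.exe,
#    but the name varies, so every .exe there is listed for review rather than flagged as malicious)
if (Test-Path $appDataMs) {
    Get-ChildItem -Path $appDataMs -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'ExeInAppDataMicrosoft' $_.FullName }
}

# 3. Ransom note in the all-users Startup folder (the path the article gives) and under the profile
$startup  = Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'
$notePath = Join-Path $startup 'GDCB-DECRYPT.txt'
if (Test-Path $notePath) { Add-Finding 'RansomNoteStartup' $notePath }
Get-ChildItem -Path $SearchRoot -Recurse -Filter 'GDCB-DECRYPT.txt' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'RansomNote' $_.FullName }

# 4. Encrypted files: count everything carrying the .GDCB extension (renaming them does not help,
#    but the count tells you the scope of the damage and which folders to restore from backup)
$encrypted = @(Get-ChildItem -Path $SearchRoot -Recurse -Filter '*.GDCB' -File -ErrorAction SilentlyContinue)
if ($encrypted.Count -gt 0) {
    Add-Finding 'EncryptedFiles' ("{0} file(s) with .GDCB under {1}" -f $encrypted.Count, $SearchRoot)
    $encrypted | Select-Object -First 5 | ForEach-Object { Add-Finding 'EncryptedFileSample' $_.FullName }
}

# Report: table on screen, JSON on disk for the incident record
$findings | Format-Table -AutoSize
$findings | ConvertTo-Json | Set-Content -Path $ReportPath
Write-Host ("{0} finding(s); report written to {1}" -f $findings.Count, $ReportPath)
```

A RunOnceValue finding plus an .exe in %APPDATA%\Microsoft\ together identify the file and the registry value that steps 7 and 10 refer to, which is why the script prints the value data in full instead of only the value name. Run it before and after the manual removal: an empty second report (apart from the .GDCB count, which only a backup restore reduces) confirms the persistence has been cleared.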
