An infection with the dangerous GandCrab 5.0.2 ransomware virus leads to serious security issues. With our removal guide, victims can try to restore and protect their computers.
Manual Removal Guide
Files Recovery Approaches
Skip all steps and download anti-malware tool that will safely scan and clean all harmful files it detects on your PC.
SpyHunter is a Windows application designed to scan for, identify, remove and block malware, potentially unwanted programs (PUPs) and other objects. By purchasing the full version, you will be able to remove detected malware instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
Distribution of GandCrab 5.0.2 Ransomware
The GandCrab 5.0.2 ransomware is the latest iteration of the GandCrab malware family. The primary distribution tactic relies on exploit kits that use bulk email messages. They impersonate widely used Internet services or notifications that may be of interest to the target users. Once they are opened by them the file will be placed either as an attached form or linked in the body contents. A common tactic is to use infected payloads. Two of the most popular types are the following:
- Infected Documents — The hackers can create malicious documents of the most popular file types: presentations, databases, text files and spreadsheets. However once they are opened by the users a notification prompt will appear asking the targets to enable the built-in scripts (macros). Once this is done the infection will begin.
- Malware Installers — The criminals can take the legitimate setup files of popular software and embed them with the malicious code. When the installers are executed the virus will also be deployed.
Additionally GandCrab 5.0.2 ransomware files can be spread over file-sharing networks such as BitTorrent where popular pirate contents is usually spread. This is particularly effective when used in combination with the malicious software installers.
In some cases the hackers can also utilize browser redirect plugins — thy are made by the criminals with the aim of impersonating real-world plugins made for the most popular web browsers. They are uploaded to the relevant repositories using fake user reviews and developer credentials. They are advertised as improving the work of the browsers and adding new functionality. However once they are installed the built-in code will manipulate the infected browser to redirect the users to a designated web address. When this process is complete the virus will be deployed and the infection will follow.
Impact of GandCrab 5.0.2 Ransomware
The GandCrab 5.0.2 ransomware iteration follows the same behavior patterns as previous versions of the family. It follows a step-by-step process of launching components that all seek to help deliver the infection and launch the ransomware engine when the appropriate conditions have been met.
The virus is delivered by a payload dropper which will deliver the components one-by-one. This is done as one of the first actions that is run is the stealth protection procedure. It will scan for any security software that can interfere with the proper malware execution. Usually this targets anti-virus software, sandbox (debug) environments and virtual machine hosts. Both their real-time engines and main software can be bypassed or entirely removed.
When this process is complete the GandCrab 5.0.2 ransomware strain will be able to take over complete control of the infected system — this is very important as it will allow the engine to create its own processes (many of them at once) and gain administrative privileges.
Following this another component is run which will extract sensitive data found on the compromised machines. The security experts typically categorize it in two main groups:
- Personal Information — The module can search for strings that can reveal the person’s name, address, telephone number, location and any stored account credentials.
- Campaign Metrics — The data collection utility can harvest hardware device parameters which are used to detect generate the unique user ID assigned to each infected host.
As the GandCrab 5.0.2 virus sample has attained total control of the systems it can also access any service or user-installed applications, including the contents of office documents and web browsers.
The security analysis also shows that the infection module installs the threat as a persistent malware. This means that it will automatically start every time the computer is booted and it may also affect operating system services and access to the recovery boot menu. Following this Windows Registry modifications can follow. If it affects the operating system it may cause serious performance issues, changes to individual applications can render certain functions non-accessible.
A network connection is also established to a hacker-controlled server. Depending on the configuration this can be used to either report the infection or activate a Trojan module. It will establish a secure connection to the hackers. This allows the criminals to spy on the users, take over their files and control the infected machines at any given time. An additional measure used by the GandCrab virus family is its ability to delete system data — both the Shadow Volume Copies and System Restore Points are affected.
When every module is run and their execution is complete the ransomware component will run. Like previous versions it will use a strong cipher in order to encode the target data. By using a built-in list of target file extensions the encryption engine will process them. An example list includes the following:
- Archives
- Backups
- Documents
- Images
- Videos
- Music
Previous versions of the GandCrab 5 ransomware are known to process the following extensions:
1st, .602, .7z, .7-zip, .abw, .act, .adoc, .aim, .ans, .apkg, .apt, .arj, .asc, .asc, .ascii, .ase, .aty, .awp, .awt, .aww, .cab, .doc, .docb, .docx, .dotm, .gzip, .iso, .lzh, .lzma, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .rar, .sldm, .sldx, .tar, .vbo, .vdi, .vmdk, .vmem, .vmx, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xps, .z, .zip
The files will be renamed with a 10-leter random extension. The appropriate ransomware note is crafted according to the following template: XXXXXXXXXXX-DECRYPT.txt. The first part of the note will be replaced with the extension. The wallpaper will be changed with a black background with red letters:
ENCRYPTED BY GANDCRAB 5.0.2
DEAR XXXXXXXXXXXXXXX,
YOUR FILES ARE …. STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR
For further steps read XXXXXXXXXX-DECRYPT.txt that is located in every encrypted folder
Remove GandCrab 5.0.2 Ransomware Virus and Restore PC
Please note that paying the requested ransom fee to cyber criminals does not really solve your problem with GandCrab 5.0.2 crypto virus. In fact, you only encourage hackers to continue spreading ransomware of this kind. Instead, you must remove the threat immediately, and only then look for optional ways to recover your data.
WARNING! Manual removal of GandCrab 5.0.2 ransomware virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.
DOWNLOAD SpyHunter Anti-Malware ToolGandCrab 5.0.2 Ransomware Virus – Manual Removal Steps
Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps below are applicable to all Windows versions.
1. Hit the WIN Key + R
2. A Run window will appear. In it, write msconfig and then press Enter
3. A Configuration box shall appear. In it Choose the tab named Boot
4. Mark Safe Boot option and then go to Network under it to tick it too
5. Apply -> OK
Show Hidden Files
Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.
1. Open My Computer/This PC
2. Windows 7
- – Click on Organize button
– Select Folder and search options
– Select the View tab
– Go under Hidden files and folders and mark Show hidden files and folders option
3. Windows 8/ 10
- – Open View tab
– Mark Hidden items option
4. Click Apply and then OK button
Enter Windows Task Manager and Stop Malicious Processes
1. Hit the following key combination: CTRL+SHIFT+ESC
2. Get over to Processes
3. When you find suspicious process right click on it and select Open File Location
4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process
5. Next, you should go folder where the malicious file is located and delete it
Repair Windows Registry
1. Again type simultaneously the WIN Key + R key combination
2. In the box, write regedit and hit Enter
3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable
4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys
Click for more information about Windows Registry and further repair help
Recover Encrypted Files
WARNING! All files and objects associated with GandCrab 5.0.2 ransomware virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.
SpyHunter is a Windows application designed to scan for, identify, remove and block malware, potentially unwanted programs (PUPs) and other objects. By purchasing the full version, you will be able to remove detected malware instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
1. Use present backups
2. Use professional data recovery software
Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
3. Using System Restore Point
- – Hit WIN Key
– Select “Open System Restore” and follow the steps
4. Restore your personal files using File History
- – Hit WIN Key
– Type restore your files in the search box
– Select Restore your files with File History
– Choose a folder or type the name of the file in the search bar
– Hit the “Restore” button
