GandCrab is a new group of hazardous ransomware that is making its rounds since the beginning of the year 2018. It is now dubbed as the most prolific ransomware virus of the year due to its several updates and revisions that shows how serious it is in attacking systems. On this section, we have emphasized the changes on each version including adjustment on its encryption technique and dissemination campaign.
GandCrab v1 (.GDCB)
The initial version of GandCrab was discovered on January 2018. It encrypts files on victim’s computer appending the original file extension to .GDCB. The virus is using unique key for encryption and demand ransom payment in newer DASH crypto-currency. As we all know, most ransomware virus is using Bitcoin due to its popularity and wide availability. To inform user on file recovery, GandCrab v1 will drop a ransom note named GDCB-DECRYPT.txt
GandCrab v1 quickly spread over the internet by utilizing GrandSoft EK and RIG EK exploit, which allows attacker’s file to reside under AppData (%appdata%\Microsoft\Crypto) folder. The virus also injects malicious code onto the system process nslookup.exe.
GandCrab v1 Decryptor
Bitdefender immediately halted the damage extent due to the release of GandCrab v1 decryption tool. At the end of February 2018, users were able to decrypt files without having to pay the ransom. Thus, attacker immediately ceases the operation of GandCrab v1.
GandCrab v2 (.CRAB)
Cybercriminals came back a week after the release of decryptor tool for their initial version. GandCrab v2 was released with new sets of encryption algorithm making the Bitdefender tool ineffective. On this version, attackers append the infected file with .CRAB extension. Ways to spread GandCrab v2 can now also hit many users by taking advantage of vulnerable users through spam emails.
GandCrab v3 (.CRAB)
On first week of May 2018, GandCrab v3 was released with only few manifestations of changes and upgrades. This version aims to scare victims furthermore. Aside from ransom note, GandCrab v3 modifies desktop wallpaper on the computer reflecting ways to recover files.
Dissemination campaign was also improved and is now using various exploit kit aside from distributing a copy through email spam messages.
GandCrab v4 (.KRAB)
The fourth version of GandCrab comes up in July 2018 with major changes, including a new encryption method. This variant uses Tiny Encryption Algorithm (TEA) to conceal itself. In addition, infected files are appended with .KRAB extension instead of .CRAB. Attackers also revised the distribution channel for GandCrab v4 by utilizing malicious crack and piracy websites. When user downloads and runs the host file, the ransomware immediately integrate its code on the computer and commit encryption procedures.
After encrypting all important files on the computer, GandCrab v4 opens a ransom note named KRAB-DECRYPT.txt containing procedures, warnings, keys, and data.
GandCrab v5.0
It was on September of 2018 when primary version of GandCrab starts circulation of cyber world. Security experts’ notices that the extension is not associated with the ransomware name anymore. It appends the infected file with five random characters. Ransom note is now readable via web browser due to its HTML file association.
To infect web users, GandCrab v5 is spread via malicious advertising campaign that redirects browsers to sites hosting the Fallout exploit kit that targets vulnerabilities in VBSCript of some programs. Victims computer becomes infected discretely via simple redirects and hijacking techniques perpetuated by attackers.
How to Remove GandCrab Ransomware
IMPORTANT: Before proceeding with the clean-up process, it is important to save a copy of ransom note because there are valuable information on this file such as personal identifier (ID) and key. No need to worry, ransom note is only a text file that do not cause danger on the computer.
Ransomware files are placed deeply into the system and on various locations, thus, thorough scanning is vital to totally remove GandCrab Ransomware virus. Aside from our suggested tool, you may also run your own security program.
Though affected files may be impossible to decrypt due to complexity of the encryption, you can still try recovery method like Shadow Explorer or Previous Version as described below.
Stage 1: Scan the Computer with ESET Rogue Application Remover (ERAR)
1. Download the free scanner called ESET Rogue Application Remover.
Download Link for ERAR (this will open a new window)
2. Choose appropriate version for your Windows System. Save the file to a convenient location, preferably on Desktop.
3. After downloading the file, Windows will prompt that download has completed. Click Run to start the program. Another option is to browse the location folder and double click on the file ERARemover_.exe.
4. On ESET Rogue Application Remover SOFTWARE LICENSE TERMS, click Accept to continue.
5. The tool will start scanning the computer. It will prompt when it finds GandCrab Ransomware virus and other malicious entities. Follow the prompt to proceed with the removal.
Stage 2: Double-check for GandCrab Ransomware’s leftover with Microsoft’s Malicious Software Removal Tool
1. Download the free scanner called Malicious Software Removal Tool.
Malicious Software Removal Tool Download Link (this will open a new window)
2. The tool automatically checks the operating system and suggest appropriate download version. Click on Download button to begin. Save the file to a convenient location, preferably on Desktop.
3. After downloading the file, Windows will prompt that download has completed. Click Run to start scanning for GandCrab Ransomware. Another option is to browse the location folder and double click on the file to run.
4. The tool will display Welcome screen, click Next. Please note the message “This tool is not a replacement for an antivirus product.” You must understand that this program is made specifically to find and remove malware, viruses, Trojans, and other harmful elements on the computer. It was not designed to protect the computer.
5. Next, you will see Scan Type. Please choose Full Scan to ensure that all GandCrab Ransomware virus entities and other harmful files left on the computer will be found and removed. For advanced computer user, you can opt for Customized Scan, if there are other drives or folders you wanted to include in this scan.
6. Full scan may take a while, please wait for Malicious Software Removal Tool to complete the tasks. However, you may cancel the scan anytime by clicking on the Cancel button.
7. After scanning, the tool will reveal all identified threats. There may be other threats that our first scan fails to detect. Please remove/delete all detected items.
8. When removal procedure is complete, you may now close Malicious Software Removal Tool. We hope that GandCrab Ransomware have been completely deleted from the computer. Please restart Windows to proceed with the normal operation.
Stage 3 : Unlocking files with GandCrab Decryption Tool
GandCrab Decryption Tool is now made available by BitDefender. The utility automates the decryption process for files that were affected by GandCrab version 1, 4, and 5. These files can be easily recognized bearing the extensions .GDCB, .KRAB, and random alpha characters (ex .HGBYUS).
Option 1: Windows Previous Version Tool
Windows Vista and Windows 7 have a feature called Previous Versions. However, this tool is only usable if restore point was made prior to GandCrab Ransomware virus infection. To use this tool and recover files affected by the virus, please follow these steps:
1. Open My Computer or Windows Explorer.
2. Right-click on the affected files or folders. From the drop-down list, please click on Restore previous versions.
3. New window will open display all backup copy of files and folders you wanted to recover. Choose the appropriate file and click on Open, Copy, or Restore. Restoring selected files overwrites the current encrypted files on the computer.
Option 2: Use ShadowExplorer to restore files encrypted by GandCrab Ransomware
Just like Previous Version tool, ShadowExplorer is taking advantage of shadow copy created by Windows. This tool allows you to retrieve older version of files before it was encrypted by GandCrab Ransomware.
1. Download ShadowExplorer from the official web site.
2. Install the program with the default settings.
3. The program should run automatically after installation. If not, double-click on ShadowExplorer icon.
4. You can see the drop-down list on top of the console. Please select proper drive and the most recent point-in-time shadow copies of files you wish to restore prior to GandCrab Ransomware infection.
5. Right-click on the Drive, Folder, or File you wish to restore and click Export…
6. Lastly, ShadowExplorer will prompt for location where you want to save the copy of recovered files.
