What is GandCrab v5.2 and how to restore files encrypted by GandCrab v5.2? All you want to know about this deadly ransomware, its removal and free decryption tool.
GANDCRAB 5.2 Ransomware
GANDCRAB v5.2 is another version of GandCrab family of ransomware threats that is active since 2 years. This ransomware has been successful in infecting millions of computer users by encrypting their files with strong encryption algorithm. Like any other ransomware, GANDCRAB v5.2 targets documents, videos, images and other important files stored on the system. Later it leaves a ransom note that instructs users about the encryption and how to contact the authors of the ransomware to get the files back.
According to the ransom note, it asks users to install TOR browser and make the payment in Bitcoins. After that, the authors will provide the decryption key. But now there is good news for computer users as the news surfaced out that the GANDCRAB ransomware is officially being shut down by its authors. Thus, the security experts have now released the decryption tool for the files infected with GANDCRAB v5.2.
GANDCRAB 5.2 Ransomware virus Distribution methods:
GANDCRAB 5.2 uses the same mode of distribution like other variants of the GandCrab ransomware family. The most effective way of distribution is spam email attachments laden with malicious payloads. The attachment is embedded in the form of achieve that needs to be unzipped on the PC. The attachments can be a form of document that may contain malicious links or java script code that starts executing once the user downloads the infected document.
Other sources include: infectious website that distribute the payloads of the threat hidden within freeware downloads, software cracking tools, fraud activators for paid software programs, patches with wordpress plug-ins, fake media converter tools and so on.
Till now, the GANDCRAB ransomware has released various versions of the threat including GandCrab v1 (.GDCB), v2 (.CRAB), GandCrab v3, v4, v5. The newest version of which is GANDCRAB 5.2.
Once the target computer is infected with GANDCRAB 5.2 ransomware, it execute rlxsbp.exe file that also creates another child process within wmic.exe(Windows Management Instrumentation) process.
From then on, the GandCrab v5.2 ransomware beings scanning through the whole computer to locate files of various extension. The files include documents, images, videos, PDFs and more. The encryption algorithm used by GANDCRAB 5.2 ransomware is known as Salsa20. The infected files are locked with random extension and after that it drops the ransom note named as “-DECRYYPT.txt”.
The ransom note created by GANDCRAB 5.2 ransomware contains the following message:
—= GANDCRAB V5.2 =—
UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS
All your files, documents, photos, databases and other important files are encrypted and have the extension:
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/ b6314679c4ba3647/
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
From the above message, the authors of the ransomware asks the victim to follow the link to download the TOR browser. It redirects users to payment gateway asking users to pay in Bitcoins or Dash coins.
GANDCRAB 5.2 ransomware should be removed from the infected computer and then you should try recovery of encrypted files.
How To Remove GANDCRAB 5.2 Ransomware virus Without Paying Ransom
In this guide, you will find removal instruction of GANDCRAB 5.2 Ransomware virus both manually and using anti-malware tool. At times, virus does not allow the installation or scanning of anti-virus program, so you need to switch to “safe mode with networking”. After that you can try recovery of your data if you have any backup or we have listed some methods which may help you to recover some of your data.
Before removing the threat, you must copy the ransom note text file to some other computer or USB drive. It will help in the recovery process.
Use Ransomware Defender To Remove GANDCRAB 5.2 Ransomware(Recommended)”
Ransomware Defender Overview
ShieldApps’ Ransomware Defender is a specially designed security program for Ransomware threats. This anti-ransomware program detects and permanently blocks any ransomware prior to its attack on the protected system.
Ransomware Defender maintains its threat database and its related information which makes the program proactively detect any sort of threat and notifies users upon detection. This anti-ransomware program works well along with your primary anti-malware applications and does not interfere with its work.
Ransomware Defender is compatible with Windows 7, 8, 8.1 and 10. And is suitable for both home and business network. It has various prominent features like real-time ransomware detection, scan protection, history cleaner, file transfer tools and automated scans that helps in better detection of ransomware threat and blacklist them from your system permanently. Additionally, this anti-ransomware solution also provides firewall security, internet protection, mobile security, and virtual private network configuration. The solution also offers 24/7 customer support via email.
If you generally do not keep backups of your important files and documents or use your computer or device for storing financial and business details, then it is very important to keep them secure. Here Ransomware Defender is proved as a comprehensive anti-ransomware solution.
Do not compromise with your computer’s security.
Ransomware Defender solution comes with a subscription of $49.95.
Ransomware Defender Features
- Ransomware Protection: This ransomware solution effectively detects, removes and blacklists any ransomware that attempts to attack your system. And always keep monitoring the system within background for any possible attacks.
- Smart Ransomware Detection: Due to its advanced technology of threat detection, you can rest assured of system protection. It will give real-time updates and report of any suspicious activity.
- Internet Security: Protects from any unethical web activity, malicious attempts to breach your internet security, blocks any malicious websites and infected online scripts through ransomware generally enter.
- Scheduled Scan/Clean Action: It provides a user-friendly and fully automated solution for schedule scans at your preferred timings, thus even if you forgot to manually scan your computer you are still protected.
- Secure File Eraser: It’s a very important feature provided by Ransomware defender that empowers you to fix any of your files/applications that you suspect as infected.
- 24/7 PROTECTION: Ransomware Defender provides 24/7 real-time protection due to its auto and schedules scan mechanism that guards your system all the time.
Installing Ransomware Defender
- Click on the link to Download Ransomware Defender.
- Choose the location to save the installation file and click on “save”.
- After the download is completed, double-click on the downloaded file to open.
- If prompted by User Account Control: click on “Yes” button.
- This will open an installation wizard. Click on “Install“. Now simply follow the on-screen instructions to complete the installation procedure.
- After Ransomware Defender successfully installs, a new tab or window will open on your browser showing confirmation of the installation.
Run Scan To Detect GANDCRAB 5.2 Ransomware threat on your computer
Follow the steps to properly scan and remove GANDCRAB 5.2 ransomware threat from your computer:
- Start the scan: Once the installation is completed, the Ransomware defender application window will open. Here you have 3 options for scan: Quick, Deep, and Custom. We suggest doing Deep scanning for the first time for better detection of ransomware threats.
- Let the scanning process be completed: Scan will take a few minutes so be patient and let the scan be fully completed.
- Review the Scan Results and remove the threats: Review the scan results that will show all the threats and malware found during the scan process, you can manually choose to remove the threats one-by-one by clicking on the threat name and select “delete” or simply click on the “Clean All” button.
Manually Find And Remove GANDCRAB 5.2 (Recommended Only For Advanced Users)
The manual steps guided below are the links separately made with caution, to avoid any confusion to our readers. Please follow the links below and perform them one by one. If you are going for the manual removal process, then we recommend you to print/download these instructions or open it from another uninfected computer or laptop and follow step-by-step manual removal instruction. Windows OS PDF Guide.
Method 1: Remove GANDCRAB 5.2 Ransomware and its associated files from the computer through safe mode with command prompt.
- Reboot your computer to “Safe Mode with Command Prompt”
- End malicious process from “Task Manager“
- Deep Scan the infected computer to ensure complete removal (Recommended)
Method 2: Remove GANDCRAB 5.2 Ransomware virus using System Restore Procedure
After that, the ransomware threat should go, but if it is still there, then you need to try another method which is the “System Restore”. Click here to perform System Restore in Windows OS.
How to Restore the Encrypted Files?
Click here to know How you can restore the encrypted file. (Manual)
The security experts have released the decryption tools to restore the files encrypted by the GandCrab (v5.2) for free.
Note: Before attempting the decryption, you should free your computer from ransomware threat. And keep a copy of ransom note separately by coping it in a flash drive or elsewhere. Also make sure your computer is connected to network.