Crab Virus Removal (+ Restore Files)

How to Remove Crab Ransomware?

Readers have recently started reporting the following message being displayed when they boot their computer:

—= GANDCRAB V4 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
____________________________________________________________________
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link
| 4. Follow the instructions on this page


If your files have the .crab extension, prepare for trouble. The news is bad! Very bad! Your system is infected with a devastating virus. The infamous .crab Ransomware (also known as Gandcrab Ransomware) lurks in the shadows of your system. The virus follows instructions to lock your files and to blackmail you. This nasty ransomware was first discovered in January 2018, and it has been actively developed ever since. Each new version of the virus is more advanced and havoc-wreaking than the previous one. The researchers at Comodo labs discovered that the newest version, v4.0, uses one of the most efficient encryption algorithms out there, the Tiny Encryption Algorithm (TEA). TEA allows the virus to encrypt your files undisturbed by anti-virus software.

In complete silence, the parasite locks your precious files. You can identify the locked files by the .crab extension (shown as .KRAB in the ransom note above). These files are visible and have normal icons, but when you try to open them, they don’t load. No matter what apps you use, you cannot open or use them. You can only see their icons. To restore your files, .crab Ransomware demands a hefty ransom paid in cryptocurrency. The virus displays a ransom note once it’s finished with the encryption. The note contains the criminals’ demands, as well as detailed instructions on how you should pay the ransom.

The criminals play psychological games with you. They threaten to increase the sum if you refuse to follow their instructions. Do not fall victim to this simple trap. Don’t act impulsively! You are dealing with criminals. You can never win against them. Don’t contact them, and most importantly, don’t sponsor them. Your best and only course of action is the immediate removal of the virus. .crab Ransomware should be stopped before it gets a chance to become even more devastating.

How did I get infected?

Crab Ransomware uses mass-distribution methods to reach a broad spectrum of potential victims. It hides in torrents, fake updates, corrupted files, and spam emails. The parasite lurks in the shadows and waits for a chance to strike. Do not make its job easier. Don’t let your guard down. Your caution can prevent these methods from succeeding. Don’t visit shady websites. Download your software from reputable sources only. Think twice before opening an unexpected message. All unexpected messages should be treated as potential threats. Before you open them, verify their senders. If, for example, you receive an email from an organization, go to their official website. Compare the email addresses listed there to the questionable one. If they don’t match, delete the pretender immediately. Choose caution over carelessness. One keeps the parasites away, the other invites them in. Don’t let parasites like the .crab ransomware trick you ever again. Always take the time to do your due diligence!


Why is Crab dangerous?

You are dealing with criminals. These people target your wallet. To reach their goals, they won’t hesitate to cheat. Their promises are not warranted. Do not believe them. No one can guarantee you that the hackers will fulfill their promises. Don’t jump into impulsive actions. Practice shows that when one deals with ransomware such as the .crab virus, the criminals tend to ignore the victims once the ransom is paid. There are even cases where the hackers demanded a second ransom. Don’t test your luck. Remove the ransomware as soon as possible. The more time this virus spends on board, the worse your situation becomes. These parasites are also quite capable spying tools. The hackers may manage to steal sensitive information through the .crab ransomware. If, for example, you use your infected computer to pay the ransom, the criminals may steal your financial details. Do not risk it! Remove the .crab virus ASAP!

Crab Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Crab Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing CTRL+SHIFT+ESC simultaneously
  • Locate the process of the ransomware. Have in mind that its file name is usually randomly generated.
  • Before you kill the process, note its name in a text document for later reference.

[screenshot: ending the malicious process in Task Manager]

  • Locate any suspicious processes associated with the Crab encryption virus.
  • Right-click on the process
  • Open File Location
  • End Process
  • Delete the directories containing the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click the “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select the “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click the “Apply” and “OK” buttons

STEP 3: Locate the Crab encryption virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously.

[screenshot: the Win+R Run dialog]

In the Registry Editor (type regedit in the Run dialog and press Enter), depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the entry with the random display name: [RANDOM]


  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the Windows msconfig program (System Configuration) to double-check the execution point of the virus. Please have in mind that the names on your machine might be different, as they might be generated randomly; that’s why you should run a professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

[screenshot: Windows System Restore]

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open Shadow Explorer and choose the drive you want to recover. Right-click on any file you want to restore and click Export.
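As an added example (not part of the original guide), the following PowerShell script automates the triage behind STEP 3 and STEP 4: it reads the three Run keys listed above, flags autorun entries that launch from %appdata% and similar user-writable folders, counts files carrying the .KRAB extension named in the ransom note, and lists the shadow copies that Method 3 depends on. It is read-only and deletes nothing; it assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example, not code from the original guide. Read-only triage of the
# startup keys named in STEP 3 and of the damage/recovery options in STEP 4.
# Assumption: run as Administrator on the affected Windows machine.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# User-writable folders in which a legitimate startup program rarely lives.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $cmd = [string]$p.Value
        # Extract the executable path: a quoted path, or else the first token.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exeExpanded = [Environment]::ExpandEnvironmentVariables($exe).ToLower()
        $inSuspectRoot = $suspectRoots | Where-Object { $exeExpanded.StartsWith($_) }
        $status = if ($inSuspectRoot) { 'SUSPECT' }
                  elseif ($exeExpanded -and -not (Test-Path -LiteralPath $exeExpanded)) { 'MISSING' }
                  else { 'ok' }
        '{0,-8} {1} : {2} = {3}' -f $status, $key, $p.Name, $cmd
    }
}

# Size the damage: count files with the extension from the ransom note.
# NTFS is case-insensitive, so '*.KRAB' also matches files written as .crab.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.KRAB' -ErrorAction SilentlyContinue
'{0} encrypted files found under {1}' -f @($encrypted).Count, $env:USERPROFILE

# Method 3 only works if shadow copies still exist; list them before trying Shadow Explorer.
vssadmin list shadows
```

Review every SUSPECT or MISSING line by hand before deleting anything, since the value names are randomly generated and a legitimate program installed per-user can also start from %appdata%.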
