Remove “Encrypted by Gandcrab v5.1” Ransomware (+File Recovery)

How to Remove “Encrypted by Gandcrab v5.1” Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

—= GANDCRAB V5.1 =—

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .HJNAKLIQ

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

—————————————————————————————-

| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/da9ad04e1e857d00
| 4. Follow the instructions on this page

—————————————————————————————-

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!

IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

—BEGIN GANDCRAB KEY—
******
—END GANDCRAB KEY—

—BEGIN PC DATA—
******
—END PC DATA—


Gandcrab Ransomware is a notorious cryptovirus. Active since January 2018, this destructive virus has infected thousands of users worldwide. Its newest variant (v5.1) corrupts files faster than ever. Gandcrab v5.1 slithers into your system unnoticed and corrupts everything. It alters settings, modifies the Registry, drops files, and starts malicious processes. The virus follows its programming to locate and corrupt user-generated data, and it does so without wasting any time. Databases, multimedia, archives, documents: Gandcrab v5.1 encrypts all known file formats. It puts your files under lock and key and changes your desktop wallpaper to a warning. The virus displays a short message which explains that your PC is infected and that you can find more information in a text file that is copied into every folder on your HDD. This file is the ransom note. It lists the hackers’ demands. They demand $500 paid in either Bitcoin or DASH. In exchange, the cybercriminals promise a decryption tool that can restore your files. They also offer free decryption of one file as proof of their competency. There is a catch, though. The free-decrypted file must be an image file, because, as the note explains, these files are usually “not valuable.” As for your “important” documents, they remain locked until you pay. Do not swing into action, though. The crooks promise a lot, but file recovery is not guaranteed. You are dealing with cybercriminals. These people are notorious for double-crossing their victims.

How did I get infected?

Gandcrab v5.1 is spread through a massive spam email campaign. The scammers write on behalf of well-known organizations and companies. They use deceptive language and misleading visuals to lure you into downloading their malicious attachments. You, of course, know better than to open suspicious files. You scan everything with a powerful anti-virus program. You open the attachments only if the scan results are clean. Well, the scammers know how to bypass your anti-virus app. Their attachments don’t trigger alarms. The scheme with these files is a bit more complicated. The files themselves are harmless. If you open them in “Editing mode,” however, malicious macros execute and download the virus in the background. Be careful how you interact with your inbox. Treat all unexpected messages as potential threats. Always take a minute to verify the senders. If the message is from an organization, go to their official website. Compare the email addresses listed there to the questionable one. If they don’t match, delete the pretender. You can also enter the suspicious email address into a search engine. If it was used for shady business, someone might have complained online. Even a little extra vigilance can spare you many headaches. Always take the time to do your due diligence!

Remove “Encrypted by Gandcrab v5.1”

Why is “Encrypted by Gandcrab v5.1” dangerous?

If your files have been “Encrypted by Gandcrab v5.1,” brace yourself. Currently, there is no third-party decryption tool for this lock. Paying the ransom, however, is not advisable. The hackers demand DASH and Bitcoin. Both currencies are untraceable. Once you transfer the money, you cannot get a refund if something goes wrong. And that’s almost certain. Practice shows that the hackers tend to ignore the victims once they get the ransom. There are cases where the victims paid only to get blackmailed for more. There are also instances where the victims received partly working decryptors. Also, bear in mind that the file-decryption process only restores your files. It does not disable the virus. How would you feel if you restored your data only to get it re-encrypted hours later? Gandcrab v5.1 is a complete and utter menace. It holds your files hostage and threatens to destroy them. You can see the icons of precious files, but you cannot view or edit them. The nasty virus makes your system unusable. You cannot create new files, as they get locked immediately. You can only browse the Web, and even that is quite risky. Gandcrab v5.1 might be spying on you. This virus is created by crafty criminals. You cannot win against them. Your best course of action is the immediate removal of the ransomware.

“Encrypted by Gandcrab v5.1” Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover “Encrypted by Gandcrab v5.1” Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a randomly generated file name.
  • Before you kill the process, type the name into a text document for later reference.
  • Locate any suspicious processes associated with the “Encrypted by Gandcrab v5.1” encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate “Encrypted by Gandcrab v5.1” encryption Virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously, type regedit and press Enter.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the value with the display Name: [RANDOM]
  • Then open Windows Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the msconfig Windows program to double-check the execution point of the virus. Please have in mind that the names on your machine might be different, as they are generated randomly; that’s why you should run a professional scanner to identify malicious files.
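Because the process name and the Run-key value are randomly generated, a manual look in Task Manager and regedit is easy to get wrong. The following PowerShell script is an added example for STEP 1 and STEP 3; it is not part of the original guide. It lists running processes and the values in the three Run keys named above, and flags any whose executable lives in a user-writable directory (such as %appdata%) or is not validly signed, recording the SHA-256 so the name you note for later reference is backed by a hash. Assumptions: it is run in an elevated PowerShell session, and the list of user-writable roots is illustrative; adjust it for your environment.

```powershell
# Added triage example for STEP 1 (processes) and STEP 3 (Run keys). Not part of the original guide.
# Assumption: run elevated; $UserWritableRoots is an illustrative list, not an exhaustive one.
$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) | Where-Object { $_ }

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($root in $UserWritableRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ExecutableFromCommand {
    # Pull the executable out of a Run-key command such as: "C:\path\x.exe" /arg  or  C:\path\x.exe /arg
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $close = $cmd.IndexOf('"', 1)
        if ($close -gt 0) { $cmd = $cmd.Substring(1, $close - 1) }
    } else {
        $cmd = ($cmd -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($cmd)
}

function Get-FileEvidence {
    # Authenticode status plus SHA-256, so the file name you write down is tied to a specific binary
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Signature = 'file missing'; SHA256 = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Signature = $sig.Status.ToString()
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Get-Flags {
    param([string]$Path, [string]$Signature)
    $flags = @()
    if (Test-UserWritablePath $Path) { $flags += 'user-writable path' }
    if ($Signature -ne 'Valid')      { $flags += "signature=$Signature" }
    return ($flags -join '; ')
}

function Find-SuspiciousProcess {
    # STEP 1: running processes whose image is in a user-writable directory or is not validly signed
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
        $ev    = Get-FileEvidence $_.Path
        $flags = Get-Flags $_.Path $ev.Signature
        if ($flags) {
            [PSCustomObject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $_.Path; SHA256 = $ev.SHA256; Flags = $flags }
        }
    }
}

function Get-AutorunEntry {
    # STEP 3: every value in the three Run keys the guide names, with the same flags applied
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # Drop the provider's own PSPath/PSParentPath/PSChildName/... metadata properties
        $values = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($v in $values) {
            $exe = Get-ExecutableFromCommand ([string]$v.Value)
            $ev  = Get-FileEvidence $exe
            [PSCustomObject]@{ Key = $key; Name = $v.Name; Path = $exe; SHA256 = $ev.SHA256; Flags = (Get-Flags $exe $ev.Signature) }
        }
    }
}

Find-SuspiciousProcess | Format-Table -AutoSize
Get-AutorunEntry       | Format-Table -AutoSize
```

The script only reads; deleting the flagged Run value and the executable is still the manual step described above. Legitimate software does sometimes run from %appdata% (updaters and some installers do), so treat a flag as a reason to look closer, not as proof on its own, and keep the recorded hash for whatever scanner or analyst you consult next.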

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case you have one.
  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open Shadow Explorer, choose the drive you want to recover, right-click any file you want to restore and click Export.
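Method 3 can also be done with built-in Windows tools, which is useful when you would rather not install anything on an infected machine. The following PowerShell functions are an added example and are not part of the original guide: they list the shadow copies that still exist for a volume, expose the newest one through a read-only directory link, and copy the pre-encryption version of a file out of it, stripping the victim-specific extension (the note above shows .HJNAKLIQ; yours may differ). Assumptions: an elevated session, the link path C:\shadow_ro and the output folder C:\ShadowRecovery are placeholders you can change, and the encrypted file still sits at its original location.

```powershell
# Added example for Method 3 (Shadow Volume Copies) using only built-in tools. Not part of the original guide.
# Assumptions: run elevated; $LinkPath and $OutDir are placeholders; the encrypted file is still in place.
$LinkPath = 'C:\shadow_ro'        # directory link that will point into the snapshot (read-only use)
$OutDir   = 'C:\ShadowRecovery'   # recovered originals are written here, never back into the snapshot

function Get-ShadowCopyForVolume {
    # All shadow copies for a volume (e.g. 'C:\'), newest first. An empty result means this method cannot help.
    param([string]$Volume = 'C:\')
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }
    if (-not $vol) { throw "Volume $Volume not found" }
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending
}

function Mount-LatestShadowCopy {
    # Expose the newest snapshot under $LinkPath; mklink needs the trailing backslash on the device object
    param([string]$Volume = 'C:\')
    $sc = Get-ShadowCopyForVolume -Volume $Volume | Select-Object -First 1
    if (-not $sc) { throw "No shadow copies exist for $Volume" }
    if (-not (Test-Path -LiteralPath $LinkPath)) {
        cmd /c mklink /d $LinkPath "$($sc.DeviceObject)\" | Out-Null
    }
    return $sc
}

function Restore-FromShadow {
    # Copy the original of an encrypted file out of the newest snapshot.
    # $EncryptedFile: e.g. C:\Users\me\Documents\report.docx.HJNAKLIQ ; $Extension: e.g. '.HJNAKLIQ'
    param(
        [Parameter(Mandatory)][string]$EncryptedFile,
        [Parameter(Mandatory)][string]$Extension,
        [string]$Volume = 'C:\'
    )
    $sc = Mount-LatestShadowCopy -Volume $Volume
    # Path of the pre-encryption file, relative to the volume root, with the ransomware extension removed
    $relative = $EncryptedFile.Substring($Volume.Length)
    if ($relative.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase)) {
        $relative = $relative.Substring(0, $relative.Length - $Extension.Length)
    }
    $source = Join-Path $LinkPath $relative
    if (-not (Test-Path -LiteralPath $source)) {
        throw "No copy of $relative in the snapshot taken $($sc.InstallDate)"
    }
    $dest = Join-Path $OutDir $relative
    New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
    Copy-Item -LiteralPath $source -Destination $dest   # read from the snapshot, write only to $OutDir
    return $dest
}

# Usage: first see whether any snapshots survived, then pull files one at a time
Get-ShadowCopyForVolume -Volume 'C:\' | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize
# Restore-FromShadow -EncryptedFile 'C:\Users\me\Documents\report.docx.HJNAKLIQ' -Extension '.HJNAKLIQ'
```

Copying out of the snapshot leaves the encrypted files untouched, which matters because the note itself warns that modified files cannot be decrypted later. If the first function returns nothing, no snapshots remain on that volume and you are back to Method 1 or Method 2. Remove the link with `cmd /c rmdir C:\shadow_ro` when you are done; rmdir on a directory link deletes only the link, not the snapshot contents.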
