Remove GandCrab v5.0.3 Ransomware (+File Recovery)

How to Remove GandCrab v5.0.3 Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

—=GANDCRAB V5.0.3=—
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .ZKFFJMIP
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
—————————————————————————————-

| 0. Download Tor browser – hxxps://www.torproject.org/

| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: hxxp://gandcrabmfe6mnef.onion/113737081e857d00
| 4. Follow the instructions on this page

—————————————————————————————-
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

—BEGIN GANDCRAB KEY—
—END GANDCRAB KEY—

—BEGIN PC DATA—
—END PC DATA—


GandCrab v5.0.3 is the newest variant of the notorious GandCrab ransomware. It encrypts the personal files on an infected system: music, pictures, databases, documents and other user-created data. The ransomware scans the hard drive for files of these types and encrypts each one, appending a random extension (.ZKFFJMIP in the note above). The encryption runs silently, so there are no symptoms until it has finished and no chance to notice the parasite in time to stop it. Once it is done, GandCrab v5.0.3 replaces the desktop wallpaper with a short message stating that your files are compromised and directing you to a [random letters]-DECRYPT.txt file, which it drops on the desktop and in every folder it touched. That file is the ransom note reproduced above: it explains your situation and lists the attackers' demands. Payment is demanded in Bitcoin or Dash, and the amount varies between $200 and $2,500 USD. Do not rush into impulsive actions. You are dealing with criminals who know how to apply pressure. Do not follow the instructions in the note, do not contact them and do not pay: nothing guarantees they will deliver a working key, and a victim who pays and provides a way to be contacted only marks themselves as a target for further extortion. Unless you have a backup, be prepared for the possibility that the files are lost. Cut the losses and clean the system first; recovery options are covered in STEP 4 below.

How did I get infected?

GandCrab v5.0.3 does not target specific victims. It is distributed at scale so that it reaches as many potential victims as possible, and it relies on the victim to let it in. Common carriers are torrents, spam emails, fake software updates and links on compromised or malicious pages; one careless click is all it needs. Do not make its job easier. No anti-virus product can fully protect a user who runs whatever lands in the inbox, so your own caution is the first line of defense. Spam email is the most common vector for ransomware like GandCrab v5.0.3. The senders write on behalf of well-known, trusted organizations, copying logos and fabricating letterheads to make the message look legitimate. Treat every unexpected message as a potential threat. If, for example, you receive an unexpected email from your bank, do not click anything in it: open the bank's official website yourself and use the contact details listed there to confirm whether the message is real. Comparing the sender address with the one the bank publishes is a useful first check but not a conclusive one, since the From: address of an email can be forged; an attachment or link you did not ask for is a stronger warning sign than a matching address is a reassurance. If the message does not check out, delete it.


Why is GandCrab v5.0.3 dangerous?

GandCrab v5.0.3 is a nasty ransomware. Once it has run, your files are encrypted with a key you do not have, and the system itself can no longer be trusted. Without the private key there is no way to decrypt the files directly; the only practical routes are a backup, the recovery methods in STEP 4, or a free decryptor if researchers publish one for this version. The criminals promise a decryption tool in exchange for the ransom, yet experts advise against paying. You are dealing with people who can simply ignore you once they have the money, and victims frequently receive "decryptors" that only partially work, restoring some files and leaving others locked. Decrypting the files also does nothing about the infection itself: the decryption removes the lock but does not remove GandCrab, and there have been cases where victims restored their files only to have them re-encrypted hours later. How many times are you willing to pay for your own files? Do not play games with the hackers. Your best course of action is to remove GandCrab v5.0.3 first and work on recovery afterwards.

GandCrab v5.0.3 Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover GandCrab v5.0.3 Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
  • Locate the process of the ransomware. Have in mind that its name is usually randomly generated, so look for an unfamiliar process rather than a fixed name; on Windows 8 and later the "Details" tab shows the executable name of every process.
  • Before you kill the process, note its name in a text document for later reference.
  • Right click on the process and choose "Open File Location", and note that path as well. An executable running from %appdata%, %temp% or another folder a normal user can write to is a strong indicator.
  • End the process.
  • Delete the suspicious files, or better, move them to a quarantine folder so that a scanner can examine the sample later.
  • Have in mind that the process may hide behind an innocuous-looking name and can be difficult to detect.

STEP 2: Reveal Hidden Files

  • Open any folder in Windows Explorer.
  • Click on the "Organize" button and choose "Folder and Search Options" (on Windows 8 and later, open the "View" tab of the ribbon and click "Options" instead).
  • Select the "View" tab.
  • Select the "Show hidden files and folders" option.
  • Uncheck "Hide protected operating system files".
  • Click "Apply" and then "OK".

STEP 3: Locate GandCrab v5.0.3 encryption Virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously, type regedit in the Run box and press Enter.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the value whose display name is [RANDOM] and whose data points to the executable you noted in STEP 1. Export the key first (File, Export) so the change can be undone, and check all three keys: on 64-bit Windows the Wow6432Node key holds the entries written by 32-bit programs.

  • Then open Explorer and navigate to:

Navigate to your %appdata% folder (type %appdata% in the Explorer address bar) and delete the executable.

You can alternatively use the msconfig program (Startup tab; on Windows 8 and later this list has moved to the Startup tab of Task Manager) to double-check the execution point of the virus. Have in mind that the names on your machine may be different, as they are generated randomly; that is why you should also run a professional scanner to identify malicious files.
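The three steps above, done by hand, rely on spotting a random name among dozens of entries. The following script is an added example (not code from the original page and not a GandCrab artifact) that walks the Run keys named in STEP 3 and the process list of STEP 1 and flags what a ransomware dropper typically produces. Its two heuristics are assumptions of this example: an executable that is unsigned and that lives in a user-writable directory (%appdata%, %localappdata%, %temp%, ProgramData, Public) is treated as suspicious. It also checks the two RunOnce keys in addition to the three Run keys listed above. Nothing is removed unless `$Remove` is set to `$true` after the report has been reviewed, and removed files are quarantined and hashed rather than deleted.

```powershell
# Added example, not from the original page. Run from an elevated
# PowerShell prompt. Heuristics (unsigned + user-writable directory) are
# this example's own; legitimate software can trip them, so review first.
$Remove = $false

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Folders an unprivileged user (and therefore a dropper running as that
# user) can write to; %appdata% is the one STEP 3 tells you to check.
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Metadata properties Get-ItemProperty adds to every registry result.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($dir in $UserWritable) {
        if ($Path -and $Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    try { return (Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction Stop).Status.ToString() }
    catch { return 'Unknown' }
}

# A Run value is a command line: the image may be quoted, unquoted with
# arguments, and may contain %VARIABLES%. Unquoted paths with spaces fall
# back to the first token, which is good enough for a report.
function Get-ExecutableFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+?\.exe)') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-SuspiciousAutoruns {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $PsMeta -notcontains $_.Name }
        foreach ($p in $props) {
            $exe = Get-ExecutableFromCommand ([string]$p.Value)
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Command = [string]$p.Value; Executable = $exe
                Signature = Get-SignatureStatus $exe; UserWritable = Test-UserWritablePath $exe
            }
        }
    }
}

function Get-SuspiciousProcesses {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        [pscustomobject]@{
            Id = $_.Id; Name = $_.ProcessName; Path = $_.Path
            Signature = Get-SignatureStatus $_.Path; UserWritable = Test-UserWritablePath $_.Path
        }
    } | Where-Object { $_.UserWritable -or $_.Signature -ne 'Valid' }
}

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$autoruns = @(Get-SuspiciousAutoruns)
$procs    = @(Get-SuspiciousProcesses)

# Keep the evidence before touching anything, as STEP 1 advises.
$autoruns | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\autoruns-$stamp.csv"
$procs    | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\processes-$stamp.csv"
$autoruns | Format-Table Key, Name, Executable, Signature, UserWritable -AutoSize
$procs    | Format-Table Id, Name, Path, Signature, UserWritable -AutoSize

# Both heuristics must agree before anything is removed. The process dies
# first so it cannot rewrite its Run value; the image is hashed and moved
# to a quarantine folder instead of deleted, so a scanner or analyst can
# still examine it.
if ($Remove) {
    $quarantine = "$env:USERPROFILE\Desktop\quarantine-$stamp"
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    foreach ($p in $procs | Where-Object { $_.UserWritable -and $_.Signature -ne 'Valid' }) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }
    foreach ($a in $autoruns | Where-Object { $_.UserWritable -and $_.Signature -ne 'Valid' }) {
        Remove-ItemProperty -Path $a.Key -Name $a.Name -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $a.Executable) {
            $hash = (Get-FileHash -LiteralPath $a.Executable -Algorithm SHA256).Hash
            Add-Content -Path "$quarantine\hashes.txt" -Value "$hash  $($a.Executable)"
            Move-Item -LiteralPath $a.Executable -Destination $quarantine -Force
        }
    }
}
```

The report will usually contain a few legitimate entries (updaters and chat clients often install themselves under %localappdata% and some are unsigned), which is why removal is gated on both heuristics and on a manual review; the CSV files and hash list also give the scanner mentioned above, or an analyst, something concrete to work from.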

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case you have one. Do this only after the system has been cleaned (STEPS 1 to 3); restoring onto a still-infected machine just gets the files encrypted again. Before trying anything else, also check the No More Ransom project (nomoreransom.org): free decryptors for several GandCrab versions have been released there, and such tools typically need the ransom note and a few encrypted files to identify the version, so keep those rather than deleting them.
  • Method 2: File Recovery Software. If the ransomware writes the encrypted data to a new file and deletes the original instead of overwriting it in place, the original's blocks stay on disk until they are reused, and file recovery (undelete) software may bring back some of your original files. Stop writing to the affected drive as soon as possible and run the recovery tool from another drive, since every write lowers the odds.
  • Method 3: Shadow Volume Copies. As a last resort, you can try to restore your files from Shadow Volume Copies, either with ShadowExplorer (a free third-party tool) or through the "Previous Versions" tab of a file's Properties dialog. In ShadowExplorer choose the drive and the snapshot date you want to recover from, right click any file or folder you want to restore and click Export. Most ransomware deletes the shadow copies before it starts encrypting, so this often yields nothing; you can check quickly from an elevated command prompt with vssadmin list shadows.
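Before choosing a recovery method it helps to know the extent of the damage and whether Method 3 is even possible. The script below is an added example (not code from the original page) that scopes the incident from the ransom note described at the top of this page and checks whether any Shadow Volume Copies survived. Its assumptions are the note layout quoted above: a file named with random letters followed by -DECRYPT.txt, containing an "extension: .XXXXXXXX" line and an .onion URL that ends in a per-victim token. The regular expressions and the `-Root` parameter are this example's own.

```powershell
# Added example, not from the original page. Run elevated so that the
# shadow-copy query is permitted. Scans $Root recursively, so a full
# drive takes a while.
param(
    [string]$Root = 'C:\'
)

# Notes are dropped into every folder the ransomware touched, so one
# recursive search finds both the notes and the extent of the damage.
function Find-RansomNotes {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -File -Filter '*-DECRYPT.txt' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Z]+-DECRYPT\.txt$' }
}

# Pull the indicators out of one note. A live note uses http://; a
# defanged copy like the one quoted on this page uses hxxp://, so both
# are accepted. The token after the host identifies the victim to the
# attackers and is worth recording for any report.
function Read-RansomNote {
    param([string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    $ext = $null; $onionHost = $null; $token = $null
    if ($text -match 'extension:\s*(\.[A-Za-z0-9]+)') { $ext = $Matches[1] }
    if ($text -match 'h(?:tt|xx)ps?://([a-z2-7]+\.onion)/([0-9a-f]+)') {
        $onionHost = $Matches[1]; $token = $Matches[2]
    }
    [pscustomobject]@{ Note = $Path; Extension = $ext; OnionHost = $onionHost; Token = $token }
}

function Get-EncryptedFiles {
    param([string]$Root, [string]$Extension)
    Get-ChildItem -Path $Root -Recurse -Force -File -Filter "*$Extension" -ErrorAction SilentlyContinue
}

# Most ransomware deletes shadow copies before encrypting; an empty result
# means Method 3 has nothing to restore from (or the prompt is not elevated).
function Get-ShadowCopies {
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, VolumeName, InstallDate
}

$notes = @(Find-RansomNotes -Root $Root)
if ($notes.Count -eq 0) { Write-Warning "No *-DECRYPT.txt notes found under $Root"; return }

$ioc = Read-RansomNote -Path $notes[0].FullName
"Ransom notes found : $($notes.Count)"
"First note         : $($notes[0].FullName)"
"Extension          : $($ioc.Extension)"
"Onion host         : $($ioc.OnionHost)"
"Victim token       : $($ioc.Token)"

if ($ioc.Extension) {
    $enc = @(Get-EncryptedFiles -Root $Root -Extension $ioc.Extension | Sort-Object LastWriteTime)
    "Encrypted files    : $($enc.Count)"
    if ($enc.Count -gt 0) {
        # The first and last write times bracket when the encryptor ran;
        # use them when searching event logs or mail for the entry point.
        "Encryption window  : $($enc[0].LastWriteTime) to $($enc[-1].LastWriteTime)"
    }
    # Inventory for the recovery step. Do not rename or modify these files,
    # and keep the note: decryption tools need both.
    $enc | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\encrypted-files.csv"
}

$shadows = @(Get-ShadowCopies)
if ($shadows.Count -gt 0) { $shadows | Format-Table -AutoSize } else { Write-Warning 'No shadow copies available' }
```

The encrypted-file inventory doubles as a checklist for Method 1 (which files a backup must cover) and as the input list for a decryptor, and the encryption window narrows the search for how the machine was infected in the first place.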
