Remove GandCrab v5.2 Ransomware (+File Recovery)

How to Remove GandCrab v5.2 Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

—= GANDCRAB V5.0.2 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:

———————————————————————–
| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrab{random}/{random}
| 4. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
• DO NOT MODIFY ENCRYPTED FILES
• DO NOT CHANGE DATA BELOW

GandCrab v5.2 is the newest variant of the infamous GandCrab Ransomware. This version, just like its predecessors, is a havoc-wreaking menace. It sneaks into your system through trickery and corrupts everything. It wrecks both your system and saved data. The virus alters settings, modifies the registry, corrupts essential directories, drops malicious files, and starts dangerous processes. This, of course, happens in silence. The infiltration process has no obvious symptoms. GandCrab v5.2 has mechanisms which prevent detection. You cannot catch the ransomware in time to limit its corruption. The virus wastes no time. It takes control of your system and gets to work. The ransomware follows programming to lock your files. It uses strong encryption algorithms to seal your personal files. Pictures, databases, archives, documents. The ransomware detects the user-generated files and puts them under lock and key. The virus corrupts your files and displays a ransom note which explains the situation you are in. The note urges you to buy decrypting key which can restore your data. Such actions, of course, are not advisable. You are dealing with experiences crooks. They promise a lot, but they don’t always deliver. Sponsoring their criminal operations it’s the worst thing you can do. Do not play games with these criminals. Your best course of action is the immediate removal of the virus. Find where GandCrab v5.2 lurks and delete it upon detection!

How did I get infected with?

Fake updates, corrupted links, malicious bundles, infected websites. The Internet is a dangerous place. You can never know where a parasite might strike from. GandCrab v5.2 lurks in the shadows and waits for you to let your guard down. Do not make that mistake. No anti-virus app can protect you if you toss caution to the wind. Only your vigilance is powerful enough to keep your system secure and virus-free. Always take the time to do your due diligence. Don’t visit shady websites. Download software from reputable sources only. And, of course, be careful how you interact with your inbox. The good old spam messages are still the number one cause of virus infections. The distribution method is the same, but the tactics are not what they used to be. The crooks no longer rely on corrupted attachments. They use them, but they also employ corrupted links. One click on the wrong hyperlink and the virus sneaks into your system. Do not give into naivety. Treat all unexpected messages as potential threats. Always verify the senders. If, for example, you receive an email from an organization, go to their official website. Compare the email addresses listed there to the questionable one. If they don’t match, delete the pretender. You can also enter the suspicious email addresses into a search engine. If they were used for shady business, someone might have complained. Even a little extra attention can spare you an avalanche of problems!

Why is GandCrab v5.2 dangerous?

GandCrab v5.2 is a complete and utter menace. It sneaks into your system and throws you in a whirlwind of problems. This parasite corrupts your files and prevents you from accessing their content. You can still see the icons of your pictures, databases, and documents, but you cannot view or edit them. Creating new files is also pointless. The ransomware locks everything you save. The nasty virus makes your device as good as useless. Well, you can browse the web, but that, too, is limited. You should not trust your corrupted system. GandCrab v5.2 lurks in the shadows. This advanced virus might be spying on you. The virus is a nightmare. It leaves you no choice. This nasty menace pushes you to pay the ransom. Do not swing into action, though. GandCrab v5.2 asks for Bitcoin. This currency is untraceable. Once you transfer the money, there is no going back. No one, not even the police can help you get your money back. You cannot ask for a refund if something goes wrong. And that’s inevitable. Practice shows that the hackers tend to ignore the victims once they receive the ransom. There are cases when the victims received nonfunctional decryption keys. There are also instances when the victims paid just to be blackmailed for more. Do not test your luck! Spare yourself many future headaches. Remove GandCrab v5.2 right now! Clean your system the first chance you get!

GandCrab v5.2 Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover GandCrab v5.2 Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

• Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
• Locate the process of the ransomware. Have in mind that this is usually a random generated file.
• Before you kill the process, type the name on a text document for later reference.

• Locate any suspicious processes associated with GandCrab v5.2 encryption Virus.
• Right click on the process
• Open File Location
• End Process
• Delete the directories with the suspicious files.
• Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

• Open any folder
• Click on “Organize” button
  
• Choose “Folder and Search Options”
• Select the “View” tab
• Select “Show hidden files and folders” option
• Uncheck “Hide protected operating system files”
• Click “Apply” and “OK” button

STEP 3: Locate GandCrab v5.2 encryption Virus startup location

• Once the operating system loads press simultaneously the Windows Logo Button and the R key.

• A dialog box should open. Type “Regedit”
• WARNING! be very careful when editing the Microsoft Windows Registry as this may render the system broken.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

• and delete the display Name: [RANDOM]

• Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

• Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

• Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
• Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.