How to decrypt files encrypted by Gandcrab?

by Julie Splinters

Question

Issue: How to decrypt files encrypted by Gandcrab?

Hello, I think I got infected with some malware, and now I can't open any of my photos or other files. A text note is present on my desktop, and the wallpaper is changed to a black background with a message saying “ENCRYPTED BY GANDCRAB.” According to the memo, I need to pay digital currency for these people to restore my files. Is it the only way? Can you please help me? I am not a huge PC expert, so more detailed instructions on what to do would be appreciated…

Solved Answer

GandCrab ransomware originated in early 2018 and, within a little over a year of its lifespan, went through a few dozen versions that lock up users' files with the help of Salsa20, AES and RSA-2048 encryption algorithms[1] and demand a ransom for the decryption key. However, you should not contact the cybercriminals; rely instead on alternative methods that can help you decrypt files encrypted by Gandcrab.

While the initial releases of the malware appended .CRAB, .KRAB, and similar file extensions, Gandcrab v5 switched to a different, improved model of the virus. The latest variants use a random combination of characters as an extension, complicating the GandCrab decryption procedure even further. Additionally, Gandcrab was seen collaborating with other malicious threats like Vidar[2] or Emotet.[3]

Throughout its reign, GandCrab ransomware used a variety of distribution techniques, such as:

  • Rig, Magnitude, GrandSoft and Fallout[4] exploit kits;
  • Task Scheduler ALPC and Adobe Flash vulnerabilities;
  • Malspam campaigns, such as “Love You”;
  • Downloads via backdoor malware, etc.

Decrypt files infected by GandCrab

As evident, it is best not to get infected with GandCrab in the first place. Unfortunately, users are not that careful when it comes to cybersecurity: they open malicious spam email attachments, do not patch their systems, avoid anti-virus software, and so on. Therefore, make sure you use security measures to prevent ransomware infections in the future. Additionally, you can use the GandCrab vaccine, which prevents the execution of the malicious script and, consequently, the file encryption.

The question that interests users the most is “Can I decrypt files encrypted by Gandcrab?” The answer is not that simple, as it depends on the version of the malware, whether or not backups were prepared, whether the malware failed to delete Shadow Volume Copies, etc.

If you had backups prepared before GandCrab ransomware attacked your computer, you should be able to copy and paste all your data without any problems. However, make sure you remove the GandCrab virus before you proceed with file recovery; otherwise, all the backups will be locked as well.

If you do not have backups, several other options are available to decrypt files encrypted by Gandcrab. There are official decryptors available, as well as third-party tools. Please explore all the possible options below.

Before you proceed: remove GandCrab ransomware

As we already mentioned, you should remove GandCrab ransomware before you attempt to recover your files. First, you need to download and install security software that can detect the threat. There are plenty of applications available, so make sure you choose the one that suits you the best.

Once you install an AV engine, you will have to enter Safe Mode with Networking to perform a full system scan. More details on how to remove Gandcrab ransomware can be found in this video.

Option 1. Use GandCrab decryptor from BitDefender

Security researchers at Bitdefender released an official GandCrab decryptor that can be used for free.[5] Please follow these steps to download it (note: the app requires an internet connection to perform the decryption process):

  • Download the Official GandCrab decryptor.
  • Run the application.
  • Agree to terms and conditions.
  • Pick Scan Entire System or select a specific folder you want the tool to decrypt files from.

The latest variant of the decryptor works with versions 1, 4, and 5.0.1 through 5.1.

Option 2. Use alternative GandCrab decryptor

Independent security researchers are continually working on new methods to decrypt Gandcrab ransomware. Therefore, if the official tool from Bitdefender does not work for you and you are affected by GandCrab version 5.0 to 5.0.3, you can download an alternative decryptor here.

  • Once you download the tool for your version of Windows (32-bit or 64-bit), extract the zip file.
  • You will be asked to enter the password – type in Valthek and click OK.
  • Once MasterCrab.exe opens, type in Y and hit Enter.
  • The software will decrypt your files.

Note that you can find more detailed instructions in the README.txt file.

Option 3. Use Data Recovery Pro to restore files encrypted by GandCrab

In case the official decryptors do not work, or you are infected with a version that is not decryptable (v5.04+), you should try third-party data recovery applications. One option for restoring your files encrypted by Gandcrab is Data Recovery Pro:

  • Download Data Recovery Pro software and then install it by following on-screen instructions.
  • Once installed, open the program and start a scan – pick the Full Scan option and select Start Scan.
  • You can also look for specific files – just enter a keyword.
  • Once the scan is complete, choose all the files you want to restore and click Recover.

Option 4. Make use of ShadowExplorer when trying to recover files encrypted by GandCrab

Volume Snapshot Service (VSS) is an automated backup system in Windows that can make data recovery relatively painless. For that reason, most ransomware viruses are programmed to delete these automated copies. However, GandCrab, like other similar viruses, might fail to perform this procedure, leaving Shadow Volume Copies behind. In such a case, tools like ShadowExplorer can get all of your data back:

  • Download ShadowExplorer and install it by using on-screen instructions.
  • Open the application and choose the drive you want to recover data from.
  • Click Export (you may also specify where to export files).
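
Before installing anything, you can check whether any Shadow Volume Copies survived and browse the newest one made before the attack. The script below is an added example, not part of the original article or of ShadowExplorer; the cutoff time and the C:\ShadowView link path are assumed values you should adjust.

```powershell
# Added example; run from an elevated PowerShell prompt (shadow copies are
# not visible to standard users).
# Assumed values: the cutoff time and the link path below are constructed.
$EncryptedAfter = Get-Date '2019-03-01 14:00'   # when the ransom note appeared
$LinkPath       = 'C:\ShadowView'               # must not exist yet

# Map volume GUID paths to drive letters so the report is readable.
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter

$snapshots = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate |
    ForEach-Object {
        $snap = $_
        $vol  = $volumes | Where-Object { $_.DeviceID -eq $snap.VolumeName }
        [pscustomobject]@{
            Drive        = $vol.DriveLetter
            Created      = $snap.InstallDate
            PreInfection = $snap.InstallDate -lt $EncryptedAfter
            DeviceObject = $snap.DeviceObject
        }
    })

if ($snapshots.Count -eq 0) {
    Write-Output 'No shadow copies found: they were deleted or never enabled.'
    return
}
$snapshots | Format-Table -AutoSize

# Newest snapshot taken before the files were encrypted.
$best = $snapshots | Where-Object PreInfection | Select-Object -Last 1
if (-not $best) {
    Write-Output 'Snapshots exist, but all were created after the encryption.'
    return
}

# Expose the snapshot as a folder; the trailing backslash is required.
cmd /c mklink /d $LinkPath "$($best.DeviceObject)\"
Write-Output "Browse $LinkPath and copy files out of it to another drive."
Write-Output "When finished, remove the link only: cmd /c rmdir $LinkPath"
```

The snapshot is read-only, so copying files out of the linked folder does not alter it.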

Bonus: use GandCrab vaccine to avoid future infections

Independent security researcher Valthek[6] has been creating software dedicated specifically to GandCrab ransomware file encryption prevention:

  • Go to the vaccine hosting site and download the appropriate tool.
  • To extract the application, use Valthek as a password.
  • When UAC pops up, click Yes.
  • Double-click on the GandCrabSucksVaccine.exe.
  • The vaccine will be running in the background and you will be protected from GandCrab file infection.

Finally, after you remove the GandCrab virus from your computer, scan it with Reimage, as it can clean the Windows Registry and recover from other virus damage.

About the author

Julie Splinters - Computer optimization specialist

When it comes to computer optimization, Julie Splinters is the expert. Whether it is a slow smartphone, Windows, Mac or Linux operating system, she will find a solution within minutes.