Question
Issue: How to decrypt files encrypted by Gandcrab?
Hello, I think I got infected with some malware, and now I can't open any of my photos or other files. A text note is present on my desktop, and the wallpaper is changed to a black background with a message saying “ENCRYPTED BY GANDCRAB.” According to the memo, I need to pay digital currency for these people to restore my files. Is it the only way? Can you please help me? I am not a huge PC expert, so more detailed instructions on what to do would be appreciated…
Solved Answer
GandCrab ransomware originated in early 2018 and, within a little over a year, released a few dozen versions that lock up users' files with the help of the Salsa20, AES and RSA-2048 encryption algorithms[1] and demand a ransom for the decryption key. However, you should not contact the cybercriminals; instead, rely on the alternative methods below that can help you decrypt files encrypted by GandCrab.
While the initially released versions appended .CRAB, .KRAB, and similar file extensions, GandCrab v5 switched to a different, improved model of the virus. The latest variants use a random combination of characters as the extension, complicating the GandCrab decryption procedure even further. Additionally, GandCrab was seen working alongside other malicious threats such as Vidar[2] and Emotet.[3]
Throughout its reign, GandCrab ransomware used a variety of distribution techniques, such as:
- Rig, Magnitude, GrandSoft and Fallout[4] exploit kits;
- Task Scheduler ALPC and Adobe Flash vulnerabilities;
- Malspam campaigns, such as “Love You”;
- Download via backdoor malware already present on the system, etc.
As is evident, it is best not to get infected with GandCrab in the first place. Unfortunately, users are not that careful when it comes to cybersecurity: they open malicious spam email attachments, do not patch their systems, avoid anti-virus software, and so on. Therefore, make sure you use security measures to prevent ransomware infections in the future. Additionally, you can use the GandCrab vaccine, which prevents the execution of the malicious script and, consequently, the file encryption.
The question that interests users the most is “Can I decrypt files encrypted by GandCrab?” The answer is not that simple, as it depends on the version of the malware, whether backups were prepared, whether the malware failed to delete Shadow Volume Copies, etc.
If you had backups prepared before GandCrab ransomware attacked your computer, you should be able to copy all your data back without any problems. However, make sure you remove the GandCrab virus before you proceed with file recovery; otherwise, the restored files will be encrypted as well.
If you do not have backups, several other options are available to decrypt files encrypted by Gandcrab. There are official decryptors available, as well as third-party tools. Please explore all the possible options below.
Before you proceed: remove GandCrab ransomware
As we already mentioned, you should remove GandCrab ransomware before you attempt to recover your files. First, you need to download and install security software that can detect the threat. There are plenty of applications available, so make sure you choose the one that suits you the best.
Once you install an AV engine, you will have to enter Safe Mode with Networking to perform a full system scan. More details on how to remove Gandcrab ransomware can be found in this video.
Option 1. Use GandCrab decryptor from BitDefender
Security researchers at Bitdefender released an official GandCrab decryptor that can be used for free.[5] Please follow these steps to download it (note: the app requires an internet connection to perform the decryption process):
- Download the Official GandCrab decryptor.
- Run the application.
- Agree to terms and conditions.
- Pick Scan Entire System or select a specific folder you want the tool to decrypt files from.
The latest variant of the decryptor works with versions 1, 4, and 5.0.1 through 5.1.
Option 2. Use alternative GandCrab decryptor
Independent security researchers are continually working on new methods to decrypt files locked by GandCrab ransomware. Therefore, if the official tool from Bitdefender does not work for you and you are affected by GandCrab version 5.0 to 5.0.3, you can download an alternative decryptor here.
- Once you download the tool for your version of Windows (32-bit or 64-bit), extract the zip file.
- You will be asked to enter the password – type in Valthek and click OK.
- Once MasterCrab.exe opens, type in Y and hit Enter.
- The software will decrypt your files.
Note that you can find more detailed instructions in the README.txt file.
Option 3. Use Data Recovery Pro to restore files encrypted by GandCrab
In case official decryptors do not work, or you are infected with a version that is not decryptable (v5.04+), you should try third-party data recovery applications. You should try to decrypt your files encrypted by Gandcrab with the help of Data Recovery Pro:
- Download Data Recovery Pro software and then install it by following on-screen instructions.
- Once installed, open the program and start a scan – pick the Full Scan option and select Start Scan.
- You can also look for specific files – just enter a keyword.
- Once the scan is complete, choose all the files you want to restore and click Recover.
Option 4. Make use of ShadowExplorer when trying to recover files encrypted by GandCrab
Volume Snapshot Service (VSS) is an automated backup system in Windows that can provide data recovery without too much trouble. For that reason, most ransomware viruses are programmed to delete these automated copies. However, GandCrab, just like other similar viruses, might fail to perform this step, leaving Shadow Volume Copies behind. In such a case, tools like ShadowExplorer can get all of your data back:
- Download ShadowExplorer and install it by using on-screen instructions.
- Open the application and choose the drive you want to recover data from.
- Click Export (you may also specify where to export files).
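Before picking an option, two quick checks help: which extension the locked files received (early variants used .CRAB/.KRAB, v5 uses a random string, which narrows down the version and thus which decryptor applies) and whether any shadow copies survived for Option 4. The following PowerShell triage script is an added example, not code from the original page or from any of the tools above; it assumes an elevated PowerShell 5.1+ session on the cleaned machine, and the folder path is a placeholder you should change.

```powershell
# Added triage helper (not from the original page). Assumptions: run elevated
# on the infected machine AFTER the malware has been removed; $Path is yours.

function Get-EncryptedExtensionTally {
    param([Parameter(Mandatory)][string]$Path)
    # Extensions named on the page for early GandCrab; v5 uses a random one.
    $known = @('.crab', '.krab')
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Group-Object Extension |
        Sort-Object Count -Descending |
        Select-Object @{n = 'Extension'; e = { $_.Name }},
                      Count,
                      @{n = 'KnownGandCrab'; e = { $known -contains $_.Name.ToLower() }}
}

function Get-SurvivingShadowCopies {
    # Win32_ShadowCopy lists the snapshots VSS still holds. An empty result
    # means they were deleted, and ShadowExplorer (Option 4) will find nothing.
    $letters = @{}
    Get-CimInstance Win32_Volume | ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Drive      = $letters[$_.VolumeName]
            Created    = $_.InstallDate
            ShadowID   = $_.ID
            DevicePath = $_.DeviceObject
        }
    }
}

# Placeholder folder: point this at a folder you know contains locked files.
$tally = Get-EncryptedExtensionTally -Path "$env:USERPROFILE\Pictures"
$tally | Format-Table -AutoSize
if ($tally | Where-Object KnownGandCrab) {
    'Early variant extension (.CRAB/.KRAB) found: start with Option 1.'
} else {
    'No .CRAB/.KRAB files: note the most common extension above; v5 variants use a random one.'
}

$shadows = @(Get-SurvivingShadowCopies)
if ($shadows.Count -eq 0) {
    'No shadow copies left on this machine; Option 4 will not help.'
} else {
    $shadows | Format-Table -AutoSize
}
```

Run the extension tally against several folders (Documents, Desktop, an external drive) if the first one shows nothing, since the malware may not have reached every location.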
Bonus: use GandCrab vaccine to avoid future infections
Independent security researcher Valthek[6] has been creating software dedicated specifically to GandCrab ransomware file encryption prevention:
- Go to the vaccine hosting site and download the appropriate tool.
- To extract the application, use Valthek as a password.
- When UAC pops up, click Yes.
- Double-click on GandCrabSucksVaccine.exe.
- The vaccine will be running in the background and you will be protected from GandCrab file infection.
Finally, after you remove the GandCrab virus from your computer, scan it with FortectMac Washing Machine X9, as it can clean the Windows Registry and recover from other virus damage.
- ^ Encryption algorithm. Webopedia: Online Tech Dictionary for Students, Educators and IT Professionals.
- ^ Doug Olenick. Cybercriminals double up using Vidar and GandCrab in single attacks. SC Media: Cybersecurity News, Analysis and Product Reviews.
- ^ The Emotet Survival Handbook. Barkly: Endpoint Protection Platform.
- ^ Manish Sardiwal, Muhammad Umair, Zain Gardezi. Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware. FireEye: Threat Research.
- ^ Linas Kiguolis. Free decryptor released for GandCrab versions 1, 4, and 5. 2-spyware: Cybersecurity News and Articles.
- ^ Valthek. Twitter account (malware analyst with 20+ years of experience, low- and high-level programmer). Twitter: Social Network.