GandCrab 3 Ransomware - How to remove

The famous GandCrab virus has recently (as of late April, 2018) released a 3rd version of its crypto-malware called GandCrab 3.  This new GandCrab iteration still uses the same .CRAB extension to encrypt victim’s data and can be detected in a system as PUP.AD.GANDCRAB.3. To know more about this ransomware you can read our articles about earlier .CRAB versions: GandCrab and GandCrab 2. 

In March 2018 after a tight cooperation with NoMoreRansom project and a few law enforcement agencies BitDefender has came up with the free decryptor for GandCrab virus affected users, however this didn’t stop the persistent Romanian malware creators, and even encouraged them to improve their masterpiece to a higher level.

GandCrab3 just like other ransomware encrypts most or all personal files with an intricate algorithm adding a .CRAB extension to a file’s name and sends a message to an affected user to pay a certain amount of money in order to get the data back or else it will be deleted permanently.

How does the GandCrab 3 spread?

Primarily the GandCrab 3 spreads through spam messages which carry a directly attached or hyperlinked virus in the text’s body part. It also has an ability to deliver payloads.

Another way GandCrab can be distributed is through browser hijackers and web scripts. While web scripts deliver the virus to various sites including notifications, banner, redirects, pop-ups, browser hijackers use web plugins to spread the threat by changing the default settings of home page, search engine, tabs and put the dangerous files into the victim’s computer.

Cyber criminals include the malware code into various software installers, such as computer utility tools, games, apps, and once the victim installs the infected program the virus starts. The initial infection happens once the user opens an included document file (text file, spreadsheet or presentation) which has the rest of the payload. The note appears and asks for victim to enable the built-in scripts (macros). After that the virus takes full affect on the system. 

How the GanCrab 3 works?

Compared to previous versions of the GanCrab, newest iteration is even more persistent and after getting the virus files into the system uses a difficult  AES-256 (CBC mode) + RSA-2048 encryption to lock the user’s documents, images, videos, music, archives or even backups. Then this crypto-ransoware executes a note called CRAB-DECRYPT.txt on victim’s screen and asks for a US $998 fee paid in Bitcoins in 72 hour range to get a decriptor. 

The note victim sees:

— = — = V3 GANDCRAB 

the Attention!
Your documents files is the All, this photos, databases and files is by important OTHER are encrypted and have the extension: .CRAB
of The only method of Recovering files is to purchase a is the private key. It is on our server and only we  can recover your files.
The server with your key is in a closed network TOR. CAN the get there You by the the following ways: 

0. Download the Tor browser – https://www.torproject.org/
1. the Install the Tor browser
2. the Open the Tor Browser
3. the Open link in browser TOR:
4. Classifieds Follow the instructions on the this page  the on Our page you see will of instructions on payment and the get the Opportunity to decrypt the 1 file for free.
The alternative way to contact us is to use Jabber messenger. How to the Read:
0. Download Psi-Plus is the Jabber Client: https://psi-im.org/download/
1. the Register new account: http://sj.ms/register.php
    0) Enter “username”: xxxxxxxxxx
    1) the Enter “password”: your password
2. the Add new account in Psi
3. the Add and the write the Jabber ID: [email protected] the any message
4. Classifieds Follow bot instruction 

ATTENTION!
It is a bot! It’s fully automated artificial system without human control!
To contact us use TOR links. We can provide you all required proofs of decryption availability anytime. We are open to conversations.
You can the read instructions You how to use the install and jabber found here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf 

CAUGHTION!
Do not try to modify files or use your own private key. This will result in the loss of your  data forever!

Virus starts by collecting machine’s and personal user’s data in order to overcome the interfering applications, so that the virus files could be executed properly and undetected. This ransomware uses the harvested information about the system and victim’s credentials to trick anti-virus software, virtual machine hosts or sandbox environments. Then GanCrab goes after the Windows registry and modifies the operating systems and user-installed programs so they would stop working as they suppose to. After that virus tries to take over the recovery menu so that user would not be able to access it and GandCrab would be executed ever time system starts up.

If this malware defeats all the protection and gets fully installed it can even create a strong network connection with hacker servers which allows crooks to send even more malware, spy and take over the victim’s machine.

How to remove GanCrab 3?

Since there is not much you can do to prevent such attack because it spreads though so many sources it is necessary to know what to do once .GANDCRAB gets into your system. First of all it is necessary to remove it before it spreads any further. GandCrab 3 is a very stubborn virus which makes it hard to remove manually, therefore it is best done with malware removal tools like SpyHunter .

Malware removal programs are good not only because they are easy to use and manage, but they also get rid of all the other infections that your computer is affected by. Most likely if you are already seeing a ransomware note, your system has been a prey for other malware programs as well. Another thing that is important to get back your files before the infection spreads further are routine system backups which allow to restore your files and OS before the attack.

The manual removal includes these steps:

1. Rebooting your computer in Safe Mode (Enable Safe Mode with Command Prompt)
2.  Once Command Prompt launches, type in cd restore and press enter.
3. Enter rstrui.exe and press enter again.
4. Click “Next” in the Window which appeared.
5. Select one of the Restore Points which would suggest a date before Magniber ransomware infected your device.
6. Click “yes” to start a system restore.

To read more about the system restore, please read our detailed guide.

The GandCrab 3 is the newest, most difficult to remove version of GandCrab family, therefore the current Bitdefender’s decryption tool may not work on it, unfortunately, but it does’t hurt to try. 

Automatic Malware removal tools