This past week brought some memorable moments regarding the infamous GandCrab ransomware. As you may know, this cryptovirus has been bothering the cyber world for a while now, despite the united efforts of malware experts. Up until recently, users were able to decrypt locked files up to GandCrab v5, but on February 19th, 2019 hardworking security researchers pleasantly surprised everyone with a new decryption tool for GandCrab v5.1. And although such great news made a lot of compromised computer owners very happy, the victory did not last long, since a new GandCrab 5.2 ransomware variant was caught in the wild almost at the same time.
Actually, such an immediate reaction from the GandCrab developers has happened before, in October, when updated ransomware code was released right after Bitdefender’s decryptor came out. Such deliberate preparation by the hackers makes everyone wonder how many times the cyber world will have to deal with new GandCrab ransomware variants, and whether there is ever going to be an end, because this cryptovirus is already estimated to hold around 40% of the ransomware market. Until then, let’s analyze one variant at a time, and see what the GandCrab 5.2 virus has to offer and how to deal with it.
Features of GandCrab 5.2 ransomware
Since GandCrab 5.2 ransomware came out right after the decryptor for the previous version was released, there weren’t any major changes that would distinguish this virus from its predecessors, except for different code. Machines infected with the new specimen demonstrated exactly the same behaviour as, for example, GandCrab 5, GandCrab 4, GandCrab 3 and so on. Since the first decryptor was developed by Bitdefender, the company claims to have helped nearly 10,000 GandCrab victims, saving more than $5 million in ransom payments; it is therefore irrational for the crooks to take time off to make major changes to the virus and waste more money.
It is not yet confirmed by malware researchers, but potentially, once GandCrab 5.2 ransomware enters the system it uses the RSA-2048 or Salsa20 cipher algorithms to encrypt the victim’s personal files. The latter cipher has been part of GandCrab’s process since the 4th version. All data apart from crucial system files is then encrypted and marked with a ‘.[unique-ID]’ extension, which is repeated in the name of the ransom note, ‘[uniqueID]-DECRYPT.txt’, where the crooks explain your computer’s current situation and the further steps you need to take in order to get your files back:
—= GANDCRAB V5.2 =—
UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS
All your files, documents, photos, databases and other important files are encrypted and have the extension:
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/ b6314679c4ba3647/
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
It is not only the ransom note and the renamed files that give away a GandCrab 5.2 ransomware infection. Victims’ desktops also get changed to a dark background that says:
ENCRYPTED BY GANDCRAB 5.2
DEAR [USER NAME],
YOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR
For further steps read [unique-ID]-DECRYPT.txt that is located in every encrypted folder.
If the user follows these directions and goes to the Tor link that the GandCrab 5.2 cryptovirus sends them to, more information is given on how to perform the payment, the amount and so on. At first, $1200 is requested from the victim in Dash or Bitcoin cryptocurrency, and if the given time runs out (around 24 – 48 hours) the amount doubles to $2400. Since this is a large amount of money, the crooks also offer to decrypt one file for free, just to show that they are not bluffing and can actually unlock your data, as long as you are willing to pay. Although the GandCrab 5.2 ransomware actors are fully capable of decrypting your affected data, that does not mean they will, even after payment. We highly suggest not giving in to this extortion and simply continuing with the virus removal while waiting for cyber professionals to release a new free decryptor.
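The naming scheme described above (a ‘[uniqueID]-DECRYPT.txt’ note in every affected folder, encrypted files carrying a ‘.[unique-ID]’ extension) is enough to inventory an infection without touching the locked files. The following script is an added triage example, not code from the article or from any decryptor; it assumes the ID is an opaque alphanumeric token and builds a constructed sample directory tree with a placeholder ID so that it runs offline. During a real incident you would point triage() at the affected drive instead.

```python
"""Locate GandCrab-style ransom notes and the files they refer to.

Added triage example, not code from the article.  It assumes the naming
scheme the article describes: a note called '<ID>-DECRYPT.txt' in every
affected folder and encrypted files carrying the extension '.<ID>'.  The
directory tree scanned here is constructed in a temp folder so the script
runs offline; point triage() at a real drive letter during an incident.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# '<ID>-DECRYPT.txt'; the ID is treated as an opaque alphanumeric token (assumption)
NOTE_RE = re.compile(r"^(?P<id>[A-Za-z0-9]+)-DECRYPT\.txt$", re.IGNORECASE)


def find_ransom_notes(root):
    """Map every ransom note path under root to the victim ID in its name."""
    notes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = NOTE_RE.match(name)
            if match:
                notes[Path(dirpath) / name] = match.group("id")
    return notes


def find_encrypted_files(root, victim_id):
    """List files whose last extension is '.<victim_id>' (compared case-insensitively)."""
    suffix = "." + victim_id.lower()
    return [
        Path(dirpath) / name
        for dirpath, _dirs, files in os.walk(root)
        for name in files
        if name.lower().endswith(suffix)
    ]


def triage(root):
    """Summarise the infection: IDs seen, note count, encrypted files and affected folders.

    The summary is inventory only; nothing is renamed or rewritten, in line
    with the ransom note's own warning not to modify encrypted files.
    """
    notes = find_ransom_notes(root)
    ids = Counter(notes.values())
    summary = {"notes": len(notes), "ids": dict(ids), "encrypted": {}, "folders": set()}
    for victim_id in ids:
        files = find_encrypted_files(root, victim_id)
        summary["encrypted"][victim_id] = len(files)
        summary["folders"].update(str(p.parent) for p in files)
    return summary


def build_sample_tree():
    """Create a constructed directory tree that mimics a post-infection layout."""
    root = Path(tempfile.mkdtemp(prefix="gc52-sample-"))
    victim_id = "QWERTYU"  # constructed placeholder, not a real GandCrab ID
    docs, pics = root / "Documents", root / "Pictures"
    docs.mkdir()
    pics.mkdir()
    for path in (docs / "report.docx", docs / "budget.xlsx", pics / "holiday.jpg"):
        # an encrypted file keeps its original name and gains the '.<ID>' extension
        path.with_name(path.name + "." + victim_id).write_bytes(b"\x00" * 16)
    (pics / "untouched.png").write_bytes(b"PNG")  # a file the ransomware skipped
    note = "---= GANDCRAB V5.2 =---\n(constructed sample note, not the real text)\n"
    (docs / f"{victim_id}-DECRYPT.txt").write_text(note)
    (pics / f"{victim_id}-DECRYPT.txt").write_text(note)
    return root, victim_id


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    print(triage(sample_root))
```

The list of affected folders is what you hand to the restore steps later on: every folder in it is a candidate for Previous Versions or for a backup copy, and the count per ID tells you whether more than one infection (more than one ID) hit the machine.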
How is GandCrab 5.2 ransomware spreading
If you’ve read about other ransomware, you probably know that these threats typically spread via socially engineered emails that make the user click a malicious link leading to the installer, or that hide the executable in .doc or .pdf file macros, which release the ransomware once the victim enables them. On Valentine’s Day (February 14th, 2019), cybersecurity provider Mimecast reported that they had seen GandCrab being distributed via romantic email greetings in English, Chinese and Korean. It was also noted that GandCrab ransomware was avoiding Russian users by detecting the PC’s language/region. This spreading technique is convenient since it doesn’t require much technical knowledge and allows the attackers to quickly reach thousands of potential victims, but GandCrab ransomware developers have other, more advanced dissemination methods as well.
It has also been observed that the GandCrab cryptovirus has been targeting companies and regular users via Remote Desktop Protocol (RDP), infecting all computers connected to the same network as the initially compromised PC, and also through remote IT support firms which have access to their customers’ workstations. Unfortunately, what makes this malware so widespread is the affiliate program that this ransomware offers: anyone who successfully participates in distributing GandCrab gets a certain commission from the ransom if the victim pays. Knowing that a single ransom demand can range from $600 to $2400, this can make plenty of people fall for the tempting offer and continue proliferating the notorious GandCrab virus.
All in all, as you can see, there are multiple tricky ways which can lead to GandCrab 5.2 ransomware, no matter how safely you act online. We strongly suggest that you back up your system before it’s too late and read this Ultimate Guide for the Protection Against Ransomware to make sure that you are doing everything you can to prevent this attack from happening.
Remove and decrypt GandCrab 5.2 virus
At the moment GandCrab 5.2 is not decryptable, but cybersecurity experts are working on it, and before they release a new tool to help the victims there are plenty of actions to take in order to get closer to getting your files back. First of all, it is imperative that you clean your system and get rid of GandCrab 5.2 ransomware so that it won’t continue locking new files and you’ll be able to use your computer safely. This cryptovirus is well detected by almost all antivirus programs, so it’s up to you which one you choose for the elimination; however, we’ve noticed that Spyhunter or Malwarebytes seem to do a wonderful job when it comes to getting rid of ransomware. Mind you, the successful removal of GandCrab v5.2 does not mean that your encrypted data will be unlocked; for that you need a special decryptor. Therefore, simply store your inaccessible files and keep checking Nomoreransom.org for updates.
Of course, there are responsible users who back up their data constantly, and their hard work and mindfulness pay off in situations like this. If you are sure that you have the necessary copies of the data locked by the GandCrab 5.2 cryptovirus, please continue with our restore guide below, which will assist in recovering the data from a recovery point made in the past. What is important to remember is that only the files you made copies of will be brought back.
How to recover GandCrab 5.2 ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore system files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points that is dated before GandCrab v5.2 infiltrated your system and then click “Next”.
- To start System Restore click “Yes”.
Step 2. Complete removal of GandCrab 5.2 ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to GandCrab v5.2. You can check other tools here.
Step 3. Restore GandCrab 5.2 ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually GandCrab v5.2 tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
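Before opening Previous Versions or Shadow Explorer it is worth knowing whether any snapshots survived at all, and which of them were taken before the encryption started. The script below is an added example, not code from the article or from Shadow Explorer: it parses the text that the Windows tool vssadmin list shadows prints from an elevated Command Prompt and keeps only the snapshots older than the moment you give it (the modification time of the first ransom note is a sensible choice). The two outputs embedded in it are constructed samples in the tool’s usual layout, not captures from an infected machine, so the script runs offline.

```python
"""Check which Volume Shadow Copies survived and predate the encryption.

Added example, not code from the article.  It parses the text that
'vssadmin list shadows' prints (run from an elevated prompt) so you can see
whether GandCrab managed to wipe the snapshots and, if not, which ones are
old enough to hold clean copies of your files.  The two outputs below are
constructed samples in the tool's usual layout, not captures from a victim.
"""
import re
from datetime import datetime

# Constructed sample: two snapshots, one taken before and one after the infection.
SAMPLE_TWO_COPIES = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 2/10/2019 8:02:11 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 2/21/2019 9:30:00 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: DESKTOP-SAMPLE
         Service Machine: DESKTOP-SAMPLE
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Constructed sample of the message vssadmin prints when no snapshots exist.
SAMPLE_NONE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")
TIME_RE = re.compile(r"creation time:\s*(?P<ts>.+?)\s*$")


def parse_vssadmin(text):
    """Turn 'vssadmin list shadows' output into a list of dicts, one per shadow copy."""
    copies, current, created = [], None, None
    for line in text.splitlines():
        t = TIME_RE.search(line)
        if t:  # 'Contained N shadow copies at creation time: M/D/YYYY H:MM:SS AM'
            created = datetime.strptime(t.group("ts"), "%m/%d/%Y %I:%M:%S %p")
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, value = f.group("key"), f.group("value")
        if key == "Shadow Copy ID":
            current = {"id": value, "created": created}
            copies.append(current)
        elif current is not None and key in ("Original Volume", "Shadow Copy Volume"):
            current[key] = value
    return copies


def usable_copies(text, encryption_started):
    """Shadow copies created before the files were encrypted, newest first.

    encryption_started may be a datetime or an ISO 8601 string.  An empty
    result together with snapshots_wiped() being True means the snapshots are
    gone, so you must fall back to backups or to Step 4.
    """
    if isinstance(encryption_started, str):
        encryption_started = datetime.fromisoformat(encryption_started)
    return sorted(
        (c for c in parse_vssadmin(text) if c["created"] < encryption_started),
        key=lambda c: c["created"],
        reverse=True,
    )


def snapshots_wiped(text):
    """True when vssadmin reports no shadow copies at all."""
    return not parse_vssadmin(text)


if __name__ == "__main__":
    infected_at = "2019-02-20T12:00:00"  # constructed: use the first ransom note's mtime
    for c in usable_copies(SAMPLE_TWO_COPIES, infected_at):
        print(c["created"], c["Shadow Copy Volume"])
    print("snapshots wiped:", snapshots_wiped(SAMPLE_NONE))
```

On a real machine, save the tool’s output to a file (vssadmin list shadows > shadows.txt from an elevated prompt) and feed the file contents to usable_copies(). The Shadow Copy Volume path of each surviving snapshot is what Previous Versions and Shadow Explorer read from, so any snapshot listed here is one you can expect to see in those dialogs; a snapshot created after the infection only contains encrypted files and is skipped.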
Step 4. Use Data Recovery programs to recover GandCrab 5.2 ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.