How to remove GandCrab virus and restore encrypted files (April 2018)

If you've encountered a ransomware and have causes to assume that it is the GandCrab virus – in our guide you'll receive help. We offer plain and tested advice on GandCrab elimination and potential methods how to get back the encrypted data.


Gandcrab virus


What is GandCrab

Back in 2005, the first virus-extortionists were born. All kinds of TROJ.RANSOM.A, Cryzip, Krotten and other ransom software - became the progenitors of modern cryptographers and gave rise to confrontation between the creators of the first malware and the developers of antivirus software. It has been relatively long since the emergence of extortion programs that encrypt data, but to this day, they do not lose their relevance. The technique of unlocking the computer and all the user data in exchange for redemption has been developed by intruders for a long time, and brings a stable profit to its owners, so the number of extortion viruses is steadily growing. GandCrab - a bright representative of their number. For the first time it became known on January 26, 2018, after which his activity began to grow rapidly, and to date GandCrab is one of the most notorious virus-extortioners of this year. It works on the same classical principle - it encrypts user data and requires a ransom after that, but its structure of penetration and further action is technically very complex and intricate. It is distributed through a set of exploits, such as GrandSoft and RIG, and the initial stage of infection is due to the specially created for this malicious advertising company Seamless. These data were found out by Malwarebytes specialists after a long analysis. Unlike most counterparts of extortion viruses, GandCrab, the first of its kind, uses the DASH payment system instead of Bitcoin to redeem, as all transactions in it are completely confidential due to the PrivateSend payment shuffling service. This guarantees an already good anonymity for the extortioner operators, which the virus creators reinforced by placing control servers on .bit domains using Namecoin's arbitrary name-value storage system (censorship-resistant domains). Therefore, these servers can not be renamed or taken under the control of the main governing body of the ICANN domain names. In addition, the developers of the virus gave their domain names similar to the names of the largest companies and resources: esetnod32 [.] Bit, bleepingcomputer [.] Bit, emsisoft [.] Bit, nomoreransom [.] Bit, and others, unobtrusively gandcrab [.] bit. Virus-encrypted files get the .GDCB extension and need a very complex decryption. The buy-out for decrypting the data from the virus developer is 1.5 DASH (about $ 1100 at the current rate), and 3 DASH if the payment was not received within the first days of the infection. In the UK alone and in Scandinavia, more than 50,000 computers were infected, and the total ransom of criminals was more than $ 600,000. Infection occurs, as in most cases, through redirecting links, emails, pop-up advertisements, etc. Also there is an opinion that the virus can get on the computer, disguised as a font update.


Regardless of ransomware’s type, the RSA and AES algorithms are too complex to brute force them. To perform all required operations on a standard computer, it will require for a hundreds years, or, possibly, 2-3 decades, if you can use a mega-efficient computer. There are two basic methods to beat a ransomware: to hack it, or break into the Command & Control website, to get a master key. Rare ransomware examples also have a breaker that can cease virus' operation in full or to drive it off a particular machine. If anyone discovers that switch for this virus, or publish a decryptor, we'll update this guide.


GDCB files


A specialist from Bitdefender, with the assistance of the Romanian police, required a lot of effort to find vulnerabilities in the malicious program and create tools for decrypting data. But as soon as they announced their success, the creators of the virus renewed their "brainchild". Now he got the designation GandCrab v2 and began to use even more sophisticated means for encryption reliability. [.] Bit - sending to the Romanian police, malwarehunterteam [.] Bit - sending to the experts of the MalwareHunterTeam team to find and fix various malicious programs, and gdcb [.] Bits. Also, the final extension of the encrypted files was modified. Now it is called .CRAB and has several other encryption algorithms. The means of communication with extortionists has also changed. Now, the attackers switched to the Tox message service, which is unattended, does not require registration for use and protected use of SOCKS proxy servers.


To date, several solutions have been released to decrypt data after GandCrab infection, but, unfortunately, they will all help only those affected by the obsolete type of virus that encrypts with the final file extension. Naturally, in the updated version of the virus, the currently available methods for decrypting data are no longer valid. We will have to be patient and hopeful for an early solution of the problem.

How to remove GandCrab

Here you can find several things to check, until you can search for a decryptor. As we said before, scammers make failures, and certain features of the Windows may help you to recover data.


  • If you do not employ the system via an administrator's profile – today is your fortunate day. The thing is that Windows duplicates any information before it is eliminated or modified. These files are known as the SVC, and the malware has the manners to destroy them. If you are working from the usual entry – the OS requests for a permission when GandCrab tries to remove SVC. If you saw suchlike window and cancel it – your SVC are secure, and you should use a topical tool to get back the data.
  • If you've made a copy of your data, and placed it on an outer drive – you should remove virus and upload old version of the files. Make sure that GandCrab is deleted in full, since if it isn't – all data can be messed up one more time, including the files that are on a flash disc.


If all of written above hints didn't work and you have no possibility to recover the data – you better delete GandCrab from your PC and wait until a decryptor will be developed.


As for the uninstalling – there’s no chance to completely escape an installation of an antiviral program. GandCrab is incredibly stealthy and you can skip some dangerous elements and then regret it (it might happen if you connect an outer data storage with your saved information to a not-totally-cleared PC). It knows how to lurk very well, and you just can't uninstall it fully on your own. Here's your removal specification which will suit your needs. It contains some manual stages and an extra anti-viral tool phase. Of course, you can use any other antivirus, but do it.

Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


We offer you to try Spyhunter AV program that is not simply effective, but is modern and continuously progressing program that can clear the computer of all viruses. Push the button below to use Spyhunter and eliminate GandCrab.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files

Since you cleared your PC of GandCrab, it's time for the data restoration. As we said before, if you use an admin account and you let the virus an access to the device – you have no trick to recover your files except for the backups. If you use a usual profile – you have faint odds for data restoration, but it needs peculiar recovery program. The most effective ones of them are Data Recovery Pro, ShadowExplorer and Recuva tools. They're simple to get on their official websites, with step-by-step guides. To download Data Recovery by Pareto, click the next button:

Download Data Recovery Pro

Data Recovery Pro advantages:

Recover a variety of file types, including deleted emails

Scans for deleted files on peripheral storage devices

Has user-friendly interface

Alternative way is to use system backups.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 5.00 [1 Vote]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience