How to remove GandCrab virus and restore encrypted files

If you've encountered a ransomware and have causes to suppose that it’s the GandCrab program – on this website you will receive help. We offer easy and tested tips for GandCrab elimination and potential manners to recover the corrupted data.

What is GandCrab


Gandcrab virus


Encryption virus is the worst kind of malware and we all know that if you see the inscription “files are encrypted” – the things are turning bad. It is a correct reaction, by the way. An encrypting virus is the worst thing that might happen to you on the Internet since a regular man has no resources to delete it. The exclusive case when you can defeat an encrypting virus is if you are not facing a true virus, but an imitation, that covers the display and attempts to lure your money. In any other case, if a virus was developed and maintained in a proper method – you can only hope that malware researchers will deal with it. If scammers made a mistake, and there are any vulnerabilities, that give you an ability to restore files – we will explain to you what to do on this page.


Let's find out, what we'd see if we take a glance inside a GandCrab? It consists of a legal cryptography algorithm, which ciphers all data on user’s computer and makes them unreadable if you have no key. Of course, a key is encrypted too, but with another algorithm. In most cases, fraudsters prefer RSA and AES methods that are known for their complicacy and fail-safety. The mentioned algorithms and the software built upon them are freely available on the Internet, so swindlers only have to add defensive mechanisms, to block an admittance to a program, and make the reliable control and update scheme. Some encrypting tools can act on their own, and fraudsters know of a new "client" only when he approaches them and sets off the funds. Other ransomware are work in another manner, and transmit data to thousands addresses, to puzzle the researchers and maximize the work needed to beat a ransomware.


Virus kind is not significant, as the RSA and AES algorithms are too tricky difficult to decipher them directly. It can take thousands of years to make all necessary calculations on a modern home PC and, possibly, twenty or thirty years if you have an access to a super-powerful gear. We know only two basic ways to defeat a ransomware: to hack into it, or hack its server, to receive a master key. Some viruses also have a switch, allowing to cease virus' operation totally or to drive it off the infected machine. If anyone finds that switch for this ransomware, or publish a decryptor, we will provide you with full info in this guide.


Gandcrab ransomware


Here we've gathered several methods to check, before yielding and looking for a decryptor. As we said earlier, web-criminals also fail, and some characteristics of the system can serve you to recover files.


  • If you have a copy of the system, stored on an external media – just uninstall a ransomware and use it. Ensure that GandCrab is deleted totally, since if it isn't – all data will be spoiled again, including those that are on a flash drive.
  • If you do not use the OS from an admin account – you're really lucky. The point is that the Windows duplicates any data before their deletion or change. Those copies are called SVC, and the malware knows how to destroy them. If you are working from the usual account – the OS asks for a authorization at the very second GandCrab starts to delete those copies. In case you saw such confirmation and declined it – your copies are safe, and you can download a specific program to restore the files.


If all of these hints didn't work and there is no chance to restore encrypted data – you have to remove GandCrab from your computer and wait until a decryptor will be developed.

How to remove GandCrab

Unfortunately, there’s no chance to totally escape an automatic mode. GandCrab is very sly and there is a chance miss some elements and then suffer from it (it might happen if you connect an outer data storage with the saved files to a not-really-cleared machine). It also hides very good, so you just can't uninstall it completely in manual mode. Knowing this, we’ve made a solid removal guide which can suit all your needs. It has a few manual phases and one extra antivirus software step.

Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus

Here's Spyhunter anti-viral program which is not simply efficient, but is swift and constantly advancing antivirus which is able to clear your PC of all suspicious programs. Push the button under this paragraph to try it and remove GandCrab.


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files

Since you cleared your PC of the virus, you should try to do some info recovery. As we said before, if you use an administrator entry and you granted the ransomware an access into the computer – there is no manner to recover your information save for the previously saved copies. If you use a common account – you have feeble chances for file recovery, but you will need peculiar recovery software. We suggest you to try Recuva or ShadowExplorer programs. You can get these tools easily on their official websites, with close instructions.

  • Click Start
  • Click Control Panel

Decrypt files. Step 1


  • Click System and Security

Decrypt files. Step 2


  • Select Backup and Restore

Decrypt files. Step 3


  • Select Restore files from backup
  • Select checkpoint to restore


Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 0.00 [0 Votes]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience