Gandcrab Ransomware Removal (+Gdcb File Recovery)

How to Remove Gandcrab Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:


PC User
Pc Name
PC Group
PC Lang.
Date of encrypt
Amount of your files
Volume of your files

But don’t worry, you can return all your files! We can help you!

Below you can choose one of your encrypted file from your PC and decrypt him, it is test decryptor for you.
But we can decrypt only 1 file for free.

ATTENTION! Don’t try use third-party decryptor tools! Because this will destroy yourr files!

What do you need?

You need GandCrab Decryptor. This software will decrypt all your encrypted files and will delete GandCrab from your PC. For purchase you need crypto-currency DASH (1 DASH = 760.567$). How to buy this currency you can read it here.

How much money you need to pay? Below we are specified amount and our wallet for payment

Price: 1.5 DASH (1200 USD) 

Did you discover that all your precious files have the .Gdcb extension? No matter what kind of apps you try, none seem to be able to open your documents and pictures? Unfortunately, the news is very bad. Your computer is infected with a serious virus. You have the Gandcrab Ransomware on board. This virus enters your computer via trickery and wreaks havoc. Once on board, the parasite spreads around your entire system. It corrupts essential for your OS files and folders. It rewrites your System Registry and creates copies of itself. Then, the ransomware proceeds with a file encryption process. This parasite uses sophisticated algorithms to lock your personal files. Music, pictures, documents, databases, it locks your precious files and adds the .Gdcb extension at the end of each encrypted file. From this point onward, you can see your files but you cannot open or use them. To restore your access, Gandcrab Ransomware demands a hefty ransom. It asks for 1.5 DASH (about $1200 USD) paid within three days. If you don’t pay the demanded sum and the time runs out, the sum will double. Don’t panic! This is a classic psychological trick. The crooks want to scare you. They are luring you into impulsive actions. Do not contact them and do not pay the ransom. There is an alternative. Gandcrab Ransomware can be decrypted. Check out our detailed manual removal guide below this article. If you are not confident in your computer skills, however, you can also use an automated solution. You have options. Chose your method and act!

How did I get infected with?

Gandcrab Ransomware is a sophisticated virus. Yet, to reach its victims, it still uses the classic distribution methods. Torrents, malvertising, bogus software updates and drive-by downloads are just the most commonly used ones. However, there is one method that stands above all others. The good old spam emails are still the number one cause of virus infections. This method is genius in its simplicity. The crooks usually write on behalf of well-known companies, banks, post offices, and police departments. When you receive such a letter, don’t get too excited. Don’t open it. Verify the sender first. You can simply enter the questionable email address into some search engine. If it was used for shady business, someone might have complained online. You can also visit the organization’s official website. Compare the email addresses listed there with the one you have received a letter from. If they don’t match, delete the pretender. Even if you decide to open the questionable email, keep your guard up. Bear in mind that reliable companies would use your real name to address you. If the letter starts with “Dear Customer” or “Dear Friend,” proceed with caution. You might be dealing with an imposter. You know better than to download attached files. Yet, did you know that hyperlinks are also to be avoided? Links can also be corrupted. One click is all it takes for a virus to be downloaded. Therefore, don’t interact with questionable emails.

remove Gandcrab

Why is Gandcrab dangerous?

Gandcrab Ransomware sneaks into your computer in complete silence and locks your precious files. The nasty parasite demands $1200 USD to restore your access to your personal documents and pictures. Do not pay the ransom. No one can guarantee you that the hackers will keep their part of the bargain. They promise to send a decryptor, however, practice shows that in such situations, the hackers tend to ignore the victims. These people are criminals. They target your wallet. They know what to say in order to lure you into impulsive actions. What you should do is to immediately remove the virus. The more time it spends on your PC, the more dangerous will it become. This pest has proven to be able to alter your system settings. It is a capable spying device too. The crooks can use it to steal data from you. If you use your infected device to pay the ransom, for example, the hackers may steal your credit card details. Don’t follow criminals’ instructions. You cannot win against crooks. Focus your attention on the virus removal process.

Gandcrab Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Gandcrab Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with Gandcrab encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Gandcrab encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment