How to Remove GandCrab 5.1 Ransomware (+File Recovery)

How to Remove GandCrab 5.1 Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

—= GANDCRAB V5.1 =—

UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED
FAILING TO DO SO WIL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension:

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

—————————————————————————————–

| 0. Download Tor browser – https://www.torproject.org/

| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/ b6314679c4ba3647/
| 4. Follow the instructions on this page

—————————————————————————————–

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

GandCrab 5.1 Ransomware is a nasty cryptovirus. It sneaks into your system through trickery and corrupts everything. It alters settings, corrupts essential directories, drops malicious files, and starts dangerous processes. Without wasting any time, the virus gets control of your system and starts working. This parasite follows programming to make your data inaccessible. GandCrab 5.1 targets the user-generated data. It is after your pictures, databases, documents, archives, music, videos. This nasty parasite detects and corrupts all known file formats. And it does this in complete silence. Without having any noticeable symptoms, this virus gets your data under lock and key. You cannot catch the ransomware in time to prevent the corruption. Once it encrypts your data, though, the virus reveals itself. It displays a scary ransom note. The ransomware promises to restore your files if you pay $1200. If you don’t pay up, GandCrab 5.1 increases the price. Don’t swing into action, though. You are dealing with cybercriminals. They promise a lot, but they don’t guarantee results. Practice shows that the criminals tend to ignore the victims once they get what they want. Do not become their sponsor. Do not follow their instructions. And most importantly, do not pay the ransom. Do what’s best for you and your system; remove the virus!

How did I get infected with?

GandCrab 5.1 Ransomware relies on the classic distribution strategies. The virus lurks behind corrupted links, spam emails, fake updates, and malicious software copies. There are myriads of ways for the virus to reach your system. But these methods succeed only if you let them to. The ransomware preys on your carelessness and naivety. It strikes when you let your guard down. Do not throw caution to the wind. No anti-virus app can protect you if you give into naivety. Only your caution is powerful enough to keep your device secure and virus-free. Even a little extra vigilance can spare you an avalanche of problems. Stay away from shady websites. Download software and updates from reliable sources only. And be very careful with your inbox. Treat all unexpected messages as potential threats. Always take the time to verify the senders before you interact with their messages. If the unexpected email, is supposed to be from an organization, your bank, for example, go to their official website. Compare the email addresses listed there to the questionable one. If they don’t match, delete the pretender. You can also enter the suspicious email addresses into a search engine. If they were used for questionable business, someone might have complained online.

Why is GandCrab 5.1 dangerous?

GandCrab 5.1 is a nasty virus. It slithers into your system and corrupts your data. This menace uses strong encryption algorithms which are currently unbreakable by third-party software. The virus is also known to delete shadow volume copies which make the file recover even more complicated. Paying the ransom, however, is not advisable. The cybercriminals demand Bitcoin. This cybercurrency is untraceable. Once you transfer the money, you cannot get them back if something goes wrong. And that’s inevitable. You, after all, are dealing with liars. These people promise a lot, but they don’t deliver results. Before you make up your mind, be aware that there are cases where the victims paid, just to be blackmailed for more. There are also instances where the victims received partly-working decryptors. And let’s not forget that the decryption process removes the lock, but it doesn’t delete the virus. How would you feel if you restore your data only to have it re-encrypted hours later? GandCrab 5.1 is a complete and utter menace. Do not become a sponsor of its crafty creators. Consider discarding your files. Of course, if you have backups saved on external devices, you can use them to restore your data. Just make sure that the virus is completely removed before you attempt any such processes.

GandCrab 5.1 Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover GandCrab 5.1 Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

• Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
• Locate the process of the ransomware. Have in mind that this is usually a random generated file.
• Before you kill the process, type the name on a text document for later reference.

• Locate any suspicious processes associated with GandCrab 5.1 encryption Virus.
• Right click on the process
• Open File Location
• End Process
• Delete the directories with the suspicious files.
• Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

• Open any folder
• Click on “Organize” button
  
• Choose “Folder and Search Options”
• Select the “View” tab
• Select “Show hidden files and folders” option
• Uncheck “Hide protected operating system files”
• Click “Apply” and “OK” button

STEP 3: Locate GandCrab 5.1 encryption Virus startup location

• Once the operating system loads press simultaneously the Windows Logo Button and the R key.

• A dialog box should open. Type “Regedit”
• WARNING! be very careful when editing the Microsoft Windows Registry as this may render the system broken.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

• and delete the display Name: [RANDOM]

• Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

• Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

• Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
• Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.