Remove Gandcrab v5.3 Ransomware (+File Recovery)

How to Remove Gandcrab v5.3 Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

—= GANDCRAB V5.3 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
———————————————————————–
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/[unique_ID]
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
• DO NOT MODIFY ENCRYPTED FILES
• DO NOT CHANGE DATA BELOW


Gandcrab v5.3 is yet another variant of the Gandcrab ransomware, and if you are seeing the note above you are in serious trouble. As soon as this cryptovirus gets into your OS, corruption follows. It wastes no time: it drops its payload, modifies the registry so that it runs again after a reboot, alters settings, and starts its encryption routine. All of this happens without any noticeable symptoms, so you cannot catch the virus in time to limit the damage. Gandcrab v5.3 works in the shadows without triggering any alarms. The ransomware is after your personal data: pictures, databases, archives, documents, music. It locates the user-generated files and puts them under lock and key. It does not damage or delete the files; it encrypts them with strong cryptography, which simply makes them inaccessible without the key. You can still see the icons of your files, but you cannot view or edit their contents. To restore your access, Gandcrab v5.3 demands an astonishing ransom paid in Bitcoin. Do not rush to pay. Paying the ransom is not advisable: the threat actors promise a lot, but these criminals are notorious for double-crossing their victims. Heed the experts' advice: act against the virus, and don't become a sponsor of cybercriminals.

How did I get infected?

Gandcrab v5.3 lurks behind spam messages, corrupted links, and fake updates. The virus hides in the shadows and waits for you to let your guard down; it infects your computer when you throw caution to the wind. No anti-virus product alone can protect you. Your own habits are the first line of defense, and even a little extra attention can spare you an avalanche of problems. So, don't be lazy: always take the time to do your due diligence. Don't visit questionable websites. Download software and updates only from reliable, preferably official, sources. And be very careful with your inbox. Whether it is an instant message or an email, treat every unexpected message as a potential threat, and do not open attachments or enable macros in documents you were not expecting. Always verify the sender. If, for example, you receive an unexpected email from an organization, go to its official website and compare the addresses listed there with the one in the message. Look at the actual sender address rather than the display name, because the display name is trivial to forge. If they don't match, delete the pretender. You can also enter the suspicious address into a search engine; if it has been used for questionable activities, someone may have complained online.


Why is Gandcrab v5.3 dangerous?

Gandcrab v5.3 is a havoc-wreaking menace. It slithers into your OS and wrecks everything. The virus locks your files and prevents you from viewing their content, and as long as it is still running it will also lock any new file you save, which makes your device as good as useless. It promises a solution if you pay up. Don't do it, though! The cybercriminals behind the virus will use the money to fund further criminal activities. Don't sponsor them! Paying may also not turn out the way you expect: practice shows that the hackers tend to ignore their victims once they receive the money, and there are cases where victims paid only to be blackmailed for more. Do not give in to naivety. Don't open your wallet; look for a solution elsewhere. There are third-party decryptors for Gandcrab v5.3. Although some users report that the decryption tools are not flawless, they can still help you, and a free decryptor cannot make things worse as long as you run it against copies of the encrypted files. Before paying anything, check the No More Ransom project (nomoreransom.org) for a current decryptor. Also bear in mind that the threat actors recently published the decryption keys for their Syrian victims; this data can hopefully aid malware researchers in creating better decryptors!

Gandcrab v5.3 Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Gandcrab v5.3 Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
  • Locate the process of the ransomware. Bear in mind that its name is usually randomly generated, so look for an unfamiliar process whose executable runs from a user-writable folder such as %APPDATA% or %TEMP%.
  • Before you kill the process, note its name and full path in a text document for later reference; you will need the path again in STEP 3.

  • Locate any suspicious processes associated with the Gandcrab v5.3 encryption virus.
  • Right-click on the process.
  • Choose Open File Location.
  • End the process.
  • Delete the directory containing the suspicious file.
  • Bear in mind that the process can be hiding under an innocuous name and can be very difficult to detect. If in doubt, disconnect the machine from the network first, so that the ransomware cannot reach shared folders while you investigate.

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on the “Organize” button (on Windows 8 and later, open the “View” tab of the ribbon and click “Options” instead)
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select the “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK”

STEP 3: Locate the Gandcrab v5.3 encryption virus startup location

  • Once the operating system loads, press the Windows Logo key and the R key simultaneously, type regedit and press Enter.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the value with the random display name [RANDOM] whose data points to the executable you noted in STEP 1. The Wow6432Node key exists only on x64 systems.

  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the System Configuration utility (msconfig) to double-check the execution point of the virus; on Windows 8 and later the startup entries are listed on the Startup tab of Task Manager instead. Bear in mind that the names on your machine will be different, as they are generated randomly, which is why you should also run a professional scanner to identify the malicious files.
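STEPS 1 and 3 can be done in one pass from an elevated PowerShell prompt. The script below is an added example written for this guide, not code from the original page or from any vendor tool; it lists every process whose executable lives in a user-writable location and every value in the three Run keys named above, flagging those that point into such a location, and kills the listed processes only when you re-run it with -Kill after reviewing the output. The user-writable path pattern is an assumption that matches the locations the guide mentions; legitimate per-user software (updaters, chat clients) also runs from AppData, so check each entry before acting.

```powershell
# Added triage script for STEPS 1 and 3; not part of the original guide.
# Assumes Windows, PowerShell 5.1 or later, and an elevated prompt so that
# processes of every user are visible. Save as triage.ps1, run it once to
# review, then run .\triage.ps1 -Kill to stop the listed processes.
param([switch]$Kill)

# Assumption: directories a normal user can write to, where droppers usually land.
# Matches %APPDATA%, %LOCALAPPDATA% and %TEMP% of any user, plus C:\Windows\Temp.
$userWritable = '\\AppData\\|\\Windows\\Temp\\|\\Users\\Public\\'

function Get-SuspectProcess {
    # ExecutablePath is empty for protected system processes; those are skipped.
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match $userWritable } |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
}

function Get-RunKeyEntry {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # x64 only
    )
    # Get-ItemProperty adds these bookkeeping properties; they are not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = [bool]([string]$p.Value -match $userWritable)
            }
        }
    }
}

$suspects = Get-SuspectProcess
"== Processes running from user-writable locations =="
$suspects | Format-Table -AutoSize | Out-String

"== Run-key entries (Suspicious = command points into a user-writable path) =="
Get-RunKeyEntry | Format-Table -AutoSize -Wrap | Out-String

if ($Kill) {
    foreach ($s in $suspects) {
        # The path is printed first because it is what you delete in STEP 3 and scan later.
        "Stopping PID $($s.ProcessId) $($s.ExecutablePath)"
        Stop-Process -Id $s.ProcessId -Force -ErrorAction Continue
    }
}
```

HKCU is the hive of the account running the script, so run it as the user who was infected (or load that user's hive) rather than from a separate administrator account, or the per-user Run key you see will not be the one the ransomware wrote to.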

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one. Make sure the ransomware has been removed (STEPS 1 to 3) before you reconnect a backup drive, or the restored files will be encrypted again.
  • Method 2: File Recovery Software: some ransomware families first make a copy of each file, encrypt the copy and then delete the original, in which case file recovery (undelete) software may be able to carve some of the original files out of unallocated disk space. To avoid overwriting that space, run the recovery tool from another drive, or better against an image of the affected disk, and save the recovered files somewhere else.
  • Method 3: Shadow Volume Copies: if the ransomware did not delete them, you can restore your files from Shadow Volume Copies using the free ShadowExplorer tool (or the Previous Versions tab of a file's Properties dialog). Choose the drive you want to recover, right-click any file or folder you want to restore and click Export.
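Before trying Methods 2 and 3 it helps to know which extension the ransomware used, where its notes are (decryptor tools usually ask for one), and whether any shadow copies survived. The PowerShell script below is an added example for this guide, not code from the original page or from any vendor tool; it assumes Windows, PowerShell 5.1 or later, an elevated prompt, and that STEPS 1 to 3 have already been done. The note filename pattern (extension followed by -DECRYPT.txt or .html) and the list of legitimate five-letter extensions it ignores are assumptions used only to narrow the search.

```powershell
# Added recovery-triage script for STEP 4; not part of the original guide.
# Assumes Windows, PowerShell 5.1 or later, an elevated prompt, and that the
# ransomware process has already been stopped. Save as recovery-triage.ps1 and
# run .\recovery-triage.ps1 (optionally -Root D:\ to scan another drive).
param([string]$Root = $env:USERPROFILE)

# 1. Work out the extension. The ransom note says every encrypted file gets the same
#    random 5-letter extension, so the most frequent unknown 5-letter extension under
#    the profile is the likely candidate. The 'known' list is a constructed filter of
#    common legitimate 5-letter extensions, not an exhaustive one.
$known = '.docx', '.xlsx', '.pptx', '.jpeg', '.html', '.mpeg', '.json', '.class', '.accdb'
$files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue

function Get-CandidateExtension {
    $files |
        Where-Object { $_.Extension -match '^\.[A-Za-z]{5}$' -and $_.Extension.ToLower() -notin $known } |
        Group-Object { $_.Extension.ToLower() } |
        Sort-Object Count -Descending |
        Select-Object -First 3 Name, Count
}

# 2. Find ransom notes. Assumption: the note is named <EXTENSION>-DECRYPT.txt or .html.
function Get-RansomNote {
    $files | Where-Object { $_.Name -match '-DECRYPT\.(txt|html)$' } | Select-Object -First 10 FullName
}

# 3. Shadow copies. Ransomware commonly deletes them; if none are listed, Method 3
#    will not work and you fall back to backups (Method 1) or carving (Method 2).
function Get-SurvivingShadowCopy {
    Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName
}

"== Candidate ransomware extensions under $Root (most frequent first) =="
Get-CandidateExtension | Format-Table -AutoSize | Out-String

"== Ransom notes =="
Get-RansomNote | Format-Table -AutoSize -Wrap | Out-String

"== Surviving shadow copies =="
$shadows = Get-SurvivingShadowCopy
if ($shadows) { $shadows | Format-Table -AutoSize | Out-String }
else { "none found: restore from backup or try file carving on a disk image instead" }
```

Copy a handful of encrypted files and one note to a separate drive before running any decryptor or recovery tool, and point the tool at the copies; the originals stay untouched in case the first tool you try mishandles them.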
