GandCrab Ransomware

GandCrab Ransomware is a new danger to your files as it can sneak onto your system and encrypt hundreds of file extensions. This ransomware program is coded in C++ and seems rather professional. Most victims are reported in South Korea, followed by the US, China, and Russia. Unlike most other ransomware infections, this one demands the ransom fee to be paid in DASH instead of the usual Bitcoin. You have to pay hundreds of dollars (depending on the current rate) in order to get the private key so that you can recover your encrypted files. Unfortunately, neither we nor your attackers can guarantee that your payment will be rewarded by this unique key. The truth is, in most cases it is more likely that you will never see your files again unless you have a backup or malware hunters can come up with a free file recovery tool. Since in this case we do not know of a free tool yet, you may lose all your important files if you have no recent backup. We advise you to immediately remove GandCrab Ransomware from your PC.

The most likely way for you to infect your machine with this dangerous ransomware program is via the RIG Exploit Kit. This means that you may get redirected to unsecure websites using Javascript to check for vulnerable plug-ins and exploit them. This is possible only when your browsers or drivers (Java and Adobe Flash) are not up-to-date. You can easily end up on such a page if you carelessly click on random third-party advertisements on suspicious gaming, betting, dating, file-sharing, and porn-related websites. One click on the wrong content and you could be taken to a new tab where such a malicious page could load. However, by the time you may realize that this page is not exactly reliable, this infection will have been dropped and activated. This also means that you cannot delete GandCrab Ransomware without possibly losing your files in this malicious attack.

But this ransomware can also be spread in other ways. You may download it when downloading a software crack from a shady torrent or freeware website. You should stick with official and reputable sites whenever it comes to downloading software or updates. Yet another possibility to let this dangerous program on board is via spam e-mails. You need to be very careful when opening e-mails because this threat can show up as an intriguing file attachment. However, when you click to view this attachment, you will not be able to delete GandCrab Ransomware without the encryption of your files.

Upon execution, this dangerous ransomware program searches for dozens of .exe programs in the running processes list and terminates them, including sqlagent.exe, sqlbrowser.exe, sqlservr.exe, onenote.exe, outlook.exe, powerpnt.exe, winword.exe, and wordpad.exe. Once this termination of the targeted processes is done, it copies itself to "%APPDATA%\Microsoft\wngtom.exe" and starts operating from there. This ransomware infection also creates a PoE for the file in: "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce::[random string]" to start up automatically with Windows, which usually means the encryption of all your new files.

This beast of a ransomware uses the AES algorithm to encode your files, which get a ".GDCB" extension. The ransom note is called "GDCB-DECRYPT.txt" and it is dropped in every affected folder as well as in "%ALLUSERSPROFILE%\Start Menu\Programs\Startup", which means that the ransom note will open upon Windows startup. The ransom note instructs you to visit the payment site via TOR browser if possible for you but there are alternative addresses given for those who cannot use TOR. These criminals demand the ransom to be paid in DASH, which is a cryptocurrency similar to Bitcoin. In fact, you have to send 1.5 DASH (760 US dollars at the moment, even though the ransom note may claim 1,200 USD) to get the private key required to recover your files. If you fail to transfer the fee within 4 days and 12 hours, this price doubles. Still, we recommend that you remove GandCrab Ransomware as soon as possible.

If, after the initial shock, you are ready to take action, we suggest that you use our guide below. Of course, it is possible that manual removal is out of the question for you. Therefore, we also advise you to employ a trustworthy anti-malware application like SpyHunter, which can automatically take care of your system security issues, big or small. Please remember to update all your programs if you want to feel safe from cyber attacks aiming to exploit older software bugs.

How to remove GandCrab Ransomware from Windows

1. Press Win+R and enter regedit in the box. Click OK.
2. Locate and delete the PoE: "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce::[random string]"
3. Exit the editor.
4. Press Win+E.
5. Delete the downloaded malicious file. (Check all your default download folders for suspicious files.)
6. Delete "%APPDATA%\Microsoft\wngtom.exe" as well as all ransom notes ("GDCB-DECRYPT.txt"), including the one in "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
7. Empty your Recycle Bin.
8. Restart your computer.