- Slow Computer
- System crashes
- Connects to the internet without permission
- Installs itself without permissions
GandCrab Ransomware is a new danger to your files, as it can sneak onto your system and encrypt files with hundreds of different extensions. This ransomware program is coded in C++ and seems rather professional. Most victims are reported in South Korea, followed by the US, China, and Russia. Unlike most other ransomware infections, this one demands that the ransom fee be paid in DASH instead of the usual Bitcoin. You have to pay hundreds of dollars (depending on the current rate) to get the private key needed to recover your encrypted files. Unfortunately, neither we nor your attackers can guarantee that paying will actually get you this unique key. The truth is, in most cases it is more likely that you will never see your files again unless you have a backup or malware hunters can come up with a free file recovery tool. Since we do not know of a free tool yet in this case, you may lose all your important files if you have no recent backup. We advise you to immediately remove GandCrab Ransomware from your PC.
But this ransomware can also be spread in other ways. You may download it when downloading a software crack from a shady torrent or freeware website. You should stick with official and reputable sites when downloading software or updates. Spam e-mail is yet another way this dangerous program can get on board. You need to be very careful when opening e-mails because this threat can show up as an intriguing file attachment. However, once you click to view this attachment, you will not be able to delete GandCrab Ransomware before it encrypts your files.
Upon execution, this dangerous ransomware program searches the list of running processes for dozens of .exe programs and terminates them, including sqlagent.exe, sqlbrowser.exe, sqlservr.exe, onenote.exe, outlook.exe, powerpnt.exe, winword.exe, and wordpad.exe. Once the targeted processes have been terminated, it copies itself to "%APPDATA%\Microsoft\wngtom.exe" and starts operating from there. This ransomware infection also creates a point of execution (PoE) for the file in "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce::[random string]" to start up automatically with Windows, which usually means the encryption of all your new files.
This beast of a ransomware uses the AES algorithm to encrypt your files, which get a ".GDCB" extension. The ransom note is called "GDCB-DECRYPT.txt" and it is dropped in every affected folder as well as in "%ALLUSERSPROFILE%\Start Menu\Programs\Startup", which means that the ransom note will open upon Windows startup. The ransom note instructs you to visit the payment site via the Tor browser if possible, but alternative addresses are given for those who cannot use Tor. These criminals demand that the ransom be paid in DASH, which is a cryptocurrency similar to Bitcoin. In fact, you have to send 1.5 DASH (760 US dollars at the moment, even though the ransom note may claim 1,200 USD) to get the private key required to recover your files. If you fail to transfer the fee within 4 days and 12 hours, this price doubles. Still, we recommend that you remove GandCrab Ransomware as soon as possible.
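The artifacts described above (the self-copy under %APPDATA%, the RunOnce value, the ".GDCB" extension and the "GDCB-DECRYPT.txt" note) can be checked with a short read-only triage script. This is an added example, not code from the original article; the function names are hypothetical, and it only reports findings without deleting anything.

```python
"""Read-only triage for the GandCrab artifacts named in the article (added example)."""
import os
from pathlib import Path

NOTE_NAME = "gdcb-decrypt.txt"               # ransom note name, compared lowercase
ENC_SUFFIX = ".gdcb"                         # encrypted-file extension, lowercase
DROPPED = Path("Microsoft") / "wngtom.exe"   # self-copy location under %APPDATA%
RUNONCE = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"

def scan_tree(root):
    """Walk root; return (encrypted_files, ransom_notes) as sorted path lists."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                notes.append(full)
            elif name.lower().endswith(ENC_SUFFIX):
                encrypted.append(full)
    return sorted(encrypted), sorted(notes)

def dropped_copy(appdata):
    """Return the path of the self-copy under appdata if present, else None."""
    candidate = Path(appdata) / DROPPED
    return str(candidate) if candidate.is_file() else None

def runonce_hits(values):
    """Keep (name, data) RunOnce pairs whose command references wngtom.exe.
    The value name is a random string per the article, so only data is matched."""
    return [(n, d) for n, d in values if DROPPED.name in str(d).lower()]

def read_runonce():
    """Read HKCU RunOnce values on Windows; [] on other systems or if key is absent."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _type = winreg.EnumValue(key, i)
                out.append((name, data))
    except OSError:
        pass
    return out

if __name__ == "__main__":
    enc, notes = scan_tree(os.path.expanduser("~"))
    print(len(enc), "encrypted files;", len(notes), "ransom notes")
    print("dropped copy:", dropped_copy(os.environ.get("APPDATA", "")))
    print("RunOnce hits:", runonce_hits(read_runonce()))
```

Run it as the affected user, since both %APPDATA% and HKCU are per-user locations.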
If, after the initial shock, you are ready to take action, we suggest that you use our guide below. Of course, it is possible that manual removal is out of the question for you. Therefore, we also advise you to employ a trustworthy anti-malware application like SpyHunter, which can automatically take care of your system security issues, big or small. Please remember to update all your programs if you want to feel safe from cyber attacks aiming to exploit older software bugs.
How to remove GandCrab Ransomware from Windows