Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Gandcrab2 Ransomware

Gandcrab2 Ransomware is most likely a new version of a threat called GandCrab Ransomware. Our researchers say this malicious program should encrypt the user's files and then mark them with the .crab extension. Unfortunately, for the decryption of such data the malware's developers want to get 800 US dollars from each victim. No doubt, it is not exactly a small sum, and we do not think a lot of users would want to risk losing it in vain. Even if the hackers who created Gandcrab2 Ransomware guarantee they will deliver the promised decryption tool, in reality there is no knowing whether they will be willing or able to do so. Therefore, instead of risking your savings we recommend erasing this malicious program. Its removal will not decrypt any files, but it will clean up your system, and once it is secure you could use backup copies if you have them. To learn how to eliminate this threat, you should not only read the rest of the text but also see the instructions placed below it.

The first version of the malware was spread with a particular exploit kit called RigEK. Apparently, with its help, the malicious program's creators were able to exploit vulnerable plugins, which they identified using JavaScript. It is entirely possible Gandcrab2 Ransomware might be distributed this way too, but there are other options as well. For instance, the threat could travel with malicious email attachments, software installers, and so on. Such files could be encountered by users who carelessly open attachments from unknown senders or download installers from potentially harmful web pages. Since all of these scenarios look entirely possible, we feel we should list a few different tips and extra precautions for you to consider. First of all, it might be a good idea to update old plugins or other outdated software on your computer. Next, our researchers would recommend avoiding suspicious email attachments and potentially malicious web pages. Also, you may want to consider acquiring a reliable antimalware tool if you do not have one or the one you have is out of date, because a trustworthy tool could warn you about various threats and help you keep the system safe.

Soon after Gandcrab2 Ransomware enters the system, it might create a few new files or copies of its launcher (the suspicious file you opened before the system got infected). Then the malicious program should start the encryption process, during which it might lock various documents, photographs, pictures, archives, and other private files. All of them should be marked with the .crab extension, for example, roses.jpg.crab, speech.docx.crab, family_trip_photos.zip.crab, etc. Needless to say, files marked with this extension become unusable as the computer cannot recognize them. Removing the extension will not change anything, except that if volunteer IT specialists manage to create a free decryption tool, it may not work on files that do not have the malware's extension. Thus, if you do not have any backup copies and the threat damaged a lot of valuable data you would like to get back, it might be best to leave the locked data as it is and see whether volunteer IT specialists manage to create a decryption tool you could use.

Users who have no other way to recover encrypted data could also consider paying the ransom. Right after Gandcrab2 Ransomware locks all targeted files, it should drop a ransom note claiming the user can get his files back if he follows the provided instructions. Completing these steps should get the victim to the malware's web page, where the user can learn what to do to pay the ransom. The asked price at the moment of writing seems to be 800 US dollars. It is not a sum one could easily throw away, and if you are among the people who do not want to waste their savings, we would recommend not giving in to any demands. There are always cases when users who pay the ransom and follow all instructions still end up being tricked, as you can never know if the hackers are telling you the truth. Consequently, instead of risking your savings, we advise erasing the malware manually by following the instructions located a bit below this text or with a reliable antimalware tool of your choice.

Eliminate Gandcrab2 Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Go to the Task Manager.
  3. Find the malware’s process.
  4. Mark this process and click End Task.
  5. Exit Task Manager.
  6. Tap Win+E.
  7. Navigate to:
  8. See if you can find the malicious file you opened before the threat appeared.
  9. Right-click the suspicious file and press Delete.
  10. Go to %APPDATA%\Microsoft
  11. Locate a suspicious executable file, for example, wngtom.exe, right-click it and select Delete.
  12. Look for a ransom note, for example, GDCB-DECRYPT.txt, right-click it and press Delete.
  13. Exit File Explorer.
  14. Tap Win+R.
  15. Insert Regedit and press Enter.
  16. Find this location: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  17. Search for a suspicious value name with a random title, right-click it and select Delete.
  18. Exit Registry Editor.
  19. Empty Recycle bin.
  20. Reboot the PC.
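
Before deleting anything in steps 10 to 17, it helps to record what is actually present. The PowerShell script below is an added example, not part of the original instructions: it is read-only and lists executables in %APPDATA%\Microsoft with their hashes and signature status, the values under the RunOnce key, and any GDCB-DECRYPT.txt notes and .crab files. Searching the whole user profile and the report file name on the Desktop are assumptions made for this example, and the file names the article gives (wngtom.exe, GDCB-DECRYPT.txt) are examples that may differ on a given machine.

```powershell
# Read-only triage of the locations named in the removal steps. Deletes nothing.
$ErrorActionPreference = 'SilentlyContinue'   # skip folders we cannot read

# Steps 10-11: executables sitting directly in %APPDATA%\Microsoft (e.g. wngtom.exe).
$appDataMs = Join-Path $env:APPDATA 'Microsoft'
$exes = Get-ChildItem -LiteralPath $appDataMs -Filter '*.exe' -File -Force |
    Select-Object FullName, Length, CreationTime,
        @{ n = 'SHA256';    e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } },
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } }

# Steps 16-17: every value under the current user's RunOnce key, with its command line.
$runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runOnce = @()
$key = Get-Item -LiteralPath $runOnceKey
if ($key) {
    $runOnce = foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Command = $key.GetValue($name) }
    }
}

# Step 12 and the .crab marker: ransom notes and encrypted files.
# Assumption of this example: only the user profile is searched.
$profileFiles = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force
$notes = $profileFiles | Where-Object Name -eq 'GDCB-DECRYPT.txt'
$crab  = $profileFiles | Where-Object Extension -eq '.crab'
$crabByFolder = $crab | Group-Object DirectoryName |
    Sort-Object Count -Descending | Select-Object Count, Name -First 20

# Build one report and keep a copy, so there is a record before anything is deleted.
$report = @(
    '== Executables in %APPDATA%\Microsoft =='
    ($exes | Format-List | Out-String)
    '== HKCU RunOnce values =='
    ($runOnce | Format-List | Out-String)
    '== Ransom notes found =='
    ($notes | Select-Object FullName, CreationTime | Format-Table -AutoSize | Out-String)
    "== .crab files: $(@($crab).Count) total; top folders =="
    ($crabByFolder | Format-Table -AutoSize | Out-String)
)
$report
# Hypothetical output path chosen for this example.
$report | Set-Content -LiteralPath (Join-Path $env:USERPROFILE 'Desktop\gandcrab2-triage.txt')
```

An unsigned executable whose creation time is close to that of the ransom notes, and whose path also appears as a RunOnce command, is the most likely candidate for steps 11 and 17; the per-folder .crab counts show which folders would need restoring from backup.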