Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

GandCrab 5.0.9 Ransomware

GandCrab 5.0.9 Ransomware is the latest variant of the GandCrab Ransomware, a malicious file-encryptor that goes after personal files. The files are encrypted so that the victim, the owner of these files, can be pushed into paying the ransom. According to our malware researchers, the attackers promise a decryptor in exchange for this ransom, and the amount can range anywhere from $800 to $1600; it allegedly depends on how fast the victim reacts. This is a lot of money, and paying the ransom is not only financially disadvantageous but also extremely risky. The chances of you getting a decryptor in the process are slim to none, so even if the ransom were $10, we would not recommend paying it. Of course, you are the one who needs to make a choice and, hopefully, you will be more confident once you read this report. We discuss the distribution and activity of the threat and, of course, we also show how to remove GandCrab 5.0.9 Ransomware.

According to our malware experts, GandCrab 5.0.9 Ransomware is most likely to be spread using spam emails and exploit kits. When it comes to spam emails, the messages are set up to trick you into opening a link or a file attachment that executes the threat. The exploit kits (e.g., the Rig Exploit Kit) rely on existing security vulnerabilities that can be exploited to drop malware onto the computer. As it turns out, malware loaders might be involved in the process. A malware loader is a tool with basic functionality, which, in most cases, is limited to downloading, executing, updating, and deleting files. Of course, that is all that attackers need to execute something like GandCrab 5.0.9 Ransomware. One of the loaders that has been linked to this infection is Trojan.Ascentor Loader, but, at the time of analysis, we could not confirm this. To ensure that no stone is left unturned, we include steps that show how to delete this malware loader in the manual removal instructions below.

Since GandCrab Ransomware operates as RaaS (Ransomware-as-a-Service), anyone can use the base malware code and build upon it. That is why the different versions of this malware have more similarities than differences. GandCrab 5.0.9 Ransomware, just like its predecessors, encrypts files and adds a random 5-character extension to their names. The same extension is also included in the name of the ransom note file ([5 characters]-DECRYPT.txt or [5 characters]-DECRYPT.html), which is placed where it is easily found. Copies of this file might even be dispersed throughout the operating system. The message inside the file informs the victim that they must obtain a “unique private key” (a.k.a., the decryptor) to restore files. To obtain the key, they are instructed to download the Tor Browser and follow a special link. The page behind this link provides more details regarding the payment of the ransom. According to our malware experts, the files corrupted by previous versions of GandCrab Ransomware could be decrypted for free, and our hope is that GandCrab 5.0.9 Ransomware is decryptable too.

Whether or not you successfully decrypt files corrupted by GandCrab 5.0.9 Ransomware, you must not forget the two most important tasks. First of all, you need to remove the infection. Second, you need to find the security gaps through which it got in and patch them appropriately to ensure that malicious threats cannot attack and wreak havoc in the future. Taking care of this manually is not easy. While deleting GandCrab 5.0.9 Ransomware might not be too complicated if you can discover the launcher file, protecting the operating system could be extremely difficult. Fortunately, anti-malware software can both remove malware and ensure further protection against it. As you can guess, we recommend installing this software as soon as possible. There is one more thing you can do in preparation for facing ransomware: back up your personal files. While your files should be safe as long as anti-malware software is in place, you do not want to take any chances, because most file-encryptors are NOT decryptable. Use an external drive or a cloud storage service to create backup copies of all valuable files.

GandCrab 5.0.9 Ransomware Removal

  1. Tap Ctrl+Alt+Delete.
  2. Click Start Task Manager.
  3. Click the Processes tab.
  4. Look for malicious processes that belong to the ransomware and Trojan.Ascentor Loader.
  5. Before you End process, right-click the process and click Open file location to access the malicious [random name].exe file.
  6. Possible locations of the ransomware [unknown name].exe file that you need to Delete:
    • %USERPROFILE%\Desktop
    • %USERPROFILE%\Downloads
    • %TEMP%
  7. The location where you should find and Delete the Trojan.Ascentor Loader [random name].exe file:
    • %ALLUSERSPROFILE%
  8. Launch Run (tap Win+R keys) and enter regedit.exe into the dialog box.
  9. Go to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  10. If it exists, Delete the [random name] value that represents the Trojan.Ascentor Loader’s .exe file.
  11. Finally, Delete [5 characters]-DECRYPT.txt or [5 characters]-DECRYPT.html files.
  12. Empty Recycle Bin and then inspect your operating system using a legitimate malware scanner.
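Before deleting anything by hand, the indicators the steps above rely on can be confirmed from a PowerShell prompt. The following triage script is an added example and not code from the original article; it reads the Run key and the profile locations named in the steps, and assumes the 5-character extension is alphanumeric (the article does not say).

```powershell
# Added defender triage script (not part of the original article). It checks the three
# indicators the manual removal steps use: an autostart value under the Wow6432Node Run
# key, ransom notes named [5 characters]-DECRYPT.txt/html, and files carrying that
# extension. Assumption: the 5-character extension is alphanumeric.
$RunKey      = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
$NotePattern = '^(?<ext>[A-Za-z0-9]{5})-DECRYPT\.(txt|html)$'
$NoteRoots   = @($env:USERPROFILE, $env:ALLUSERSPROFILE)

# 1. Autostart values: print each name, its command line and, where the command resolves
#    to an existing file, its SHA-256 so the file can be checked with a malware scanner.
if (Test-Path $RunKey) {
    $values = (Get-ItemProperty -Path $RunKey).PSObject.Properties |
              Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $values) {
        $candidate = [string]$v.Value -replace '"', ''            # drop surrounding quotes
        if (-not ($candidate -and (Test-Path -LiteralPath $candidate))) {
            $candidate = ($candidate -split '\s+')[0]               # drop trailing arguments
        }
        $hash = if ($candidate -and (Test-Path -LiteralPath $candidate)) {
            (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        } else { 'file not found' }
        "[Run] {0}`n      command: {1}`n      SHA256 : {2}" -f $v.Name, $v.Value, $hash
    }
} else {
    "[Run] key not present: $RunKey"
}

# 2. Ransom notes: the 5 characters before -DECRYPT are the extension appended to
#    encrypted files, so each distinct note name tells us which files to look for.
$notes = Get-ChildItem -Path $NoteRoots -Recurse -File -ErrorAction SilentlyContinue |
         Where-Object { $_.Name -match $NotePattern }
$notes | ForEach-Object { "[Note] $($_.FullName)" }

$extensions = foreach ($n in $notes) {
    if ($n.Name -match $NotePattern) { $Matches['ext'] }
}
foreach ($ext in ($extensions | Sort-Object -Unique)) {
    $encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter "*.$ext" `
                   -ErrorAction SilentlyContinue)
    "[Ext ] .$ext : $($encrypted.Count) file(s) with this extension under $env:USERPROFILE"
}
if (-not $notes) { "[Note] no *-DECRYPT.txt/html files found under $($NoteRoots -join ', ')" }
```

Run it from an elevated PowerShell prompt so the HKLM key and all profile folders are readable; the hash lines are what you submit to a scanner before deciding whether an autostart entry is the loader.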
