GandCrab v4 ransomware. How to remove? (Uninstall guide)

[Matrix]

GandCrab v4 ransomware – the dangerous file locking virus that came back with its 4th version

GandCrab v4 ransomware is the newest variant of the GandCrab family and was first noticed by security experts^[1] at the start of July 2018. This crypto-virus uses AES-256 (CBC mode) and RSA-2048 encryption algorithm to encrypt data and then ads .KRAB appendix to each of the affected files. Soon after that, the malware drops a ransom note CRAB-DECRYPT.txt or KRAB-DECRYPT.txt, which explains to users that the only way to recover data is to pay cybercriminals in Bitcoin cryptocurrency. Security experts found evidence that Romanian-born hackers created the newest variant of the virus.

Although crooks behind previous versions of malware were stopped and file-decrypting tool was created, it is still not the case with GandCrab v4 virus. As the cyber threat is still brand new, security researchers might develop the decryptor in the future. Unfortunately, as of now, recovering your files without the key is almost impossible. Nevertheless, the first step to normal computer operation is GandCrab v4 ransomware removal.

The crypto-malware usually infiltrates machines via contaminated file attachments in spam e-mails, breaks in through a poorly protected RDP,^[2] using software vulnerabilities or via executables found on malicious websites (such as file-sharing or torrent sites). As soon as GandCrab v4 virus enters, it performs a full system scans, looking for files to encrypt. After that, it appends the .KRAB extension to all video, audio, photo, database, image files. Therefore, a picture.jpg is modified to picture.jpg.KRAB and becomes inaccessible.

The key that could unlock files is located on a server which is only reachable to GandCrab v4 cybercrooks. The worst part is that each of the keys is generated separately for each of the infected computers, making it impossible to re-use it. Nevertheless, security researchers^[3] do not recommend paying ransom under any circumstances.

Hackers are known to ignore victims and never send the promised key. Additionally, the bad actors could instead send more malware which could inflict further damage to your machine. Therefore, do not panic if KRAB extension locks your files. Simply download and install Reimage, Plumbytes Anti-Malware, Malwarebytes Anti Malware or any other reputable security software and run a full system scan. This will help you to remove GandCrab v4 ransomware effectively.

Only after elimination procedure, you can attempt file recovery. Unfortunately, the only safe way to get your files back is by using backups (either by using cloud services or a physical external storage device, such as USB stick or an external HDD). Thus, even if you do not think that you could get infected, still back-up your data regularly, as it can save your precious files from destruction.

GandCrab v4 is a non-decryptable crypto-virus that locks up all personal files on the computer and demands ransom in Bitcoins for its release

Avoid opening emails that look or feel suspicious

Contaminated attachments in phishing emails are usually the main culprit of the ransomware infection. Hackers often abuse the fact that users are careless when it comes to computer safety and employ bots to send out thousands of spam emails that may look very believable. As soon as the victim clicks on the malicious attachment, the payload of the virus is executed, and all files are locked. To avoid that, carefully examine emails and do not click any links or on the attachments if you are not 100% sure that they are legitimate.

Other ways dangerous malware can be injected into the machine include:

• Exploit kits;
• Unprotected RDP;
• Using botnets;
• Infected executable files on file-sharing sites and P2P networks;
• Cracked or re-packed software;
• Fake updates, etc.

Remove GandCrab v4 using reputable security software

To remove GandCrab V4 virus safely, you need to employ anti-malware software. Having a reputable security tool installed is mandatory if you want to protect yourself from dangers online. However, if you are still not using any protection, your computer is in imminent danger. Thus, download Reimage, Plumbytes Anti-Malware or Malwarebytes Anti Malware and bring it up to date. If malware is preventing from proper anti-virus program operation, enter Safe Mode with Networking, as explained below.

Only after full GandCrab v4 removal, you can attempt to recover your files. Otherwise, they will get encrypted again. Therefore, if you own a back up of your data, DO NOT CONNECT it before the virus is eliminated. If you do not have a back-up, you can attempt file recovery by using third-party software, which we explain how to apply below.

To remove GandCrab v4 virus, follow these steps:

• Method 1. Remove GandCrab v4 using Safe Mode with Networking
• Method 2. Remove GandCrab v4 using System Restore
• Bonus: Recover your data

 

Remove GandCrab v4 using Safe Mode with Networking

To get rid of GandCrab V4 virus safely, enter Safe Mode with Networking the following way:

• Step 1: Reboot your computer to Safe Mode with Networking
  
  Windows 7 / Vista / XP
  1. Click Start → Shutdown → Restart → OK.
  2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list
  
  Windows 10 / Windows 8
  1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
  2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
     
• Step 2: Remove GandCrab v4

  Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete GandCrab v4 removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

 

Remove GandCrab v4 using System Restore

You can try to eliminate the malware using System Restore:

• Step 1: Reboot your computer to Safe Mode with Command Prompt
  
  Windows 7 / Vista / XP
  1. Click Start → Shutdown → Restart → OK.
  2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  3. Select Command Prompt from the list
  
  Windows 10 / Windows 8
  1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
  2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
• Step 2: Restore your system files and settings
  1. Once the Command Prompt window shows up, enter cd restore and click Enter.
  2. Now type rstrui.exe and press Enter again..
  3. When a new window shows up, click Next and select your restore point that is prior the infiltration of GandCrab v4. After doing that, click Next.
  4. Now click Yes to start system restore.
  Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that GandCrab v4 removal is performed successfully.

 

 

Bonus: Recover your data

Guide which is presented above is supposed to help you remove GandCrab v4 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Although for some paying the ransom seems like a good idea, we do not recommend doing that. Not only can you lose your money but also damage your PC even further. Besides, you will be funding cybercriminals and their malicious acts. Instead, try some alternative solutions be present below.

Use Data Recovery Pro

Data Recovery Pro can be a useful tool when it comes to ransomware-infected files. Although there is a change it won't work, you should try using it.

• Download Data Recovery Pro (https://www.2-spyware.com/download/data-recovery-pro-setup.exe);
• Follow the steps of Data Recovery Setup and install the program on your computer;
• Launch it and scan your computer for files encrypted by GandCrab v4 ransomware;
• Restore them.

 

Recover your files using Windows Previous Versions Feature

This method can only function if you had System Restore feature enabled before the ransomware locked up your files. Besides, only one file at the time can be recovered. Thus, getting back a large amount of data might be impossible.

• Find an encrypted file you need to restore and right-click on it;
• Select “Properties” and go to “Previous versions” tab;
• Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

 

You can try ShadowExplorer

ShadowExplorer can only be useful if the virus left Shadow Volume Copies intact.

• Download Shadow Explorer (http://shadowexplorer.com/);
• Follow a Shadow Explorer Setup Wizard and install this application on your computer;
• Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
• Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

 

Try using GandCrab decryptor

Although there is a low chance that the original decryptor will work, you can still download it and try using it.

 

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GandCrab v4 and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware or Malwarebytes Anti Malware

source

[Archanus]

Very nice tutorial  I will saved it to my phone, if something bad happens