GandCrab 5.1 ransomware (.CRAB files) decryption

Learn what kind of a cyber threat the GandCrab ransomware is, how it attacks computers and how to recover .CRAB files encrypted by this sophisticated infection.

The evolution of cybercrime has reached a point where blackmail viruses aren’t the most widespread menace in the threat landscape. There is also adware and cryptojacking malware that starts dominating this nefarious ecosystem. And yet, ransom Trojans are still alive and kicking. The recent GandCrab ransomware campaign demonstrates how intricate and effective online extortion can get these days. The original variant of this baddie didn’t pan out for the threat actors as a number of European law enforcement agencies seized its Command and Control servers. In the upshot of this move, the early victims got their decryption keys and were able to restore their data without coughing up the ransom. Shortly afterwards, though, the perpetrating program reemerged in a refined, yet more harmful shape.

Inaccessible .CRAB files plus CRAB-DECRYPT.txt ransom note inside a folder

The current version, GandCrab 5.1, is spreading like wildfire across the globe. It stains encrypted files with the .CRAB extension and drops ransom notes named CRAB-DECRYPT.txt. The malefactors in charge of this well-orchestrated campaign leverage a mix of different techniques to deposit their code onto Windows PCs. The main vector is malspam (malicious spam), where would-be preys receive emails masqueraded as some sort of customer support notifications. The ZIP file attached to these messages, when extracted, instantly executes the ransomware binary on the host. The threat actors are also known to be utilizing Office macros for remote code execution. One more method of payload delivery circles around exploit kits that cause users to be infected when they visit a compromised site.

GandCrab Decryptor page indicating current size of the ransom

When aboard a computer, the GandCrab ransomware first scans the local drive and network shares for potentially important data. Once this list has been formed, it establishes connection with its C2 server to obtain RSA public encryption key. If this phase goes smooth, the pest scrambles all personal files using the above-mentioned asymmetric cipher. The .CRAB extension is a byproduct of the data skewing routine, making an arbitrary data item transform from Sample.docx to Sample.docx.CRAB. Every single folder containing ransomed entities will be also complemented with CRAB-DECRYPT.txt ransom manual. This document instructs the victim to visit a specially crafted GandCrab Decryptor page via Tor Browser. An alternate workflow is to contact the attackers directly by means of Jabber messenger.

The data decryption challenge implies submitting a ransom that amounts to $400 worth of cryptocurrency. The victim can select from Dash or Bitcoin as their preferred payment means. The original sum doubles in case the plagued user doesn’t stick with a two-day deadline. The extortionists provide victims with test decryption option allowing them to recover one file for free, just to prove that their decryptor actually works. Instead of going the route imposed by the attackers, though, it’s strongly recommended to give forensic recovery methods a shot first. The sections below provide all the applicable techniques to try and resolve the GandCrab ransomware issue without doing what the crooks want.

GandCrab ransomware removal with automatic cleanup tool

Note: removing the GandCrab blackmail malware is not that hard in itself. In fact, the virus may even self-destruct after the files have been encrypted, leaving the victim face-to-face with the upsetting ransom payment options. Anyway, the ransomware should be removed from the computer as it may get you infected with other cyber threats. An optimal cleaning workflow is to leverage a security application which will identify all potentially malicious software on your computer and handle it the right way. This approach ensures thoroughness of the removal and system remediation, and allows avoiding unintended damage that might occur as a result of manual malware deletion.

1. Download and install GandCrab 5.1 ransomware removal software. Launch it and click the Start New Scan button. Wait for the application to check your computer for threats

For Windows

Download GandCrab 5.1 Ransomware remover

For Windows

2. When the app is done scanning your system, it will come up with an extensive list of detected objects. Click the Fix Threats option to have the utility completely remove this ransomware and affiliated infections found on your PC.

Alternative techniques to recover encrypted .CRAB files

Given that the GandCrab ransomware is an extremely complex and insidious malware, there is no guarantee that the files can be retrieved without submitting the Bitcoin ransom payment. There are some ways, however, that might be of help, even though they rely on a number of variables. Be sure to try the methods below.

1. Data backups
If you have been backing up your information, to the cloud for instance, you’re a lucky person. Just get the data restored using the respective features. It’s too bad not that many people can boast such prudence. All in all, this is the best case scenario.

2. Shadow Volume Copies
Even though the GandCrab ransomware tends to erase all Shadow Volume Copies of files on the compromised workstation, it might not cope with this task. If that’s the case, chances are you can recover your information. Note that this approach is applicable only if you had System Restore activated prior to the infection. Also, the files you can restore this way may not necessarily be the latest versions. Make sure you try one of the following methods though:

  • Take advantage of Previous Versions
    If you right-click a random file on your PC and select Properties in the drop-down menu, you will see the Previous Versions tab at the top of the window. Once you hit that tab, the operating system will display a list of file versions corresponding to the restore points that were made. Select the most recent one and click Copy to restore the file to a new location, or pick Restore to recover it to the directory it was originally in.
    Previous Versions
  • Use ShadowExplorer app
    The routine above can be accomplished with a tool designed specifically to restore Shadow Volume Copies for files and folders. To move on, download ShadowExplorer to your computer, install and launch it. Using the features in the top left-hand part of the GUI, select the drive name and the date. Rick-click on the file or folder you would like to be restored and choose Export.
    ShadowExplorer

3. File recovery tools
This ransomware deletes the original data objects, encrypting their copies instead. Since Windows still stores these eliminated items, which is common knowledge, why not try to recover them using software that was created for this purpose? One of the applications capable of doing this is Data Recovery Pro. Run the tool and see if it can pull your removed data out.

Double-checking never hurts

Last but not least, a quick reminder: the removal of GandCrab ransomware from a compromised system doesn’t mean the files will get decrypted. To try to recover your data, stick to the methods above. That notwithstanding, since the ransomware proper is dangerous it must be exterminated for good. To make sure the virus has been removed, consider running an additional security scan as a completion of the cleanup procedure.

For Windows

Download and install GandCrab 5.1 removal software

For Windows

Leave a Reply

Your email address will not be published. Required fields are marked *