Infected with GandCrab 5.0.5 Ransomware? Need to decrypt your files?
What is GandCrab 5.0.5 Ransomware
In this article, we will analyze in detail the GandCrab 5.0.5 whose developers are not standing still and are constantly modifying it. This is part of the GandCrab family (Gandcrab v5.0.4, GANDCRAB V5.0, GANDCRAB 4, GANDCRAB V3, GandCrab2, GandCrab), and this is exactly the cryptovirus is like previous versions, encrypting user files of various formats: video, photo, audio, and other multimedia and much more. It should be noted that the virus deletes all system restore points and shadow copies of files in order to completely exclude the possibility of self-encrypting files. Moreover, it changes the file extension to .[random-5]. Surely files become unusable for further use after encryption. Any attempt to open these files will open a special note file named [random_5]-DECRYPT.txt that contains information about the purchase. Below are the screen and text contained in this note:
—= GANDCRAB V5.0.5 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: {5 random letters}
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
———————————————————————–
| 0. Download Tor browser – https://www.torproject.org/
| 1. Install Tor Browser
| 2. Open Tor Browser
| 3. Open link in TOR browser http://gandcrabmfe6mnef.onion/{victim’s unique ID}
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
• DO NOT MODIFY ENCRYPTED FILES
• DO NOT CHANGE DATA BELOW
As in previous versions, scammers require you to download a special browser and click on the link provided for later payment of the ransom. It is worth noting that the ransom can reach several hundred dollars. Of course, there is no guarantee that the scammers will really return your files to their original state, so we strongly advise you not to pay anything to the attacker. Better to carefully read our recommendations, which we have indicated below.
Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. If you want to decrypt your files, please follow our instruction below or, if you have any difficulties, please contact us: submit@securitystronghold.com. We really can help to decrypt your files.
How GandCrab 5.0.5 infected your PC
Developers change the name of the virus file extension and more, However, the path of penetration of the computer remains unchanged. As a rule, this comes in the form of an attachment to a spam mailing list or as a false update for a program. The main reason for such penetrations is that users very rarely resort to using antiviruses rather than paid versions. Try to use proven antivirus software to prevent the attack of crypto viruses, in particular, GandCrab 5.0.5. In case it has already encrypted your data, then we strongly recommend using our guides to remove this virus on your own and decrypt your files.
First of all, don’t panic. Follow these easy steps below.
1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the GandCrab 5.0.5 virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.
Recommended Solution:
Norton – fully removes all instances of GandCrab 5.0.5 – files, folders, registry keys.
You may find more detailed information about antivirus products in our article – Top 5 Antivirus Software for Windows
Restore your files using shadow copies
- Download and run Stellar Data Recovery.
- Select type of files you want to restore and click Next.
- Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
- Once the scanning process is done, click Recover to restore your files.
Step 2: Remove following files and folders of GandCrab 5.0.5:
Related connections or other entries:
No information
Related files:
No information
How to decrypt files infected by GandCrab 5.0.5?
You can try to use manual methods to restore and decrypt your files.
Decrypt files manually
Restore the system using System Restore
Although latest versions of GandCrab 5.0.5 remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.
- Initiate the search for ‘system restore‘
- Click on the result
- Choose the date before the infection appearance
- Follow the on-screen instructions
Roll the files back to the previous version
Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.
- Right-click the file and choose Properties
- Open the Previous Version tab
- Select the latest version and click Copy
- Click Restore
Protect your computer from ransomware
Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.
Written by Rami Douafi