GandCrab 5.0.9 Ransomware Removal Guide

Do you know what GandCrab 5.0.9 Ransomware is?

As you can tell by the name of GandCrab 5.0.9 Ransomware, this is not the first version of this malware. On the contrary, there are quite a few variants, some of the latest which are 5.0.6, 5.0.7, and 5.0.8. It is known that some of the earlier versions of this malware were not invincible and, in fact, a free file decryptor was created to assist the victims of this malware. Hopefully, if your files were corrupted by v5.0.9, you can recover them without spending a dime too. Unfortunately, we cannot help you with decryption, but we can help you delete GandCrab 5.0.9 Ransomware. Our team of malware experts has inspected this infection thoroughly, and the removal tips you will find in this report should help you.

Did you execute GandCrab 5.0.9 Ransomware yourself by opening a corrupt spam email attachment? If that did not happen, maybe a malicious loader executed the threat, or maybe an exploit kit was employed? It is hard to say how exactly this threat got in, and it is possible that you will never find out. According to our research team, it is possible that Trojan.Ascentor Loader is the culprit. If that is the case, you need to access the %ALLUSERSPROFILE% directory and delete a malicious .exe file with a random name. Additionally, we recommend scanning the operating system because you want to make sure that no threats stay hidden. A reliable malware scanner will do the job just right.

You are unlikely to notice GandCrab 5.0.9 Ransomware itself until a ransom note file is created. The older versions of the infection, created HTML files to represent the ransom note; however, the later samples create TXT files. “[random]-DECRYPT.txt” is the file that you should face, and the name of this file includes five random characters at the beginning that also match the five random characters added at the end of encrypted files. So, for example, a file named “kitten.jpg” after encryption could be named “kitten.jpg.abcde.” Unfortunately, the extension is not the only thing that changes. GandCrab 5.0.9 Ransomware also changes the data within the file, so as to ensure that victims cannot open it. The purpose is to ensure that the victim would think that paying the ransom is the only option.

At first, GandCrab 5.0.9 Ransomware does not instruct to pay a ransom at all. Instead, the ransom note orders to download and install the anonymous Tor Browser, visit a linked website, and follow the instructions that are available on the said website. Ultimately, a request for a ransom is revealed, and it appears that the initial price is set as $800, but it could go up to $1600. Should you pay it? As we discussed already, the chances are that a free decryptor exists, and so you should look into that first. However, even if it is not possible to decrypt files for free, paying the ransom is a terrible idea. Why? That is because the attackers cannot be trusted to help you in any shape or form.

We cannot point you to the launcher of GandCrab 5.0.9 Ransomware because every victim might find it with a unique name, and even the location could be unique depending on the installation process. The manual removal guide below presents a few locations where the launcher could be found, but we cannot guarantee that you will find it. Due to this, removing GandCrab 5.0.9 Ransomware manually is not the recommended option. Instead, we advise implementing anti-malware software that will erase the treat automatically and will also give you the peace of mind in regards to Windows security.

Delete GandCrab 5.0.9 Ransomware

  1. Kill suspicious process in the Task Manager (tap Ctrl+Shift+Esc keys to access).
  2. Delete recently downloaded files from these directories (tap Win+E keys to launch Explorer and enter the paths below into the field at the top to access them):
    • %USERPROFILE%\Desktop
    • %USERPROFILE%\Downloads
    • %TEMP%
  3. Delete the ransom note files ([random]-DECRYPT.txt).
  4. Empty Recycle Bin.
  5. Install a legitimate malware scanner and initiate a full system scan.

In non-techie terms:

Whether you face GandCrab 5.0.9 Ransomware or an older version of GandCrab Ransomware, you want to initiate removal as soon as possible. Do not worry about the demands made by cyber attackers because, most likely, you can decrypt your personal files for free. If that is not the case, maybe you can replace encrypted files with backup copies stored someplace else. Whatever you do, do not follow the instructions of cyber attackers. Also, do NOT ignore the security issues you are clearly facing. You need to ensure that your operating system is strong and guarded at all times, and reliable anti-malware software can take care of that the best. It even can remove GandCrab 5.0.9 Ransomware automatically, and so we recommend it installing it right away.