GandCrab Ransomware Removal Guide

Do you know what GandCrab Ransomware is?

If you find GandCrab Ransomware on your computer, you need to know that it is too late to save your files, as most of them have already been encrypted. All of this is done to extort money from you, hundreds of your hard-earned dollars, in exchange for the private key that would let you recover your encrypted files. Unfortunately, our researchers have not yet found any way for you to restore your files for free. There is also no guarantee that you will receive the private key if you pay. In fact, experience shows that this almost never happens. You are more likely to be hit again by another dangerous threat than to get your files decrypted. This ransomware was programmed in C++ and is one of the more dangerous threats. We advise you to remove GandCrab Ransomware right now if you would like to use your computer again. Please continue reading our article to understand how such a beast may have entered your system without your knowledge, so that you can better defend your PC against the next malicious attack.

Our researchers tested and inspected this ransomware program in our internal lab, and they found that it is mainly distributed by the RIG Exploit Kit. This kit can infect you when your browsers and browser plug-ins, such as Adobe Flash and Java, are not kept up to date. Outdated software lets the kit exploit older security bugs to drop this dangerous infection behind your back. It is also important to know that you can easily land on a malicious page armed with RIG or any other exploit kit if you click on the wrong content on a suspicious page, or when your computer is already infected with malware. You need to be very careful with third-party advertisements on questionable websites associated with gaming, betting, file-sharing, online video streaming, and porn, because these are generally the ones that tend to promote potentially unsafe third-party content. One click is enough to get redirected to a malicious page that can infect you with this ransomware or any other. Remember that this mistake may cost you all your important files. Even if you delete GandCrab Ransomware in the end, it does not mean that your encrypted files will be decrypted.

[Figure: GandCrab Ransomware screenshot]

It is also possible to infect your system with this malware after opening a spam e-mail attachment. The attachment may be disguised as a picture or a text document and claim to contain vital information about an urgent matter. Of course, this alleged matter is made up, but there may be no way of telling when you find the message in your inbox or even in your spam folder. The mail can look entirely harmless and authentic based on its sender and subject line. What is more, there is a sense of urgency to open it: you may not believe your eyes, yet you will want to look out of pure curiosity. The attachment will not get you far, since the whole matter (e.g., an unpaid invoice, wrong credit card details, a problematic online booking) is fake. However, by the time you realize that the attached file is not what it claims to be, you have already launched this dangerous attack. This also means that even if you delete GandCrab Ransomware as fast as you can, it will not be fast enough to save your files from encryption.

It seems that this ransomware program is mostly spreading in South Korea, the USA, China, and Russia. When you run the malicious executable, it first creates a copy of itself at "%APPDATA%\Microsoft\wngtom.exe", from which it operates. It also creates a Run registry entry ("HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce::[random string]") so that it launches automatically whenever Windows starts. This ensures that your newly created or saved files get encrypted as well.

This malware infection applies the good old AES algorithm and targets hundreds of file extensions to cause as much damage as possible. The encrypted files receive a ".GDCB" extension. The ransom note ("GDCB-DECRYPT.txt") is dropped in every folder where this beast takes hostages. In addition, it creates a startup entry in "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" containing this note so that it is displayed at every system startup. The note instructs you to visit a website, preferably using the Tor browser. That site contains the payment information. You have to transfer 1.5 DASH, which is around 660 USD at the moment, to a given address within 4 and a half days, or else the price doubles. As we have already said, we do not advise you to pay, although it is obviously your choice to make. We recommend that you remove GandCrab Ransomware right away.

If you have made up your mind, you can follow our instructions below to successfully eliminate this dangerous ransomware program. But it is also possible that you do not have the necessary skills to manually hunt down such a threat. Therefore, we recommend that you install a professional anti-malware application, such as SpyHunter, to automatically defend your PC against current and future malicious attacks as well.

Remove GandCrab Ransomware from Windows

  1. Tap Win+R and type regedit. Hit Enter.
  2. Delete the "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce::[random string]" Run registry value name.
  3. Close the editor.
  4. Tap Win+E.
  5. Delete the malicious executable file you saved from the spam or other ways. (Check all your default download folders for suspicious files.)
  6. Delete "%APPDATA%\Microsoft\wngtom.exe".
  7. Bin every ransom note ("GDCB-DECRYPT.txt") from the affected folders, including "%ALLUSERSPROFILE%\Start Menu\Programs\Startup".
  8. Empty the Recycle Bin and reboot your PC.
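The checks behind steps 1 to 7, as an added PowerShell triage script that is not part of the original guide: it looks for the indicators described above (a RunOnce value pointing at wngtom.exe, the dropped copy in %APPDATA%, the ransom notes including the Startup copy, and the number of .GDCB files) and removes only the first three when run with -Remove. The paths and names are taken from the article; matching the RunOnce value on its data rather than on its random name is an assumption, and the encrypted files are deliberately left in place in case a decryptor becomes available.

```powershell
param([switch]$Remove)   # without -Remove the script only reports what it finds

# Indicators as described in the article (the RunOnce value name itself is random)
$runOnce  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$dropped  = Join-Path $env:APPDATA 'Microsoft\wngtom.exe'
$startup  = Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'
$noteName = 'GDCB-DECRYPT.txt'
$findings = @()

# 1. RunOnce persistence: match on the value data because the name is random (assumption)
if (Test-Path $runOnce) {
    foreach ($p in (Get-ItemProperty -Path $runOnce).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'wngtom\.exe') {
            $findings += "RunOnce value '$($p.Name)' -> $($p.Value)"
            if ($Remove) { Remove-ItemProperty -Path $runOnce -Name $p.Name -Force }
        }
    }
}

# 2. Dropped copy: record its hash for the incident report, stop it if running, then delete
if (Test-Path $dropped) {
    $sha = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += "Dropped copy present: $dropped (SHA256 $sha)"
    if ($Remove) {
        Get-Process -Name 'wngtom' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -Path $dropped -Force
    }
}

# 3. Ransom notes in the profile and the all-users Startup folder (the Startup copy re-shows the note at logon)
$notes = @(Get-ChildItem -Path $env:USERPROFILE, $startup -Recurse -Force -Filter $noteName -ErrorAction SilentlyContinue)
if ($notes.Count -gt 0) {
    $findings += "$($notes.Count) ransom note(s) named $noteName"
    if ($Remove) { $notes | Remove-Item -Force }
}

# 4. Encrypted files are only counted, never deleted: keep them in case a decryptor appears later
$encrypted = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Filter '*.GDCB' -ErrorAction SilentlyContinue)
if ($encrypted.Count -gt 0) {
    $findings += "$($encrypted.Count) file(s) with the .GDCB extension (left in place)"
}

if ($findings.Count -eq 0) { 'No GandCrab indicators from the article were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it once without -Remove to review the findings, then again with -Remove from an elevated PowerShell window, and finish with step 8 (empty the Recycle Bin and reboot).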

In non-techie terms:

GandCrab Ransomware can be your biggest nightmare, as this vicious ransomware program can encrypt files of hundreds of different extensions once it crawls onto your system without your noticing. Unlike most other ransomware infections, this one demands that the ransom be paid in DASH. The fee can be hundreds of dollars, even approaching a thousand depending on the current exchange rate. Are your files worth that much to you? Well, the truth is, even if they are, you should consider the plain fact that cyber criminals rarely keep their word. In other words, there is no guarantee that you will get the private key to recover your files. We advise you to remove GandCrab Ransomware as soon as you notice it on board. Hopefully, you now understand why it is safer to keep a backup on a removable hard disk or in the cloud. If you want proper protection for your PC, we suggest that you install a trustworthy anti-malware program right now.