GandCrab Ransomware Removal Guide

Threat Level: 9/10
Category: Trojans

Your most precious personal files could be corrupted by GandCrab Ransomware if you are not careful enough. This malware does not just appear on an operating system; the victim is usually involved in its execution. Was the threat executed via a malicious file that you opened yourself, for example a spam email attachment? Maybe this file was hidden among other malicious components in a software bundle that you carelessly downloaded? If this file exists, you must remove it as soon as possible. If you are lucky, you could even erase this file before the malicious threat starts encrypting files. Unfortunately, the RigEK exploit kit can distribute this infection too, in which case you are unlikely to recognize it. The exploit kit loads the malware payload when you visit a particular website, after which JavaScript is used to check for vulnerable plug-ins. If any exist, they are exploited to execute the infection. Once that is done, you are unlikely to stop the threat in time. Most likely, you will realize that you need to delete GandCrab Ransomware only after you find your personal files encrypted.

Depending on how GandCrab Ransomware slithers into your operating system, it might create a copy of itself. Our malware researchers found the copy to be placed in the %APPDATA%\Microsoft\ folder. The name of the copy was “wngtom.exe,” and it had a point of execution created in the Windows Registry (in HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce). The infection also scans to check whether any of 38 processes (e.g., synctime.exe, excel.exe, outlook.exe, powerpnt.exe, or wordpad.exe) are active; if any are, they are terminated. GandCrab Ransomware can also record information about your operating system and your user identity (e.g., IP address, PC username, language, date of encryption, and the encrypted files). Once all is set in place, the infection starts encrypting files. They are encrypted using the AES algorithm, and the “.GDCB” extension is added to their names. According to our research, the infection corrupts over 400 different types of files (e.g., .doc, .zip, .pdf, .jpeg, and .avi). You are most likely to discover your files encrypted if you live in South Korea, but, of course, the infection spreads outside of this country too, and all victims are dealing with the same issues, including ransomware removal.

GandCrab Ransomware drops a file named “GDCB-DECRYPT.txt.” You will find it all over your operating system, but most importantly it is dropped into the Startup folder to ensure that you are introduced to it when you restart the computer. This file is the ransom note, according to which you need to download Tor Browser and visit one of five pages on http://gdcbghvjyqy7jclk.onion for further instructions. A warning attached to the message suggests that your files would be deleted if you tried using an alternative decryption key or modifying your files on your own. The instructions on the page set up by the ransomware creator suggest that you can obtain a file decryption key only if you send 1.5 DASH – which is around $1200 – to XyQPEUnmKZLUicTYNKnDfEMhiMkAj9Q1pa (DASH address). You are given 4 days and 12 hours to make the payment. It does not matter how much time you have got or what kind of sum is requested because, ultimately, you should NOT pay the ransom at all. Cyber criminals promise a decryption key, but it will not be given to you, and so instead of wasting your energy on that, figure out how to remove GandCrab Ransomware.

It is very important that you remove GandCrab Ransomware from your operating system as soon as possible because it is already clear that this infection can record data and transfer information over the Internet. If you are hesitating because you want to recover your files first, you most likely will not be able to (unless your files are protected using external backups), so you need to get over that and rush to eliminate the threat. You might be able to delete GandCrab Ransomware manually by following the steps shown below, but it is much better if you install an anti-malware program. If it is legitimate, trustworthy, and up-to-date, it will automatically erase the ransomware from your system in no time. If other threats exist, they will be eliminated too. Most importantly, this program will detect any security backdoors and patch them right up. If this program is active, malware will not slither in again.

How to delete GandCrab Ransomware

  1. Simultaneously tap Win+E to launch Windows Explorer.
  2. Enter %ALLUSERSPROFILE%\Start Menu\Programs\Startup into the bar at the top.
  3. Right-click and Delete the file named GDCB-DECRYPT.txt (eliminate all copies of this file).
  4. Enter %APPDATA%\Microsoft\ into the bar at the top.
  5. Right-click and Delete the malicious {unknown name}.exe file (could be wngtom.exe).
  6. Simultaneously tap Win+R to launch the RUN dialog box.
  7. Type regedit.exe into the box and then click OK to launch Registry Editor.
  8. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  9. Right-click and Delete the {random name} value that is linked to the file deleted in step 5.
  10. Empty Recycle Bin and then immediately run a full system scan using a reliable malware scanner.

N.B. If GandCrab Ransomware was launched using a malicious .exe file, you must locate and delete it. If you cannot do it yourself, use an automated anti-malware program.
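As an added example that is not part of the original guide, the following PowerShell script performs read-only checks for the indicators this page describes: the ransom note in the Startup folders, executables in %APPDATA%\Microsoft\ hashed against the MD5 from the file table below, RunOnce values whose command line points into that folder, and files already carrying the .GDCB extension. It assumes the paths and hash exactly as the page gives them, and it deletes nothing; a hit tells you which manual step above applies.

```powershell
# Added example, not code from the original guide. Read-only triage for the
# GandCrab indicators this page describes; it reports and deletes nothing.
# Assumption: the MD5 is the one from the page's file table.
$KnownMd5   = '6866d8d8bf8565d94e0e1479978cf1e5'
$DropDir    = Join-Path $env:APPDATA 'Microsoft'
$RunOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$Findings   = @()

# 1. Ransom note in Startup folders. The guide's %ALLUSERSPROFILE% path is the
#    legacy layout; current Windows resolves the Startup folders via .NET, so
#    all three locations are checked.
$StartupDirs = @(
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
foreach ($dir in $StartupDirs) {
    $note = Join-Path $dir 'GDCB-DECRYPT.txt'
    if (Test-Path -LiteralPath $note) { $Findings += "Ransom note present: $note" }
}

# 2. Executables dropped into %APPDATA%\Microsoft\, hashed against the known MD5.
$exes = Get-ChildItem -LiteralPath $DropDir -Filter '*.exe' -File -ErrorAction SilentlyContinue
foreach ($exe in $exes) {
    $md5 = (Get-FileHash -LiteralPath $exe.FullName -Algorithm MD5).Hash.ToLower()
    $tag = if ($md5 -eq $KnownMd5) { 'MATCHES known GandCrab sample' } else { 'unexpected .exe, review' }
    $Findings += "$($exe.FullName) ($($exe.Length) bytes, MD5 $md5): $tag"
}

# 3. RunOnce values whose command line points into the drop directory.
if (Test-Path -LiteralPath $RunOnceKey) {
    $props = Get-ItemProperty -LiteralPath $RunOnceKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties PowerShell adds to the object.
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        if ("$($p.Value)" -like "*$DropDir*") {
            $Findings += "RunOnce value '$($p.Name)' launches: $($p.Value)"
        }
    }
}

# 4. Files already carrying the .GDCB extension under the current user profile.
$enc = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -Filter '*.GDCB' -File -ErrorAction SilentlyContinue
if ($enc) { $Findings += "$(@($enc).Count) file(s) with the .GDCB extension under $env:USERPROFILE" }

if ($Findings.Count -eq 0) { 'No GandCrab indicators from this guide were found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it from a normal (non-elevated) PowerShell session as the affected user, since the RunOnce key and %APPDATA% path are per-user.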



GandCrab Ransomware technical info for manual removal:

Files Modified/Created on the system:

#   File Name    File Size (Bytes)   File Hash
1   wngtom.exe   235520 bytes        MD5: 6866d8d8bf8565d94e0e1479978cf1e5

Memory Processes Created:

#   Process Name   Process Filename   Main module size
1   wngtom.exe     wngtom.exe         235520 bytes
