Depending on how GandCrab Ransomware slithers into your operating system, it might create a copy of itself. Our malware researchers found that copy in the %APPDATA%\Microsoft\ folder under the name “wngtom.exe,” with an autostart entry created in the Windows Registry (in HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce) so that it launches again at the next logon. The infection also checks whether any of 38 processes (e.g., synctime.exe, excel.exe, outlook.exe, powerpnt.exe, or wordpad.exe) are running and terminates them, which frees the files those programs hold open so that they can be encrypted too. GandCrab Ransomware can also record information about your operating system and your user identity (e.g., IP address, PC username, language, date of encryption, and the list of encrypted files). Once all is set in place, the infection starts encrypting files. They are encrypted using the AES algorithm, and the “.GDCB” extension is appended to their names. According to our research, the infection targets more than 400 different file types (e.g., .doc, .zip, .pdf, .jpeg, and .avi). At the time of writing, most victims are located in South Korea, but the infection spreads outside of this country too, and all victims are dealing with the same issues, including ransomware removal.
GandCrab Ransomware drops a file named “GDCB-DECRYPT.txt.” You will find copies of it all over your operating system, but the most important one is dropped into the Startup folder to ensure that you see it as soon as you restart the computer. This file is the ransom note. According to it, you need to download Tor Browser and visit one of five pages on http://gdcbghvjyqy7jclk.onion for further instructions. A warning attached to the message claims that your files will be deleted if you try using an alternative decryption key or modifying your files on your own. The instructions on the page set up by the ransomware creator state that you can obtain a file decryption key only if you send 1.5 DASH (around $1200 at the time of writing) to XyQPEUnmKZLUicTYNKnDfEMhiMkAj9Q1pa (a DASH address). You are given 4 days and 12 hours to make the payment. It does not matter how much time you are given or what sum is requested because, ultimately, you should NOT pay the ransom at all. Cyber criminals promise a decryption key, but there is no guarantee you will ever receive it, so instead of wasting your energy on that, figure out how to remove GandCrab Ransomware.
It is very important that you remove GandCrab Ransomware from your operating system as soon as possible because it is already clear that this infection can record data and transfer information over the Internet. Removing the infection does not decrypt your files, and without the attackers' key you most likely will not be able to recover them (unless you have external backups), so you need to accept that and rush to eliminate the threat. You might be able to delete GandCrab Ransomware manually following the steps shown below, but it is much better if you install an anti-malware program. If it is legitimate, trustworthy, and up-to-date, it will automatically erase the ransomware from your system in no time. If other threats exist, they will be eliminated too. Keep in mind that such a program detects and removes malicious files and autostart entries; it does not replace keeping Windows and your applications patched or maintaining offline backups. If this program is kept active and updated, malware is far less likely to slither in again.
N.B. If GandCrab Ransomware was launched using a malicious .exe file, you must locate and delete it. If you cannot do it yourself, use an automated anti-malware program.
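The indicators described above (the dropped copy, its RunOnce value, the ransom note, and the .GDCB extension) can be checked on a suspect machine with a short PowerShell triage script. This is an added example for readers of this article, not code from GandCrab or from any removal tool; it assumes the paths and names reported here (%APPDATA%\Microsoft\wngtom.exe, HKCU RunOnce, GDCB-DECRYPT.txt, *.GDCB) and the MD5 listed in the file table. By default it only reports; the -Remove switch stops the process and deletes the copy and its autostart value, and it never touches the encrypted files themselves.

```powershell
# Added triage script for the GandCrab indicators discussed in this article.
# Not part of the original page or of the malware; read-only unless -Remove is given.
# Assumed indicators: dropped copy at %APPDATA%\Microsoft\wngtom.exe, persistence as a
# RunOnce value under HKCU, ransom note GDCB-DECRYPT.txt, encrypted files ending in .GDCB.
param(
    [switch]$Remove,                                # delete the dropped copy and its RunOnce value
    [string[]]$ScanRoots = @($env:USERPROFILE)      # where to look for notes and .GDCB files
)

$KnownMd5   = '6866D8D8BF8565D94E0E1479978CF1E5'    # MD5 from the file table on this page
$DropPath   = Join-Path $env:APPDATA 'Microsoft\wngtom.exe'
$RunOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$NoteName   = 'GDCB-DECRYPT.txt'
$StartupDir = [Environment]::GetFolderPath('Startup')
$findings   = @()

# 1. Dropped copy: existence, size and MD5 compared with the known sample.
if (Test-Path -LiteralPath $DropPath) {
    $hash  = (Get-FileHash -LiteralPath $DropPath -Algorithm MD5).Hash
    $size  = (Get-Item -LiteralPath $DropPath).Length
    $match = if ($hash -eq $KnownMd5) { 'matches known sample' } else { 'hash differs (possible variant)' }
    $findings += "Dropped copy present: $DropPath ($size bytes, MD5 $hash, $match)"
}

# 2. Persistence: any RunOnce value whose data references wngtom.exe.
$runOnceHits = @()
if (Test-Path $RunOnceKey) {
    $props = Get-ItemProperty -Path $RunOnceKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }         # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match 'wngtom\.exe') {
            $runOnceHits += $p.Name
            $findings += "RunOnce persistence: $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Ransom note in the Startup folder (shown at next logon) and note/.GDCB counts under the scan roots.
if (Test-Path -LiteralPath (Join-Path $StartupDir $NoteName)) {
    $findings += "Ransom note in Startup folder: $(Join-Path $StartupDir $NoteName)"
}
$notes = @(Get-ChildItem -Path $ScanRoots -Recurse -Filter $NoteName -File -ErrorAction SilentlyContinue)
$gdcb  = @(Get-ChildItem -Path $ScanRoots -Recurse -Filter '*.GDCB' -File -ErrorAction SilentlyContinue)
$findings += "Ransom notes found: $($notes.Count); encrypted (.GDCB) files found: $($gdcb.Count)"

# 4. Optional cleanup of the running copy, the dropped file and its autostart entry.
#    Encrypted files are left alone; they need a key or a backup, not deletion.
if ($Remove) {
    Get-Process -Name 'wngtom' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($name in $runOnceHits) {
        Remove-ItemProperty -Path $RunOnceKey -Name $name -ErrorAction SilentlyContinue
        $findings += "Removed RunOnce value: $name"
    }
    if (Test-Path -LiteralPath $DropPath) {
        Remove-Item -LiteralPath $DropPath -Force
        $findings += "Deleted dropped copy: $DropPath"
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it first without -Remove and save the output; a hash that differs from the listed MD5 means a different build, so the file should be kept for analysis rather than deleted blindly. Re-run it after cleanup to confirm the RunOnce value and the copy are gone, and then run a full anti-malware scan, because the original dropper (L4 above) may live somewhere other than the %APPDATA% copy.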
| # | File Name | File Size (Bytes) | File Hash |
|---|-----------|-------------------|-----------|
| 1 | wngtom.exe | 235520 | MD5: 6866d8d8bf8565d94e0e1479978cf1e5 |

| # | Process Name | Process Filename | Main module size |
|---|--------------|------------------|------------------|