What is GandCrab V5.0.5 Ransomware
Update from October 29, 2018: Version 5.0.5 of GandCrab Ransomware was released soon after BitDefender announced decryption tool for previous versions of GandCrab v5.0 Ransomware. It appends 8 randomly generated letters (in capital letters) as extension to encrypted files, and has slightly modified ransom note. No decryption tool available.
Update from October 14, 2018: Version 5.0.4 of GandCrab Ransomware released. It appends 8 randomly generated letters (in capital letters) as extension to encrypted files, and has slightly modified ransom note. Can be decrypted with BitDefender GandCrab Decryption Tool. Download it below.
Update from October 11, 2018: Version 5.0.3 of GandCrab Ransomware released. It adds 8 randomly generated letters (in lower case) as extension to encrypted files. Content of ransom note was changed. Can be decrypted with BitDefender GandCrab Decryption Tool. Download it below
Update from October 1, 2018: Version 5.0.2 of GandCrab Ransomware released. Affected files get extension in form of 9 randomly generated letters. Ransom note is little bit different from initial v5.0 variation. Can be decrypted with BitDefender GandCrab Decryption Tool. Download it below.
GandCrab V5.0.5 Ransomware is subversion of the fifth generation of high-risk GandCrab Ransomware. Probably, this virus was developed in Russia. This crypto-extortor encrypts user and server data using the Salsa20 algorithm, and RSA-2048 is used for auxiliary key encryption. 5-th version appends .[5-8-7-8-9-random-letters] extension to encrypted files and creates ransom note called [5-6-7-8-9-random-letters]-DECRYPT.txt. Examples of ransom notes: VSVDV-DECRYPT.html, FBKDDP-DECRYPT.html, IKJBAGX-DECRYPT.html, QPJBIKKA-DECRYPT.html. Here is the content of this html-file:
---= GANDCRAB V5.0.5 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .OBKBTXTN
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
---------------------
| 0. Download Tor browser - hxxps://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: hxxp://gandcrabmfe6mnef.onion/113737081e857d00
| 4. Follow the instructions on this page
-----------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
-
---END GANDCRAB KEY---
---BEGIN PC DATA---
-
---END PC DATA---
GandCrab V5.0.5 Ransomware demands $800 ransom in BitCoins or DASH cryptocurrencies for decryption. Using cryptocurrencies and websites hosted in the TOR network makes hackers untraceable. However, often, malefactors deceive users and don’t send keys. Thus, victim won’t recover her/his files, but put credentials at risk on doubtful exchange of cryptocurrencies. After the encryption is complete, it deletes the shadow copies with the command: WMIC.exe shadowcopy delete. Unfortunately, at the moment we write this article, actual specialized decryption tools cannot decrypt GandCrab V5.0.5 Ransomware, but we will still provide links to this utilities as they can be updated by vendors at any day. It is strongly recommended, that users don’t pay ransom and wait for release of decryptor or try recover files using instructions below and suggested file recovery software. Read this tutorial carefully to remove GandCrab V5.0.5 Ransomware and decrypt .[5-random-letters] files in Windows 10, 8/8.1, Windows 7.
How GandCrab V5.0.5 Ransomware infected your PC
One of the most popular way of distribution of GandCrab V5.0.5 Ransomware are e-mail spam campaigns with infectious attachments (as a rule, MS Office documents) that, right after opening, download and run malware on the system. For proliferation, the methods of fraudulent downloads with hacked, unpacked and infected installers of popular programs, games and other software are used. When the user downloads and runs these programs, they install GandCrab V5.0.5 Ransomware on the PC. Also, attackers use hacked sites created on the WordPress platform. Virus assigns certain ID with the victims, that is used to name those files and supposedly to send decryption key. In order to prevent infection with this type of threats in future we recommend you to use SpyHunter 5, HitmanPro with Cryptoguard or any reputable antivirus program.
Download GandCrab V5.0.5 Ransomware Removal Tool
To remove GandCrab V5.0.5 Ransomware completely we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders and registry keys of GandCrab V5.0.5 Ransomware.
How to remove GandCrab V5.0.5 Ransomware manually
It is not recommended to remove GandCrab V5.0.5 Ransomware manually, for safer solution use Removal Tools instead.
GandCrab V5.0.5 Ransomware files:
[8-random-letters]-DECRYPT.html
pidor.bmp
GandCrab V5.0.5 Ransomware registry keys:
HKCU\SOFTWARE\keys_data\data
Mutex added:
Global\8B5BA8B9F369050F5F4C.lock
Global\XlAKFoxSKGOfSGOoSFOOFNOLPE
How to decrypt and restore .[5-6-7-8-9-random-letters] files
Use automated decryptors
Use following tool from BitDefender called BitDefender GandCrab Decryptor, that can decrypt .[5-6-7-8-9-random-letters] files. Download it here:
There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
If you are infected with GandCrab V5.0.5 Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Phoenix Data Recovery Pro to restore .[5-6-7-8-9-random-letters] files
- Download Stellar Phoenix Data Recovery Pro.
- Select location to scan for lost files and click Scan button.
- Wait until Quick and Deep scans finish.
- Preview found files and restore them.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses like GandCrab V5.0.5 Ransomware in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.