Initial Inspection Report on GandCrab2 Ransomware
Threat’s Name | GandCrab2 Ransomware |
Type | Crypto virus, Ransomware |
Variant of | GandCrab |
Risk Level | High |
Affected Computers | Windows OS |
File Extension | .CRAB |
Ransom Note | CRAB-DECRYPT.txt |
Redirects Victims to | TOR site |
Description | GandCrab2 Ransomware is another most aggressive ransomware infection that aims to encrypts user’s all crucial data and extorts money from victims. |
Occurrences | via RIG exploit kit, spam campaigns, torrent files, malvertising sites, malspam, bundling method, contaminated devices etc. |
Removal | Possible, download free scanner to find out and delete GandCrab2 Ransomware attack. |
GandCrab2 Ransomware – Another Version of GandCrab
These days, the security headlines are flooded with an alert about the new aggressive form of ransomware named GandCrab2 Ransomware. It is a newer version of GandCrab Ransomware which also known as GandCrab V2. Like its predecessor, it uses too much complex algorithm to encrypt user’s stored files. Doesn’t matter what OS you are using because this ransomware is capable to infect all System executing on Windows based Operating System. The locked file of such a ransomware can be easily notified by Computer users because it actually renamed the original filename by appending .CRAB file extension. Once performing the encryption procedure successfully, it generate a ransom note in text file entitled as “CRAB-DECRYPT.txt” which can be seen as below :
No Need To Believe on Ransom Message of GandCrab2 Ransomware
After displaying ransom note, GandCrab2 Ransomware often leads its victims to the TOR site which usually contains instructions for victims what they have actually to do to unlock files. Keep a point in your mind the the original version of GandCrab ransomware demanded the 1200 USD in the Dash coins whereas this version of ransomware asks victims to pay 500 USD in Dash coins. Before making contact with the creators of GandCrab2 Ransomware, you must know that ransom note is developed by ransomware developers to maximize the profit. According to it’s creators, GandCrab2 Ransomware can be decrypted using the GandCrab decryptor which is available at NoMoreRansom. On NoMoreRansom, hackers provide a link to the decryption tutorial and scare people by falsely claims. Therefore, it is highly advised by security analysts that victims must get rid of GandCrab2 Ransomware rather contacting with cyber criminals.
Transmission Preferences of GandCrab2 Ransomware
Likewise its predecessor, GandCrab2 Ransomware is also spread via malvertising campaigns that leads victims to the RIG exploit kit. The developers of such a malware infection uses combination of two exploit kits including RIG and GrandSoft. Generally hackers exposed to exploit kits by sending the malicious emails with the infected .doc attachments. At the first sight, Spam emails may mimics as a trusted one but when users open them intentionally or unintentionally their System automatically lead to such a notorious infection. Therefore, it is highly advised by security analysts that System users must not open any spam message that come to their inbox from unverified sources or unknown person.
Free Scan your Windows PC to detect GandCrab2 Ransomware
Remove GandCrab2 Ransomware From Your PC
Step 1: Remove GandCrab2 Ransomware in Safe Mode with Command Prompt
- First of all disconnect your PC with network connection.
- Click restart button and keep pressing F8 key regularly while system restart.
- You will see “Windows Advanced Options Menu” on your computer screen.
- Select “Safe Mode with Command Prompt” and press Enter key.
- You must login your computer with Administrator account for full privilege.
- Once the Command Prompt appears then type rstrui.exe and press Enter
- Now follow the prompts on your screen to complete system restore.
Step 2: Remove GandCrab2 Ransomware using MSConfig in Safe Mode:
- Power off your computer and restart again.
- While booting press the “F8 key” continuously to open “Windows Advanced Options Menu”.
- Use the arrow keys to select “Safe Mode” option and press Enter key.
- Once system get started go to Start menu. Type “msconfig” in the search box and launch the application.
- Go to the Startup tab and look for files from %AppData% or %Temp% folders using rundll32.exe. See an example below:
C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1
- Disable all the malicious entries and save the changes.
- Now restart your computer normally.
Step 3 : Kill Malicious Process Related To GandCrab2 Ransomware
- Press Alt+Ctrl+Del buttons together.
- It will open the Task manager on your screen.
- Go to Process Tab and find GandCrab2 Ransomware related process.
- Click the End Process Now button to stop the running process.
Step 4 : Remove GandCrab2 Ransomware Virus From Registry Entry
- Press “Windows + R” key together to open Run Box.
- Type “regedit” and click OK button.
- Find and remove GandCrab2 Ransomware related entries.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Now hopefully you have completely removed the GandCrab2 Ransomware virus from your computer. If you are still get ransom message from the threat or unable to access your files, then it means that virus still remain into your computer. In such situation you don’t have any other option except removing this virus using any powerful malware removal tool.
Whereas if you have any backup of your infected or encrypted files, then you can also reinstall your Windows OS. This will erase all your files and data as along with the GandCrab2 Ransomware infection. You will get a completely empty computer system with no files. Now you can use your backup to get your files. If you don’t have any backup then using malware removal tool is a better option for you.
If you have any query or question regarding your computer, then you can easily ask your problem to our experts. Go to the Ask Any Question page and get the answer for your query directly from out experts.