Team OS : Your Only Destination To Custom OS !!


Need Help For Ransomware Gandcrab 5.0.4

Status
Not open for further replies.

narou21

Hello
I need help to decrypt the files infected by the GandCrab 5.0.4 ransomware virus. Is it possible? Thank you.
 

Mirkec

Recently, Bitdefender has presented GandCrab decryptor for v1, v4, and v5, a free tool to recover encrypted files without paying the ransom. Maybe it helps, the full name is Bitdefender GandCrab V1, V4, V5 Decryptor.
 

Power Bot

The Bitdefender tool might not work with the new 5.0.4 or 5.0.5 version, according to some websites I searched via Google, but @Mirkec is totally right: try the tool! I hope it works, and if it doesn't, you can save all your encrypted files onto a "clean" USB storage device ("just save the most important ones"; I say that because you may not have enough space on a USB stick to save it all, but maybe you do). Like I say though, I would make sure nothing else is on the USB stick and just store the encrypted files onto it, then format and install Windows all over, and make sure you use a good antivirus and popup blockers in your browser and all that stuff, a good firewall, etc. Windows Defender does not qualify as a good antivirus; these encryption viruses disable Windows Defender like it is a child's toy. Windows Defender is pretty useless!!!

In the event the tool does not work: eventually a decryption tool will be released "hopefully", and then you can decrypt them from the USB you saved them on. :) Good luck and I hope everything works out.
 

Jonas_Barua

Method 1.

Windows 10 / Windows 8

1. Press the Power button on the Windows logo screen. Now press and hold Shift, located on the keyboard, then click Restart.
2. Now select Troubleshoot → Advanced Options → Startup Settings and then press Restart.
3. When the computer is activated, select Enable Safe Mode with Networking in the Startup Settings window.
Log in to your infected account and start the browser. Download Reimage or another renowned anti-spyware program. Update it before completing the system scan and remove any malicious files that belong to ransomware and finish removing Cerber virus.
If the ransomware program blocks Safe Mode with Networking, try the following method.

Method 2.

1. Press the Power button on the Windows logo screen. Now press and hold Shift, located on the keyboard, then click Restart.
2. Now select Troubleshoot → Advanced Options → Startup Settings and then press Restart.
3. When the computer is activated, select Enable Safe Mode with Command Prompt in the Startup Settings window.
4. When the Command Prompt window appears, type cd restore and press Enter,
5. ... then type rstrui.exe and press Enter again.
6. When a new window appears, click Next and select the restore point before infiltrating Cerber. After you do this, click Next,
7. ... click on Yes to start the system restore.

Once you restore system files and settings to an earlier date, download and scan your computer using Reimage and ensure that removal of Cerber virus has been successfully performed.
Finally, you always have to think about crypto-ransomware protection. To protect your computer from Cerber and other ransomware programs, you must use reputable anti-spyware programs such as Reimage, Malwarebytes, or Plumbytes Anti-Malware.
 

narou21

Thank you for your reply :). I have already removed the malware but I want a tool to decrypt GandCrab 5.0.4 files :cry:
 

Yash Dedhia

Earlier this year in February, Bitdefender released the world’s first decryption tool to help GandCrab ransomware victims get their data back for free. But since then, victims of subsequent versions of GandCrab and its ‘ransomware-as-a-service’ affiliate approach have been reaching out to us for help.

The good news is that now you can have your data back without paying a cent to the cyber-criminals, as Bitdefender has released a free utility that automates the data decryption process. This tool recovers files encrypted by GandCrab ransomware versions 1, 4 and 5. You can recognize this ransomware and its version, by the extension it appends to the encrypted files and/or ransom-note:

  • Version 1: file extension is .GDCB. The ransom note starts with —= GANDCRAB =— (the extension: .GDCB)
  • Version 2: file extension is .GDCB. The ransom note starts with —= GANDCRAB =— (the extension: .GDCB)
  • Version 3: file extension is .CRAB. The ransom note starts with —= GANDCRAB V3 =— (the extension: .CRAB)
  • Version 4: file extension is .KRAB. The ransom note starts with —= GANDCRAB V4 =— (the extension: .KRAB)
  • Version 5: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0 =— (the extension: .UKCZA)
  • Version 5.0.1: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0.2 =— (the extension: .YIAQDG)
  • Version 5.0.2: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0.2 =— (the extension: .CQXGPMKNR)
  • Version 5.0.3: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0.2 =— (the extension: .HHFEHIOL)

In order for this recovery solution to work, you need at least 1 available ransom-note on your PC. The ransom-note is required to recover the decryption key. Please make sure that you do not run a clean-up utility which detects and removes these ransom-notes prior to execution of this tool. The information inside the ransom-notes is essential in the decryption process as it allows us to compute the unique decryption key for your files.

How to use the tool

Step 1: Download the decryption utility provided by Bitdefender and save it somewhere on your computer. Please note that this tool requires an active internet connection. Without this prerequisite the decryption process won’t continue.

This tool REQUIRES an active internet connection as our servers will attempt to reply to the submitted ID with a possibly valid RSA-2048 private key. If this step succeeds, the decryption process will continue.

Step 2: Run the utility – it should be saved on your computer as BDGandCrabDecryptor.exe.

Step 3: Agree to the terms and conditions.

Step 4: Select “Scan Entire System” if you want to search for all encrypted files or just add the path to your encrypted files. We strongly recommend that you also select “Backup files” before starting the decryption process. Then press “Scan”.

Regardless of whether you check the “Backup files” option or not, the decryption tool attempts to decrypt 5 files in the provided path and will NOT continue if decryption is unsuccessful. This extra safety mechanism ensures that the decryption tool has yielded valid files. This approach may not suit testing decryption on 1 or 2 files, or attempting to decrypt files with different extensions.

Step 5: At this point, your files should be decrypted. If you checked the backup option, you will see both the encrypted and the decrypted files. To remove the encrypted files, just search for files matching the extension and remove them in bulk. We do not encourage you to do this unless you have double-checked that your files can be safely opened and there is no trace of damage.

If you encounter any issues, please contact us via the e-mail address provided in the removal tool.

Can you please check with this as instructions provided or contact them through email... I guess that might work for you..
 

SiteWizard

@narou21, can you tell us if this worked out and if it is solved?
Then we can close this thread :)

Otherwise when it is NOT working do the next steps:

Any files that are encrypted with GandCrab V5.0.4/5.0.5 will have a random 5-9 character extension (i.e. .XMMFA, .LUKIZQW, .TKKLKM) appended to the end of the encrypted data filename and leave files (ransom notes) named [random uppercased extension]-DECRYPT.html (i.e. LUKIZQW-DECRYPT, TKKLKM-DECRYPT). Most ransomware will drop a ransom note in every directory/affected folder where data has been encrypted. These notes are often created in multiple file formats (.txt, .html, .png, .bmp, .url) to ensure that the victim can open them and read the ransom demands/instructions.

Unfortunately, files encrypted by GandCrab V5.0.4/5.0.5 are not decryptable at this time without paying the ransom since these versions have been reported by Marcelo Rivero (Malware Intelligence Analyst) to break the BitDefender decryption tool so it will not work....

RansomNoteCleaner created by Demonslay335 (aka Michael Gillespie) can be used to search for (and remove) ransom notes dropped by the malware. Other options include Duplicate File Removers such as SearchMyFiles, Duplicate Cleaner Free, CloneSpy and CCleaner’s Duplicate File Finder.

CryptoSearch created by Demonslay335 (aka Michael Gillespie) and powered by his ID Ransomware (IDR) service can help find files encrypted by a particular ransomware. It will then allow you to copy/move the files to another location for archiving in the event of a possible solution for future decryption. CryptoSearch does not decrypt data. The encrypted files do not contain malicious code so they are safe.

These are some common folder variable locations malicious executables and .dlls hide:
  • %SystemDrive%\ (C:\)
  • %SystemRoot%\ (C:\Windows, %WinDir%\)
  • %UserProfile%\
  • %UserProfile%\AppData\Roaming\
  • %AppData%\
  • %LocalAppData%\
  • %ProgramData%\ / %AllUsersProfile%\
  • %Temp%\ / %AppData%\Local\Temp\
Note: Some folders like %AppData% are hidden by the operating system so you may need to configure Windows to show hidden files & folders.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...

For the Malware Removal and Log Section Preparation Guide: type this in Google and you will find it :)
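
The version check described in the two posts above (ransom-note header, random extension, `[EXT]-DECRYPT` note names), as an added example that is not part of the original posts or of any tool named in this thread. The regexes, the function names and the sample tree are assumptions constructed for illustration, and the two version sets only restate what the thread says about the decryptor.

```python
import re
import tempfile
from pathlib import Path

# Assumed patterns, taken from the thread's description of note names and headers.
NOTE_NAME = re.compile(r"^([A-Z]{4,10})-DECRYPT\.(?:txt|html)$")
NOTE_HEADER = re.compile(r"GANDCRAB(?:\s+V(\d+(?:\.\d+)*))?\s*=", re.IGNORECASE)
TOOL_MAJORS = {1, 4, 5}                    # versions the thread says the tool covers
REPORTED_BROKEN = {(5, 0, 4), (5, 0, 5)}   # versions the thread says break the tool

def verdict(version):
    """Map a parsed version tuple to what the thread says about recovery."""
    if version is None:
        return "ambiguous: v1 or v2"       # header alone cannot tell these apart
    if version[:3] in REPORTED_BROKEN:
        return "no decryptor: archive files and notes"
    return "try decryptor" if version[0] in TOOL_MAJORS else "not covered"

def triage(root):
    """Group ransom notes under root by extension and count encrypted files."""
    root, found = Path(root), {}
    for note in root.rglob("*-DECRYPT.*"):
        name = NOTE_NAME.match(note.name)
        if not name or not note.is_file():
            continue
        # Notes may be UTF-16; dropping NUL bytes keeps the header searchable.
        head = note.read_bytes()[:8192].replace(b"\x00", b"").decode("ascii", "replace")
        header = NOTE_HEADER.search(head)
        if not header:
            continue                       # name matched but it is not a GandCrab note
        ver = header.group(1)
        version = tuple(map(int, ver.split("."))) if ver else None
        rec = found.setdefault(name.group(1), {
            "version": version, "verdict": verdict(version), "notes": []})
        rec["notes"].append(note)          # preserve these: the tool needs one note
    for ext, rec in found.items():
        rec["encrypted"] = sum(p.is_file() for p in root.rglob(f"*.{ext}"))
    return found

def build_sample(root):
    """Constructed sample tree (root is a Path): a 5.0.4 case and a v4 case."""
    (root / "docs").mkdir(parents=True)
    (root / "LUKIZQW-DECRYPT.txt").write_text("---= GANDCRAB V5.0.4 =---\n")
    (root / "docs" / "LUKIZQW-DECRYPT.html").write_text("<pre>---= GANDCRAB V5.0.4 =---</pre>")
    (root / "KRAB-DECRYPT.txt").write_text("---= GANDCRAB V4 =---\n")
    for name in ("docs/report.docx.LUKIZQW", "docs/photo.jpg.LUKIZQW", "old.xls.KRAB"):
        (root / name).write_bytes(b"constructed")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample(Path(tmp) / "case")))
```

The `notes` list in each record gives the ransom-note paths to copy aside before any clean-up utility runs.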
 

Mr. Spacely

@SiteWizard I think this could be a good tutorial for such things.
 

narou21

Thank you for your answer and your solutions. I did not find a solution to decrypt the virus?
 

Mr. Spacely

In that case, the best solution is to reinstall the OS.
 

SiteWizard

Your files are unfortunately encrypted by GandCrab V5.0.4/5.0.5 and for now they are not decryptable.
So the best thing to do is, like @Iceman96 has written here, "Format the HD, kill that partition and make a NEW one",
then reinstall the OS.

Make certain that you have an up-to-date malware program.
 

Mr. Spacely

And I also suggest installing Malwarebytes; it has a built-in ransomware detector :)
 

narou21

Thank you ??? it is done ??. reset file decryption??
 

Mr. Spacely

@Hawkeye You can close this now :)
 

Cumulonimbus

Thread closed.
 