How to remove GANDCRAB 5.2 Ransomware and recover files


What is GANDCRAB 5.2 ransomware

GANDCRAB 5.2 is a new type of the widespread and destructive GandCrab ransomware. The virus shows no sign of winding down: it is still circulating on the internet, infecting hundreds of victims a day. GANDCRAB 5.2 uses strong encryption algorithms to make all of the victim’s data unreadable. Every user has valuable data stored on a computer, whether it is something of personal value or important work documents. That is why this criminal scheme still exists: it is quite profitable for cyber crooks, because a lot of people rush to pay for decryption to unlock their data and get those files back. Still, we should warn you that there is no guarantee that you will get the decryption key after the payment, which is in fact quite large: 2400$ in BitCoins. If you are a victim of the GANDCRAB virus, you may use this guide to remove GANDCRAB 5.2 Ransomware and restore your files.


GANDCRAB 5.2 uses the Salsa20 and RSA-2048 encryption algorithms to encode a victim’s personal data. Encrypted data is not accessible, and the user can’t open or run encrypted files. The virus may encipher all the important files: any kind of documents (like MS Office), photos, videos, audio files, email files and so on. The cyber criminals then offer a simple deal: 2400$ in cryptocurrency (in this particular case BitCoins or DASH) for decryption (the reverse of encryption). You may find this offer in any ransom note of this virus. Here’s an example of infected files:

[Image: example of files encrypted by GANDCRAB 5.2]

The ransomware will drop a [random characters and numbers]-DECRYPT.html file (for example, DUCUEYUAV-DECRYPT.html). Here is its content:

[Image: contents of the -DECRYPT.html ransom note]

The virus will also change the desktop wallpaper to pidor.bmp, which carries a blackmail message:


ENCRYPTED BY GANDCRAB 5.2
DEAR %Username% YOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE.
IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR
For further steps read DUCUEYUAV-DECRYPT.html that is located in every encrypted folder.

Important note: To infect its victims, GANDCRAB 5.2 relies on fraudulent downloads: hacked, repacked (RePack) and infected installers of popular programs, games and other software. When users download and run any of these infected programs, they install GANDCRAB 5.2. We must also warn you that cyber criminals usually do not answer their victims, which is why it is quite risky to spend a large sum on the ransom.

Here’s the list of extensions that GANDCRAB 5.2 ransomware will encrypt:

.cat, .csv, .db, .doc, .gif, .htm, .ico, .inf, .ini, .jpg, .png, .ppt, .sam, .shw, .txt, .url, .xls, .xml, .wav, .wb2, .wk4, .wpd, .wpg
These are MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives and so on.

Be cautious

It is common knowledge that most ransomware viruses use spam emails as a method of distribution. Cyber criminals hide their viruses in email messages with infected attachments, so that their victims will voluntarily open them, making the infiltration process much easier. That’s why we strongly recommend not opening any suspicious or shady attachments in emails from unknown senders. Cyber crooks make use of anything that can push a user to open such an email: fake memos, messages from big and trusted shops like Amazon or Ebay, congratulation letters about winning some expensive gadget or a big sum of money, and so on. For example, here is the letter that a victim of GANDCRAB may receive (German version):

[Image: example spam email, German version]

There are two solutions to this problem. The first is to use a special Removal Tool. Removal Tools delete all instances of malware in a few clicks and help the user save time. Alternatively, you can use the Manual Removal Guide, but you should know that it might be very difficult to remove GANDCRAB 5.2 ransomware manually without a specialist’s help.

GANDCRAB 5.2 Removal Guide

  1. Download GANDCRAB 5.2 Removal Tool.
  2. Remove GANDCRAB 5.2 from Windows (7, 8, 8.1, Vista, XP, 10) or Mac OS (Run system in Safe Mode).
  3. How to restore files
  4. How to protect PC from future infections.

How to remove GANDCRAB 5.2 ransomware automatically:

Thor Home

Thor Home may help you to get rid of this virus and clean up your system. In case you need a proper and reliable antivirus, we recommend that you try it.

Windows compatible

Manual GANDCRAB 5.2 Removal Guide

Here are step-by-step instructions on how to remove GANDCRAB 5.2 from Windows and Mac computers. Follow these steps carefully and remove the files and folders belonging to GANDCRAB 5.2. First of all, you need to run the system in Safe Mode. Then find and remove the relevant files and folders.

Uninstall GANDCRAB 5.2 from Windows or Mac

Here is the list of files and registry keys confirmed to be related to the ransomware. You should delete them in order to remove the virus; however, it would be easier to do it with our automatic removal tool. The list:

-DECRYPT.html
%s-DECRYPT.html
%s-DECRYPT.txt
XMMFA-DECRYPT.html
IBAGX-DECRYPT.html
QIKKA-DECRYPT.html
KRAB-DECRYPT.html
KRAB-DECRYPT.txt
CRAB-DECRYPT.txt
pidor.bmp
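To locate these files before deleting anything, the following added example (not part of the original guide or of any removal tool) walks a folder tree read-only and lists every folder that contains a file matching the names above. The function names and the sample tree are assumptions made for the illustration; the name patterns come from the list above.

```python
import os
import re
import tempfile
from collections import defaultdict

# Name patterns from the list above: <random>-DECRYPT.html/.txt and pidor.bmp.
NOTE_RE = re.compile(r"^[A-Za-z0-9]*-DECRYPT\.(html|txt)$", re.IGNORECASE)
WALLPAPER = "pidor.bmp"

def find_artifacts(root):
    """Walk root without modifying it; return {folder: sorted matching names}."""
    hits = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name) or name.lower() == WALLPAPER:
                hits[folder].append(name)
    return {folder: sorted(names) for folder, names in hits.items()}

def build_sample_tree(root):
    """Constructed sample data: two folders with notes, one clean folder."""
    layout = {
        "Documents": ["DUCUEYUAV-DECRYPT.html", "report.doc"],
        "Pictures": ["KRAB-DECRYPT.txt", "pidor.bmp", "holiday.jpg"],
        # A harmless look-alike name that must not be reported.
        "Music": ["track.wav", "how-to-decrypt-notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

def demo():
    """Run the scan over the constructed tree; keys are folder base names."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = find_artifacts(root)
        return {os.path.basename(f): names for f, names in found.items()}

if __name__ == "__main__":
    for folder, names in sorted(demo().items()):
        print(folder, "->", ", ".join(names))
```

Because the wallpaper text says the note is placed in every encrypted folder, the folders reported by `find_artifacts` also serve as an inventory of where encrypted files are likely to be.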

Windows 7/Vista:

  1. Restart the computer;
  2. Press Settings button;
  3. Choose Safe Mode;
  4. Find programs or files potentially related to GANDCRAB 5.2 by using Removal Tool;
  5. Delete found files;

Windows 8/8.1:

  1. Restart the computer;
  2. Press Settings button;
  3. Choose Safe Mode;
  4. Find programs or files potentially related to GANDCRAB 5.2 by using Removal Tool;
  5. Delete found files;

Windows 10:

  1. Restart the computer;
  2. Press Settings button;
  3. Choose Safe Mode;
  4. Find programs or files potentially related to GANDCRAB 5.2 by using Removal Tool;
  5. Delete found files;

Windows XP:

  1. Restart the computer;
  2. Press Settings button;
  3. Choose Safe Mode;
  4. Find programs or files potentially related to GANDCRAB 5.2 by using Removal Tool;
  5. Delete found files;

Mac OS:

  1. Restart the computer;
  2. Press and hold the Shift button before the system loads;
  3. Release the Shift button when the Apple logo appears;
  4. Find programs or files potentially related to GANDCRAB 5.2 by using Removal Tool;
  5. Delete found files;

How to restore encrypted files

You can try to restore your files with special tools. You may find more detailed info on data recovery software in this article – recovery software. These programs may help you to restore files that were infected and encrypted by ransomware.

Restore data with Stellar Data Recovery

This program can restore the encrypted files. It is easy to use and very helpful.

  1. Download and install Stellar Data Recovery
  2. Choose drives and folders with your data, then press Scan.
  3. Select all the files in a folder, then click on Restore button.
  4. Manage export location. That’s it!



Restore encrypted files using Recuva

There is an alternative program that you may use: Recuva.

  1. Run Recuva;
  2. Follow instructions and wait until scan process ends;
  3. Find the files you need, mark them and press the Recover button;

How to prevent ransomware infection?

It is always worthwhile to prevent a ransomware infection because of the consequences it may bring. Resolving problems caused by encoder viruses is very difficult, which is why it is vital to keep proper and reliable anti-ransomware software on your computer. In case you don’t have any, here you may find some of the best offers to protect your PC from disastrous viruses.


Thor Home


WiperSoft is a reliable antivirus application that is able to protect your PC and prevent the infection from the start. The program is designed to be user-friendly and multi-functional.


6 Responses

  1. Feguino says:

    Is there any way to decrypt the files encrypted by the virus? I have many important documents that I would like to restore.

    • Malware Warrior says:

      Feguino, there are no available decryptors for the newest versions of GandCrab, like this one. We advise you to try to restore your files with special recovery tools. You may find more detailed info on data recovery software in this article – recovery software.

  2. Ben says:

    hi there… I’ve been infected but fortunately on a computer I just reinstalled, so I just formatted it and put a clean Windows install.

    The question is: I got an external HDD and it seems it has some infected files (encrypted). Is it safe to plug it in and remove all the encrypted files (or try to decrypt)? I mean, could the fact that I plug this HDD into my computer reinfect my Windows?

    • admin says:

      Hi, Ben! Unfortunately, yes. The virus can be dangerous in your case. So we recommend that you don’t plug your external HDD into your computer.

  3. Mehmet Ali ALTAN says:

    I stored encrypted files in a cloud account. All solutions use the original computer’s HDD to find early copies or restored files. Is there any method of decrypting archived files on another computer, other than the infected one?

  4. Gohel Brijesh says:

    Hello sir

    I am affected by .Seto ransomware. I removed the virus by installing a new Windows, but the already encrypted files are the same. So please share some guidance for decrypting these .Seto files.

    Plz help I am in big trouble
