How to delete GANDCRAB

This analysis and removal article has been made to inform you and provide instructions on deleting GANDCRAB 5.2 ransomware infection from your computer and also add methods via which you can try and restore files, encrypted by this cryptovirus on your computer.

Following the successful decryption of GANDCRAB 5.1, ransomware, an updated and undetectable version of the notorious ransomware, called GANDCRAB 5.2 has been released. The harmful software was working for over a year and it has now been created frequently in more recent and more recent versions, majority of which aim to enchipher the files of entered systems and ask their owners to land on a TOR page, where victims are coerced to pay fine in the BitCoin or DASH cryptocurrencies. In the unlucky events that your device was corrupted by GANDCRAB 5.2 ransomware, we would advise that you read this deletion report.


GANDCRAB 5.2 has not deviated much from the rest of the GANDCRAB ransomware family in terms of infection ways. The newest parasite files of GANDCRAB 5.2 ransomware were reported by safeguarding professionals to travel via two major ways:

  • Via files, uploaded on threatened web pages.
  • Via files transmitted to victims via e-mail.

If GANDCRAB 5.2 ransomware is spread via e-mail, then the virus may infect computers as a result of a file, embedded within an archive, containing a malicious .JS (JavaScript) category of files. The e-mail that could be sending the archive may impersonate an e-mail sending a picture, like the up-to-date malspam e-mail we found to be circulated GANDCRAB:

Once the victim sees that someone sent a picture with the text “;)” written in the e-mail body, it might raise interest. In case the victim downloads the .ZIP archive and extracts the picture, infection with GANDCRAB 5.2 may be inevitable.

Another scheme via which victims can get corrupted by e-mail in packages with GANDCRAB 5.2 ransomware is to open Microsoft Word or .PDF files moreover transmitted as attachment, but this time feigning to be invoices, receipts and other supposedly invaluable documents, moreover contained in a .ZIP archive. Earlier the victim downloads and extracts the Microsoft Word catalog and starts it, the file could ask to permit Macros, like the image underneath exhibits.

This is accomplished alongside the pretense that you can’t see what is in the catalog, unless you tap on “permit Editing” or “permit Content” button. Once you click this button, infection with GANDCRAB 5.2 may occur. In case the record is a .PDF file, the same might arise, merely that the PDF Adobe Reader catalog may in an automatic way open the Microsoft Word catalog as soon as you open it.

Another method that is also known to cause infections with GANDCRAB 5.2 ransomware virus was recently reported to be used very often. The parasite way incorporates uploading files on threatened or evil WordPress portals, and make them look that they are authentic utility holes. Some of the software which are supposed to be cracked, but get in alongside GANDCRAB 5.2 are reported by victims to be the following:

  • KMSPico(activator for Windows).
  • Securitask(stability utility).
  • SysTools PST join together(catalog join togetherr).
  • Merging Image to PDF(document merger).

More info on how GANDCRAB ransomware infects victims via files uploaded on sites can be found in the related web link we have added underneath:

GANDCRAB Ransomware Now Infects Via Software Cracks

GANDCRAB 5.2 ransomware belongs to the GANDCRAB ransomware group of malware, which has circulated in the consecutive variants up until this version:


When we come to the current GANDCRAB 5.2 variation, there have been quite a great deal of parasite files reported so far by malicious software researchers to have the following titles and identifiers:

The minute the GANDCRAB 5.2 ransomware malicious software results in an threat on the systems, threatened by it, the harmful application as quickly as you can spaws the by chance titled executable record. In it’s turn, the by chance titled .exe file creates a child process in wmic.exe(Windows Management Instrumentation) as the VMRay graphic below shows:

Image Source: VMRay

From there, GANDCRAB v5.2 ransomware may start it’s malignant process to encode the files on the threatened device. The process starts in packages with unleashing the ransom notice of GANDCRAB 5.2 ransomware, which is a .txt file that has a randomly generated name and ends with “-DECRYYPT.txt”. The ransom notice record has the following notification to victims, requesting them to land on a TOR-based portal:

The web hyperlink in the GANDCRAB 5.2 “DECRYPT.txt” log redirects to a penalty payment site that seeks you to pay a lot of dollars in DASH or BTC. The website is started in addition to TOR browser and sounds like the following:

The last process of GANDCRAB 5.2 ransomware is to modify your wallpaper. The wallpaper in other words reconfigured looks like the following on pcs that were corrupted with the malicious software:

GANDCRAB 5.2 ransomware could also perform the following command as an administrator so to eliminate the backed up files on the affected device:

Probably the biggest change in GANDCRAB so far is that the ransomware virus does not add a random file extension, but renames the whole encrypted file to A-Z, a-z, 0-9 randomly generated name. And what is much worse is that every log is renamed differently in packages with diverse log title length. The files, enchiphered by GANDCRAB ransomware are transformed to the following after enciphering:

The encoding of GANDCRAB 5.2 ransomware is accomplished via Salsa20 cipher. This encryption algorithm intentions to change information from the files on the corrupted device along with stops of encoded details. The harmful application doesn’t enchipher the entire log, but pretty merely pieces of it, sufficient to create it appear malevolent and not reliable. And what is harsher, GANDCRAB 5.2 ransomware employs CBC settings for its log enciphering processes. This settings appears that the image we posted underneath and it to summarize breaks your files if you attempt to modify their add-on or interfere alongside them:

But earlier initiating uninstallation, we would highly suggest that you generate an image of your system so that you may be capable of restoring the threat earlier a decryptor of the malicious program has been created and your files are repaird. You might also attempt backing up your files on a flash drive or in another place. Whatever you do, don’t meddle alongside the files, because this shall breach them.

Warning, multiple anti-virus scanners have detected possible malware in GANDCRAB.

Anti-Virus SoftwareVersionDetection
K7 AntiVirus9.179.12403Unwanted-Program ( 00454f261 )
Kingsoft AntiVirus2013.4.9.267Win32.Troj.Generic.a.(kcloud)
VIPRE Antivirus22224MalSign.Generic
NANO AntiVirus0.26.0.55366Trojan.Win32.Searcher.bpjlwd


  • Installs itself without permissions
  • GANDCRAB Connects to the internet without your permission
  • Slows internet connection
  • Integrates into the web browser via the GANDCRAB browser extension
  • Changes user's homepage
  • Distributes itself through pay-per-install or is bundled with third-party software.
  • Shows Fake Security Alerts, Pop-ups and Ads.
  • GANDCRAB Shows commercial adverts
  • Common GANDCRAB behavior and some other text emplaining som info related to behavior
  • GANDCRAB Deactivates Installed Security Software.
Download Removal Toolto remove GANDCRAB

GANDCRAB effected Windows OS versions

  • Windows 1030% 
  • Windows 838% 
  • Windows 722% 
  • Windows Vista6% 
  • Windows XP4% 

GANDCRAB Geography

Eliminate GANDCRAB from Windows

Delete GANDCRAB from Windows XP:

  1. Click on Start to open the menu.
  2. Select Control Panel and go to Add or Remove Programs. win-xp-control-panel GANDCRAB
  3. Choose and remove the unwanted program.

Remove GANDCRAB from your Windows 7 and Vista:

  1. Open Start menu and select Control Panel. win7-control-panel GANDCRAB
  2. Move to Uninstall a program
  3. Right-click on the unwanted app and pick Uninstall.

Erase GANDCRAB from Windows 8 and 8.1:

  1. Right-click on the lower-left corner and select Control Panel. win8-control-panel-search GANDCRAB
  2. Choose Uninstall a program and right-click on the unwanted app.
  3. Click Uninstall .

Delete GANDCRAB from Your Browsers

GANDCRAB Removal from Internet Explorer

  • Click on the Gear icon and select Internet Options.
  • Go to Advanced tab and click Reset.reset-ie GANDCRAB
  • Check Delete personal settings and click Reset again.
  • Click Close and select OK.
  • Go back to the Gear icon, pick Manage add-onsToolbars and Extensions, and delete unwanted extensions. ie-addons GANDCRAB
  • Go to Search Providers and choose a new default search engine

Erase GANDCRAB from Mozilla Firefox

  • Enter „about:addons“ into the URL field. firefox-extensions GANDCRAB
  • Go to Extensions and delete suspicious browser extensions
  • Click on the menu, click the question mark and open Firefox Help. Click on the Refresh Firefox button and select Refresh Firefox to confirm. firefox_reset GANDCRAB

Terminate GANDCRAB from Chrome

  • Type in „chrome://extensions“ into the URL field and tap Enter. extensions-chrome GANDCRAB
  • Terminate unreliable browser extensions
  • Restart Google Chrome. chrome-advanced GANDCRAB
  • Open Chrome menu, click SettingsShow advanced settings, select Reset browser settings, and click Reset (optional).
Download Removal Toolto remove GANDCRAB