GandCrab represents one of the most prolific and financially successful ransomware operations in recent cybersecurity history. Active from January 2018 through June 2019, this ransomware-as-a-service (RaaS) platform infected hundreds of thousands of computers worldwide before its operators claimed retirement. Despite the original developers announcing their shutdown, variants and copycat versions continue to circulate, making GandCrab-related infections an ongoing concern for both home users and businesses.
This particular ransomware family gained notoriety for its sophisticated evasion techniques, rapid evolution through multiple versions (reaching version 5.3), and the brazen public presence of its developers on underground forums. GandCrab encrypted victim files using strong cryptography, appended various extensions depending on the version (.GDCB, .CRAB, .KRAB, or random strings), and demanded ransom payments in cryptocurrency—initially Bitcoin, later switching exclusively to Dash for enhanced anonymity.
Threat Profile
| Attribute | Details |
|---|---|
| Family | GandCrab (ransomware-as-a-service) |
| Classification | Crypto-ransomware, file-encrypting malware |
| Active Versions | v1.0 through v5.3 (2018–2019); copycat variants post-2019 |
| Platform | Windows (XP through Windows 10/11) |
| Aliases | GDCB, CRAB, KRAB (based on file extension); detected as Ransom:Win32/GandCrypt, Trojan-Ransom.Win32.GandCrab by various vendors |
| Encryption Method | Salsa20 cipher with RSA-2048 key exchange (versions varied; later versions used elliptic curve cryptography) |
| File Extensions | .GDCB, .CRAB, .KRAB, or random 5-10 character extensions (version-dependent) |
| Distribution | Exploit kits (GrandSoft, RigEK, Fallout), malspam campaigns, compromised RDP, software cracks, drive-by downloads |
| Persistence | Registry Run keys, scheduled tasks; some versions installed as Windows services |
| Ransom Demand | $600–$2,400 USD equivalent in Dash (DASH) cryptocurrency; increased for delayed payment |
| Communication | Tor-based payment sites, .bit domain ransom notes (accessed via special gateways) |
| Notable Behavior | Terminates database/backup processes, deletes shadow copies, exfiltrates system information, attempts lateral network movement in later versions |
| Decryption Status | Decryptors available for versions 1.0, 4.0-4.1.2, 5.0.4-5.1; most versions remain without free decryption |
| Removal Difficulty | Moderate (removing the malware itself); decryption without key: extremely difficult to impossible for most versions |
How It Spreads
GandCrab's distribution model relied on a ransomware-as-a-service infrastructure where the core developers provided the encryption payload to affiliate partners who handled distribution. This business model resulted in an exceptionally diverse range of infection vectors, as different affiliates specialized in different delivery methods. The sheer variety of distribution channels made GandCrab one of the most widespread ransomware families of its era.
The most successful distribution method for GandCrab was through exploit kits—automated attack platforms that scanned for vulnerabilities in visitors' browsers and plugins. The GrandSoft Exploit Kit and Fallout Exploit Kit were particularly associated with GandCrab distribution, targeting outdated versions of Internet Explorer, Flash Player, and other browser components. Users could become infected simply by visiting a compromised legitimate website or clicking on a malicious advertisement, with no other action required if their software was out of date.
Later versions of GandCrab expanded into more aggressive distribution channels, including corporate network compromises through weak Remote Desktop Protocol (RDP) credentials. Common infection vectors included:
- Malicious email attachments disguised as invoices, shipping notifications, or urgent account alerts, typically containing infected Word documents with malicious macros or executable files in ZIP archives
- Exploit kit drive-by downloads from compromised legitimate websites, malicious advertising networks, and traffic distribution systems
- Software cracks and keygens bundled with pirated software, particularly popular productivity software and video games
- Fake software updates presented as critical Flash Player or browser updates on compromised or malicious websites
- RDP brute-force attacks targeting businesses and power users with poorly secured remote desktop access
- Trojanized installers for popular freeware utilities distributed through unofficial download sites and torrent networks
- Malvertising campaigns on legitimate ad networks that redirected users to exploit kit landing pages
- PowerShell-based downloaders delivered through previous malware infections or fileless attack chains
What It Does On Your Machine
Once GandCrab executes on a system, it moves through a carefully orchestrated infection sequence designed to maximize encryption coverage while evading detection and preventing recovery. The malware first performs environmental checks to avoid execution in virtual machines or sandbox environments commonly used by security researchers. It examines system language settings and will not encrypt systems configured for Russian, Ukrainian, or several other CIS countries—a common characteristic suggesting the operators' geographical origin and a calculated move to avoid prosecution by those governments.
After confirming it's running on a genuine target system, GandCrab establishes persistence through multiple mechanisms. It typically creates registry Run keys to ensure execution after reboot and may install itself as a Windows service or scheduled task. The malware then begins its most destructive phase: systematically terminating processes associated with databases, email clients, backup software, and office applications to ensure maximum file access. It executes commands to delete Volume Shadow Copies (Windows' built-in backup system), eliminating the most accessible recovery option for victims.
The encryption process itself is remarkably fast and discriminating. GandCrab targets specific high-value file extensions—documents, spreadsheets, databases, photos, videos, archives, and source code—while avoiding system files necessary for Windows to function. This ensures the victim can still boot their computer and access the ransom note, while all personal and business data becomes inaccessible. Each encrypted file receives a new extension (varying by version), and ransom notes are dropped in every affected folder, typically named "KRAB-DECRYPT.txt" or similar version-specific names.
Later versions of GandCrab incorporated additional malicious functionality beyond simple encryption. Version 5 and above included information-stealing capabilities, exfiltrating system information, installed software lists, and in some configurations, credentials and cryptocurrency wallet data to the attackers' command-and-control servers. Some variants attempted lateral movement within business networks, seeking additional machines to infect and maximizing the ransom potential from corporate victims.
Manual Removal — Step by Step
Isolate the Infected System Immediately
Before attempting any removal, disconnect the computer from all networks—unplug the ethernet cable and disable Wi-Fi. If you're on a business network, also disconnect any mapped network drives and external storage devices. GandCrab can spread to connected drives and network shares, so isolation is critical. Do not connect any backup drives to the infected machine at this stage. If possible, photograph the ransom note with your phone for documentation purposes—you'll need details from it later.
Boot Into Safe Mode with Networking
Restart the computer and repeatedly press F8 (or Shift+F8 on Windows 10/11) during boot to access the Advanced Boot Options menu. Select "Safe Mode with Networking." This loads Windows with minimal drivers and prevents most malware from auto-starting, while still allowing internet access for downloading tools. On Windows 10/11, you may need to boot from recovery media or use the Settings app to access recovery options if F8 doesn't work. Safe Mode provides a cleaner environment for the removal process.
Identify and Terminate the Malicious Process
Press Ctrl+Shift+Esc to open Task Manager. Look for suspicious processes running from %APPDATA%, %TEMP%, or %LOCALAPPDATA% folders with random names. GandCrab typically runs as a randomly-named executable (e.g., "qwerty.exe" or a GUID-like name). Right-click any suspicious process, select "Open File Location" to confirm the path matches the patterns above, then "End Task." Note the full path—you'll need it shortly. Be cautious not to terminate legitimate Windows processes; when in doubt, search the process name online first.
Remove Persistence Mechanisms
Press Win+R, type "regedit," and open the Registry Editor. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries with random names or paths matching the malicious executable location you identified. Right-click and delete these entries. Next, open Task Scheduler (search for it in Start menu), expand Task Scheduler Library, and delete any suspicious scheduled tasks with random names or those pointing to the malware's folder. This prevents the ransomware from restarting.
Delete the Malware Files
Open File Explorer and navigate to the folder containing the malicious executable you identified in Step 3. Delete the entire folder if it contains only malware-related files. Common locations include subfolders under %APPDATA%\Microsoft\Windows\, %LOCALAPPDATA% with random GUID names, or %TEMP%. Also check for and delete any ransom note files (typically named KRAB-DECRYPT.txt, GDCB-DECRYPT.txt, or similar). You may need to enable "Show hidden files" in File Explorer's View options to see some of these folders.
Run Comprehensive Malware Scans
Download and install Malwarebytes (from malwarebytes.com) while still in Safe Mode. Run a complete "Threat Scan" which will detect GandCrab and related components. Allow it to quarantine all detected items. Follow up with a scan using Windows Defender (run "Windows Security" from Start menu, then "Virus & threat protection > Scan options > Full scan"). Consider also running the free Kaspersky TDSSKiller and HitmanPro for additional coverage against rootkit components and any residual infections. Some GandCrab versions installed additional payloads that require thorough cleanup.
Attempt Decryption If Applicable
Visit the No More Ransom Project website (nomoreransom.org) and use their Crypto Sheriff tool to identify your specific GandCrab version based on the ransom note or encrypted file characteristics. Free decryption tools exist for certain GandCrab versions (1.0, 4.0-4.1.2, and 5.0.4-5.1). Download the appropriate decryptor if available and follow its instructions carefully. Unfortunately, most GandCrab versions still lack free decryption solutions. If no decryptor exists for your version, recovery will depend on restoring from backups or professional data recovery services—never pay the ransom, as there's no guarantee of receiving a working decryption key.
Check for Additional Compromises
GandCrab sometimes arrived bundled with information stealers or other malware. Run a credential audit: change passwords for all important accounts (email, banking, social media) from a different, clean device—not from the infected computer until you're absolutely certain it's clean. Check your installed programs list (Settings > Apps) for any unfamiliar software installed around the infection date. Review browser extensions in Chrome, Firefox, and Edge for suspicious add-ons. Some GandCrab affiliates installed cryptocurrency miners or remote access trojans alongside the ransomware.
Restore System Integrity
Open Command Prompt as Administrator and run "sfc /scannow" to verify and repair Windows system files that may have been damaged. This process takes 15-30 minutes. Since GandCrab deleted shadow copies, you won't be able to use System Restore unless you had third-party backup software running. If you have external backups that were disconnected during the infection, you can now carefully restore files—but first scan those backup drives with your updated antivirus before copying files back to ensure they're not infected.
Reboot, Verify, and Monitor
Restart your computer normally (not in Safe Mode) and verify that no suspicious processes launch. Run one more quick scan with Malwarebytes and Windows Defender to confirm the system is clean. Check that no encrypted files remain on your system—if you find any, you likely didn't remove all malware components, or you need the decryption tool from Step 7. Monitor system behavior carefully for the next few days, watching for unusual slowdowns, unexpected network activity, or files behaving strangely. Consider running Process Explorer from Microsoft Sysinternals for detailed process monitoring during this observation period.
Prevention
- Implement a robust backup strategy following the 3-2-1 rule: three copies of your data, on two different media types, with one copy stored offline or off-site. Regularly disconnect external backup drives after backing up—connected drives will be encrypted by ransomware. Test your backups periodically to ensure they actually work when you need them. Automated cloud backup services like Backblaze or Carbonite provide continuous protection with versioning that can recover files from before infection.
- Keep all software updated without exception—Windows, browsers, Java, Flash (or better yet, uninstall Flash entirely), Adobe Reader, and all plugins. Enable automatic updates where possible. GandCrab's exploit kit distribution method relied entirely on outdated software vulnerabilities. The vast majority of infections could have been prevented with current patches. Set aside time monthly to verify everything is updated, including rarely-used software.
- Exercise extreme caution with email attachments, especially Office documents, PDFs, and archives from unexpected senders. Never enable macros in documents from unknown sources, regardless of how urgent or official the request appears. Verify unexpected invoices or shipping notifications by contacting the company directly through their official website—not by replying to the email. When in doubt, don't open it.
- Use comprehensive security software with real-time protection and keep it updated. Windows Defender provides decent baseline protection on Windows 10/11, but consider adding Malwarebytes Premium for additional behavioral detection layers. Ensure real-time scanning is actually enabled—many users inadvertently disable it and run unprotected. Configure your security software to scan downloads automatically and block known exploit kit domains.
- Restrict administrative privileges on your computer. Create a standard user account for daily activities and only use an administrator account when installing software or changing system settings. GandCrab and most ransomware have reduced impact when running without admin rights, as they can't modify system-level settings, delete shadow copies, or establish deep persistence. This single change dramatically reduces infection success rates.
- Secure Remote Desktop Protocol if you use it. Disable RDP entirely if you don't need it (most home users don't). If you must use RDP, never expose it directly to the internet—use a VPN instead. Implement strong, unique passwords (20+ characters), enable Network Level Authentication, change the default port 3389, and use account lockout policies to prevent brute-force attacks. Many business GandCrab infections entered through weak RDP credentials.
- Download software only from official sources—never use "crack" sites, key generators, or piracy platforms. These are the single most common distribution vector for ransomware outside of email and exploit kits. The money you save on pirated software will cost exponentially more when ransomware encrypts your files. If you can't afford software, look for legitimate free alternatives rather than pirated versions of commercial products.
- Enable controlled folder access in Windows 10/11 (found in Windows Security > Ransomware protection). This feature restricts which applications can modify files in protected folders like Documents, Pictures, and Desktop. While it requires some initial configuration to authorize legitimate applications, it provides powerful protection against unauthorized encryption by blocking unknown executables from accessing your personal files—exactly what ransomware needs to do.
Bring It In
While the manual removal steps above can eliminate the GandCrab malware from your system, the encryption it caused is another matter entirely. Without the specific decryption key held by the attackers—or one of the limited free decryptors available for certain versions—encrypted files remain inaccessible. This is where professional help makes a critical difference. At Computer Repair Roswell, we maintain relationships with cybersecurity organizations, access to specialized recovery tools, and the expertise to identify exactly which GandCrab variant infected your system and whether any recovery options exist. We've successfully recovered data from ransomware infections using advanced techniques including file carving from unallocated disk space, exploiting imperfect encryption implementations, and working with law enforcement decryption initiatives.
Beyond data recovery, we provide comprehensive post-infection services: securing your system against reinfection, implementing proper backup solutions so this never happens again, and—when necessary—rebuilding your system from the ground up with better security architecture. Ransomware infections represent wake-up calls; we ensure you're protected going forward. Don't struggle through this alone or risk making the situation worse with improper removal attempts. Call us at (770) 856-1550 or visit our shop at 1394 Canton Road, Roswell, GA 30075. We're open Monday through Friday, 9 AM to 6 PM, and Saturday 10 AM to 4 PM. Bring your infected machine in for a free initial diagnostic, and we'll provide an honest assessment of your recovery options and exactly what we can do to help.