How to decrypt files encrypted by Gandcrab v5.0.4: free decryption tool is available

Know How to Recover Files Encrypted by Ransomware

Ransomware is a type of computer virus that hackers or cybercriminals use to blackmail unsuspecting users into paying a ransom fee by encrypting their crucial stored files. It is a nasty kind of virus: removing it alone is not enough to return the encrypted files to their original, decrypted form. Such viruses use sophisticated cryptographic algorithms to encrypt the files, which means a unique decryption tool is required to access the files again.

Gandcrab v5.0.4 is one such virus, and many Windows PC users have become its victims in the past few months. If you are also a victim and want to know how to decrypt files encrypted by Gandcrab v5.0.4, read this blog carefully to the end.

Some facts about Gandcrab v5.0.4

Gandcrab v5.0.4 is a new variant of the GandCrab ransomware, which has become quite an infamous ransomware-type virus. Some other variants of this threat are: GandCrab .GDCB, GandCrab .CRAB (v2), GandCrab .CRAB (v2.1), GandCrab .CRAB (v3), GandCrab .KRAB (v4), GandCrab .krab (v4.1), GandCrab V5.0, GandCrab 5.0.1, GandCrab 5.0.2, GandCrab 5.0.3, GandCrab 5.0.4, GandCrab 5.0.5, GandCrab 5.0.7, GandCrab 5.0.8, GandCrab 5.0.9, GandCrab 5.1.0 and GandCrab 5.1.

The Bitdefender decryption tool

In February 2018, Bitdefender released the first decryption tool for GandCrab ransomware to help victims decrypt their files. But subsequent versions of GandCrab, together with its ransomware-as-a-service affiliate approach, have continued to reach victims. The good news is that you can retrieve the files encrypted by this ransomware without paying a cent to the cybercriminals.

Below is the table that shows which variants this decryption tool is available for. Victims can identify the variant that intruded on their device just by looking at the unique extension that many variants append to the filenames of the encrypted files.

What is required to use the decryption tool?

Using the decryption tool first requires an active Internet connection. The connection is needed so that Bitdefender’s servers can attempt to reply to the submitted ID with a possibly valid RSA-2048 private key. The rest of the process continues only after this step succeeds. Victims must also have at least 1 copy of the ransom note that the ransomware generates after completing the encryption process. The note is used to compute the unique decryption key for the encrypted files. Below is the process for decrypting files encrypted by Gandcrab v5.0.4.

Step by step process to use the Gandcrab decryption tool

  • Step 1: Download the decryption tool and save it somewhere on the PC.

Wait while the Bitdefender servers attempt to reply to the submitted ID with a possibly valid RSA-2048 private key. This step must succeed; without it, decryption is not possible. So do not cut the Internet connection in the meantime.

  • Step 2: Run the utility and save it on the computer as BDGandCrabDecryptor.exe.
  • Step 3: Click on “Agree to the terms and Conditions”.
  • Step 4: Select “Scan Entire System”, or add the path to the encrypted files, if you want to search for all the encrypted files.

Here, you can select “Backup files” before scanning. If you select the backup option as well, you will be able to see both the encrypted and the decrypted files. Whether or not you check the backup option, the decryption tool attempts to decrypt the files in the path that is provided and stops if decryption is unsuccessful.

  • Step 5: At this point, you will have the files in decrypted form. Check that your files open safely and show no trace of damage.

After validating, you are free to delete the encrypted files in bulk by selecting them by the unique extension name that matches GandCrab.

Important Note: The Bitdefender ransomware decryption tool is very effective. But before using the tool, you have to remove all the files associated with GandCrab from the PC. So, first scan the PC with a powerful anti-malware tool and then run any decryptor tool. If the Bitdefender decryption tool doesn’t work for any reason, you can use a powerful data recovery tool to recover the locked files.

Deceptive ways cybercriminals use to spread ransomware

According to malware researchers, GandCrab ransomware is spread through spam emails containing a JavaScript file posing as an actual PDF file. The file is contained in a 7z archive. Some of the email addresses that have been reported since GandCrab variants came into existence are [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] and so on. The attachments on the spoofed emails were reported to mainly cover topics such as payments, tickets, order invoices, documents, MS Office or PDF docs, tax invoices and so on.

Detailed description of how the ransomware encrypts the files

Once recipients open the malicious attachment, the zip archive installs on the targeted PC and runs a JavaScript, which drops a malicious executable file.

The executable file is located in the %AppData% directory. It can be detected through a Windows registry entry under the “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce” subkey. An entry for this process in that location indicates that the PC has been infected with the ransomware.
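One way to check for the indicator described above, as an added example that is not part of the original article or of any vendor tool: it lists HKCU RunOnce values whose program path resolves under %AppData%. The sample entries, the user name and the value name `xkqpwz` are constructed for illustration; a hit is a lead to review, since legitimate software also installs under %AppData%.

```python
import ntpath
import os
import re
import sys

RUNONCE = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
# Constructed sample data (not from a real infection), used when not on Windows.
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_ENTRIES = {
    "VendorUpdate": r'"C:\Program Files\Vendor\update.exe" /silent',
    "xkqpwz": r"%AppData%\Microsoft\xkqpwz.exe",
}

def read_runonce():
    """Read {value name: command} from HKCU RunOnce (Windows only)."""
    import winreg
    entries = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE)
    except FileNotFoundError:
        return entries  # the key does not exist: nothing is scheduled
    with key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, value, _kind = winreg.EnumValue(key, i)
            entries[name] = str(value)
    return entries

def executable_of(command, env):
    """Pull the program path out of a command line and expand %VAR%."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", command, re.I)
        path = m.group(1) if m else command.split(" ", 1)[0]
    expand = lambda v: env.get(v.group(1).upper(), v.group(0))
    return ntpath.normpath(re.sub(r"%([^%]+)%", expand, path))

def appdata_entries(entries, env):
    """Return the entries whose program lives under %AppData%."""
    root = ntpath.normcase(ntpath.normpath(env["APPDATA"])) + "\\"
    found = {}
    for name, command in entries.items():
        exe = executable_of(command, env)
        if ntpath.normcase(exe).startswith(root):
            found[name] = exe
    return found

if __name__ == "__main__":
    live = sys.platform == "win32"
    env = {k.upper(): v for k, v in os.environ.items()} if live else SAMPLE_ENV
    entries = read_runonce() if live else SAMPLE_ENTRIES
    for name, exe in appdata_entries(entries, env).items():
        print(f"review RunOnce value {name!r}: {exe}")
```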

After infection, GandCrab ransomware scans for the files that it can encrypt. As you know, GandCrab has many variants, and different variants use different sophisticated encryption algorithms to encrypt the files. For example, GandCrab 2/3/4/5 ransomware use the RSA 2048 and AES 256 algorithms, while GandCrab 5.0.4 and GandCrab 5.1, which are the most aggressive viruses of this family, use the RSA and Salsa20 algorithms.

GandCrab variants can encrypt any type of file, including images, audio, videos, documents, presentations, databases, etc. The encrypted files receive a unique extension name. Some of the extensions that different GandCrab variants append to the filenames of their encrypted files are .gdcb, .crab, .krab, .KRAB, and .lock. Each extension name belongs to a particular variant of GandCrab ransomware. Thus, the extension a variant uses identifies that variant of GandCrab.
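The extension-to-variant identification described above, combined with the check to run before the bulk deletion in Step 5, as an added example that is not part of the original article or of the Bitdefender tool. It assumes the decrypted copy is written beside the encrypted file under its original name; the mapping uses only the extensions and variant names listed on this page.

```python
import os
import sys
from collections import Counter

# Appended extension -> variant label, taken from this page's variant list.
# .KRAB and .krab differ only by case, so the exact case is tried first.
# .lock is listed without a variant and is also used by ordinary software,
# so treat it as a weak signal.
VARIANT_BY_EXT = {
    ".GDCB": "GandCrab .GDCB",
    ".CRAB": "GandCrab .CRAB (v2, v2.1 or v3)",
    ".KRAB": "GandCrab .KRAB (v4)",
    ".krab": "GandCrab .krab (v4.1)",
    ".lock": "GandCrab (variant not named on the page)",
}

def classify(filename):
    """Return (original_name, variant) if the name carries a listed extension."""
    original, ext = os.path.splitext(filename)
    for key in (ext, ext.upper(), ext.lower()):
        if key in VARIANT_BY_EXT:
            return original, VARIANT_BY_EXT[key]
    return None

def triage(root):
    """Walk root and split encrypted files into recovered and unrecovered."""
    report = {"variants": Counter(), "recovered": [], "unrecovered": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit is None:
                continue
            original, variant = hit
            report["variants"][variant] += 1
            restored = os.path.join(folder, original)
            # Assumption: a non-empty file with the original name next to the
            # encrypted one is the decrypted copy. Opening it is still manual.
            ok = os.path.isfile(restored) and os.path.getsize(restored) > 0
            key = "recovered" if ok else "unrecovered"
            report[key].append(os.path.join(folder, name))
    return report

if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for variant, count in result["variants"].items():
        print(f"{count:6d}  {variant}")
    print(f"{len(result['recovered'])} encrypted files have a decrypted copy")
    for path in result["unrecovered"]:
        print(f"keep (no decrypted copy found): {path}")
```

Only the files reported as having a decrypted copy are candidates for deletion, and only after the decrypted copies have been opened and checked.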

Soon after the encryption process is completed, the files stored on the system become inaccessible. The cybercriminals then start blackmailing their victims into paying a ransom fee to get a unique decryption tool. In fact, the algorithms these threats use give the developers a unique decryption key. The developers store that decryptor on remote servers. They demand the ransom fee in Bitcoin, DASH or another cryptocurrency to hide their identity.

With the help of the variants, the cybercriminals drop a ransom note after the PC connects to their remote servers or hosts. The ransom note mostly appears in the form of an .html or .txt file. It contains a short message that informs the victims about the ransomware attack and asks them to contact the developers and buy the unique decryption tool, for which the cybercriminals demand a huge ransom fee.

More about the ransomware note

The ransom note looks like below:


All your files documents, photos, databases and other important files are encrypted and have the extension: .
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser –
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]
5. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

Do not try to modify files or use your own private key – this will result in the loss of your data forever!”

Avoid paying the ransom fee

You should avoid paying the ransom money because it will not help. The cybercriminals are not honest and they will disappear after taking the ransom fee. You should not trust them. And most of all, the money you pay will be used to create more such dangerous ransomware.

I am sure you don’t have any more doubts about how to decrypt files encrypted by Gandcrab v5.0.4. Thanks to Bitdefender, this is now possible. The method for recovering files encrypted by ransomware and the use of the Bitdefender decryption tool are discussed above. However, it is strongly recommended that you scan your PC with a reputable antivirus tool before using the decryption tool. As long as the payloads and scripts of Gandcrab V5.0.4 are on the PC, you will not be able to use the decryption tool.