Counterintuitively enough, the GandCrab 5.2 crypto ransomware attack is amazingly easy to prevent but incredibly tough to handle if it happens to get through. In most cases, all it takes to thwart this type of predicament is to abstain from opening fishy email attachments. The restoration of encrypted files, however, may only be feasible through submitting a ransom in digital cash.
Security-savvy computer users who are familiar with the GandCrab ransomware campaign should be aware that this infection tends to change over time. It took the threat actors about a month to come up with a new edition of the Trojan after the previous version 5.1 had emerged. The most recent variant is similar to its forerunner in many ways, except that its cryptographic characteristics have had an overhaul. The motive behind this alteration is a free decryptor created by security researchers in February 2019, which defeats the crypto of this strain’s iterations up to 5.1. Due to in-depth tweaks in the cipher implementation, GandCrab 5.2 is no longer covered by that recovery solution.
GandCrab 5.2 ransomware wreaking havoc with data and the desktop wallpaper
The other properties of the baddie, including propagation vectors and the specifics of its interaction with the Command and Control server, underwent no significant changes as compared with the rest of the GandCrab spinoffs. The latest release of the virus still appends filenames with a random extension consisting of 5-10 characters. A sample file Park.jpg, when scrambled due to the assault, will look like Park.jpg.axblqisb. The format of the names of the so-called ransom notes created on a PC hasn’t changed either. The first part of this TXT document’s name still matches the unique file extension, only made uppercase. So, the string in our illustration scenario is going to be AXBLQISB-MANUAL.txt, or AXBLQISB-DECRYPT.txt.
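As an added, defender-side example that is not part of the original article: a small Python triage helper that uses the naming scheme just described to derive the victim-specific extension from the ransom notes and pair it with the encrypted files in a directory listing. The listing, paths and hypothetical second extension are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Notes are named <EXT>-MANUAL.txt or <EXT>-DECRYPT.txt: the victim-specific
# 5-10 letter extension in uppercase, so notes reveal the extension to look for.
NOTE_RE = re.compile(r"^([A-Z]{5,10})-(MANUAL|DECRYPT)\.txt$")
# Encrypted files keep their original name and gain the random lowercase extension.
ENC_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{1,5})\.(?P<ext>[a-z]{5,10})$")

# Constructed sample listing (hypothetical paths, not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\Park.jpg.axblqisb",
    r"C:\Users\alice\Pictures\AXBLQISB-MANUAL.txt",
    r"C:\Users\alice\Documents\budget.xlsx.axblqisb",
    r"C:\Users\alice\Documents\AXBLQISB-DECRYPT.txt",
    r"C:\Users\alice\Documents\readme.txt",
    r"\\fileserver\share\report.docx.kqzmtovpw",
    r"\\fileserver\share\KQZMTOVPW-MANUAL.txt",
    r"C:\Users\alice\Downloads\archive.tar.gzipped",
]

def find_note_extensions(paths):
    """Return the set of lowercase extensions implied by ransom-note filenames."""
    exts = set()
    for p in paths:
        m = NOTE_RE.match(ntpath.basename(p))  # ntpath handles both \ and / separators
        if m:
            exts.add(m.group(1).lower())
    return exts

def original_name(path):
    """Pre-encryption filename (e.g. 'Park.jpg'), or None if the name does not fit."""
    m = ENC_RE.match(ntpath.basename(path))
    return m.group("orig") if m else None

def triage(paths):
    """Group encrypted files by note-derived extension; random-looking extensions
    with no matching note go under 'unmatched' for manual review (noisy by design)."""
    known = find_note_extensions(paths)
    groups = defaultdict(list)
    for p in paths:
        m = ENC_RE.match(ntpath.basename(p))
        if m:
            ext = m.group("ext")
            groups[ext if ext in known else "unmatched"].append(p)
    return {k: sorted(v) for k, v in groups.items()}
```

Feed it the output of a recursive directory walk over the affected volumes and shares to get a per-extension inventory of what was hit before attempting any restore.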
The fact that the GandCrab 5.2 virus leverages a fusion of two different cryptosystems is a legacy that’s particularly unfavorable for anyone infected. The blend of the symmetric AES cipher and the asymmetric RSA standard poses an extremely hard-to-overcome hurdle for brute force attacks and forensic recovery methods, hence the futility of the above-mentioned decryptor. The only guaranteed fix would require the targeted user to own the private RSA key, which is not the case. This high-entropy piece of data is stored on the C2 server, accessible by no one but the perpetrators. In order to get hold of the recovery package, the victim is instructed to send 600-1,200 USD worth of Bitcoin or Dash coins to a wallet provided on the ransomware decryptor page on the Tor network.
Here is what happens before the plagued user gets to the point where they are confronted with the “pay or not” dilemma. The malicious payload usually arrives with spam email that may pretend to be anything from an invoice to some job applicant’s CV. The attachment, typically a JS file, executes a harmful script once an unsuspecting recipient double-clicks on it. The ensuing events are covert enough to overlook: GandCrab 5.2 scans the hard drive and any media attached to the PC, including network shares, in order to find all files with popular extensions. Incidentally, the data scan algorithm has been enhanced in this edition, so these personal data objects become encrypted within minutes after infiltration of the bad code. The next thing you know, a warning message saying “Encrypted by GandCrab 5.2” replaces the desktop wallpaper.
Ultimately, there are two options for anyone who falls victim to this virus. The first one is to pay up. In this case, even if the extortionists provide the automatic decryptor tool, the outcome is still going to be a cold comfort for the user. The other way out is to try the steps below. Nothing is ever guaranteed when it comes to ransomware, but the fix suggested here is certainly worth a shot.
Automated cleanup to remove GandCrab 5.2 virus
1. Download the stub installer and go through several setup dialogs. Once the tool is up and running, click Start Computer Scan.
2. Wait until the cleaner checks the PC for malicious code. As soon as the scan is completed, the report will list all malware objects spotted in the system. Make sure the entries for detected infections are checked, and select the Fix Threats feature. This will result in malware removal and system remediation, so you should now be good to go.
Restore the encrypted files
GandCrab 5.2 encryption is a sophisticated data modification. There is no single, simple solution that covers all cases. Transferring the ransom as demanded by the crooks is not the way either. Apply the methods outlined below; they have been carefully developed to provide recovery help for the most severe cases of encrypting assaults.
Data recovery with automatic software
The good news is that the virus actually works on copies of the files, and the originals have been deleted rather than overwritten. The removed data can still be restored by virtue of undelete tools such as Data Recovery Pro.
Shadow Volume Copies
As Windows creates backups at set intervals, a victim is advised to turn to the relevant restore points. Unfortunately, the method does not apply unless System Restore had been enabled prior to the invasion. Please also note that the recovery returns files as they were saved at the time of the restore point used.
- Previous Versions dialog to target individual files
One can open Properties for any file. The dialog has a tab called Previous Versions, which lists the versions of the file that have been backed up.
To make use of the feature, right-click an affected file and choose Properties in the context menu. Proceed to the above-mentioned tab. You can opt between the Copy and Restore procedures; the former lets you copy the item into a location you specify.
Backups and removing remaining traces of the GandCrab 5.2 ransomware
Prevention is the best cure. If you stick to making regular backup copies of your data and store them outside your operating system, the impact of the ransomware is very limited. However, before copying the data from backups into the system hit by ransomware, make sure the removal of the GandCrab 5.2 virus has completed.
Your manual removal attempts may kill the ransomware in general. In most cases, though, some remnants manage to survive and are still capable of causing significant damage. Apply a reliable anti-malware scanner to detect and remove any remaining infections.