GandCrab Ransomware Recovery

Has GandCrab Ransomware hit your company? If files got encrypted and your backup strategy fails, you can have a company wide emergency on your hands. More importantly, GandCrab is known to be relatively inactive since May 2019 and you may not be be able to decrypt your files even if you pay the attacker.

This page provides all information you need to know about the Gandcrab group, their history, creation, Ransomware as a Service Model, their process of shutting down operations and more importantly, the decryption process and potentially freely available decrytor tools.

Don’t fret. We’re here to help you in recovering your files.

GandCrab Ransomware Recovery

How do I know if GandCrab Ransomware has infected my system?

While it may sound like an infectious disease, Gandcrab was actually a virus that started rearing its ugly head somewhere around the early months of 2018. From then, until the shutting down of its operations, the creators managed to wreak havoc across the world, encrypting data and demanding ransom payments left and right.

No individual or company, big and or small, was safe from them. The reason they were so successful is because they maintained a successful affiliate model, also known as the Ransomware as a Service business model.

  • There are a number of signs pointing to a GandCrab ransomware infection:
  • You receive a message that your data is encrypted and that you have to pay a ransom.
  • The names of your files or file extensions change suddenly
  • The desktop wallpaper has suddenly disappeared
  • CPU utilization is 100%, although you hardly use any applications
  • Your computer reacts very slowly to commands
  • The hard disk seems to process data without pause
  • Your virus protection is deactivated and cannot be started

What should I do when my data has been encrypted by GandCrab Ransomware?

Shut down your computer or server in a normal fashion and disconnect all network connections as soon as possible, including but not limited to any data storage devices along with cloud storage. For more details please visit the Ransomware Information site.

Do not pay the ransom or try to remove GandCrab ransomware trojan on your own.The group known to have performed these GandCrab attacks have publicly announced that they are no longer active. So anyone demanding payments may not actually have working decryption keys.

You should leave the removal of ransomware and, the subsequent recovery of your valuable company data, exclusively to experts.

BeforeCrypt can help you as a serious and highly-effective partner should you be infected by GandCrab ransomware. Thanks to our experience and knowledge, we can recover 100% of your encrypted data in most cases.

Keep calm! Contact us, and we can help you!

Ransomware Recovery Ransomware Decryption


Due to a variety of factions which deploy GandCrab ransomware, there is usually a large disparity between the ransom amounts involved in different cases.

The average GandCrab ransom amount is somewhere between $600–$600,000. In addition Dash exchange fees will apply. Dash is an alternative to Bitcoin.

  • GandCrab Ransomware average ransom in USD $

The GandCrab ransomware downtime is comparatively shorter than other types of ransomware. This is due the fact that GandCrab attackers used automated TOR sites to accept payment and deliver decryptor keys.

Depending on your company size and how often you use IT-systems in your daily business, this is the most expensive part of this incident. Additional to the unavailability of your IT-systems, this is damaging your company reputation.

Your goal should be to get your systems back to a productive state as soon as possible. The best way to do this is to call in experts, which have a vast knowledge of GandCrab ransomware and get the IT-systems back up running.

  • GandCrab
  • All Ransomware

There is a high chance to get a working GandCrab decryptor after paying the attackers. This is because they use an automated process to accept payments and deliver the decryption tool. But there’s never a guarantee to get a working decryption key at all.

  • Paid Decryption Successful
  • Paid Decryption Failed

The most common attack vector for GandCrab ransomware is an unsecured RDP-Connection (Remote Desktop Protocol). Followed up by phishing emails and security vulnerabilities.

  • Remote Desktop (RDP)
  • Phishing Emails
  • Security vulnerabilities
NameGandCrab Virus / GandCrab Ransomware
Danger levelVery High. Advanced Ransomware which makes system changes and encrypts files
Release dateJanuary 30, 2018
OS affectedWindows
Appended file extensions.gdcb, .crab, .krab, .KRAB, .lock, .[random_characters]
Ransom note.krab-decrypt.txt, [randomly_generated_extension]-DECRYPT.html, [victim's ID]-DECRYPT.txt, [victim's ID]-DECRYPT.html, KRAB-DECRYPT.txt, GDCB-DECRYPT.txt
Contact email addressPayment is accepted through automated TOR site


GandCrab Ransomware Note #1: TOR Website

GandCrab Ransomnote-TOR

This is an average GandCrab ransomware note.

GandCrab Ransomware Note #2: Text file

GandCrab Ransomnote-txt

—= GANDCRAB V5.1 =—




All your files, documents, photos, databases and other important files are encrypted and have the extension: 

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:


| 0. Download Tor browser –

| 1. Install Tor browser 
| 2. Open Tor Browser 
| 3. Open link in TOR browser: [TOR link]
| 4. Follow the instructions on this page


On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.






Almost always, there is a * .txt file in every folder that has been encrypted. The text file usually has the name “GDCB-DECRYPT.txt” and contains all the necessary information to contact the GandCrab Ransomware attackers to get your data back. It’s usually safe to open this file, just be sure the full file extension is *.txt.

GandCrab Ransomware: Modified Filename Extensions

GandCrab ransomnote-file

GandCrab ransomware file names just show a different file extension. Unlike other ransomware variants, GandCrab don’t includes an attacker email address or a unique ID in the filename.



Depending on the variant of GandCrab ransomware, it could be possible that there’s a publicly available decryption method. Please use our request form, and we can check this for free for you. You can also use free websites to check this, too.

GandCrab ransomware creates multiple Windows registry entries, creates hidden executable files and sometimes opens a backdoor in firewalls for further access. There are multiple steps necessary, including the cleaning up of the Windows registry, scanning for malware and the manual cleanup of the GandCrab ransomware. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.

The most common attack vector for GandCrab ransomware is an unsecure RDP-Connection (Remote Desktop Protocol). It is followed up by phishing emails and security vulnerabilities. In many ways, it isn’t different from other strains of ransomware and viruses, but it’s the Ransomware-as-a-Service business model that made GandCrab adopt a faster rate of distribution.

Many amateur hackers looking to make easy bucks, use Ransomware-as-a-Service model adopted by Gandcrab, whereby they receive the entire exploit kit and user manuals on how to stage an attack. Once small vendors stage successful attacks, the original Gandcrab ransomware hackers make a portion of revenue whenever a payment is made by the victim.

This has become a highly lucrative business model for ransomware gangs in 2021 and beyond. 

GandCrab ransomware encrypts files with an AES-265 bit and RSA-2048 encryption algorithm.


  1. Professional ransomware response can significantly decrease downtime. We deal with hundreds of cases every year. Through our years of experience, we have developed a streamlined process that brings our clients back online as fast as possible. In the event that a ransom has to be paid, purchasing the necessary cryptocurrency can take days. The process of resolving a ransomware attack without prior experience can take many hours of research. Most of our cases are completely resolved 24-72 hours after we begin the recovery process.

  2. Avoid dealing with criminals and ensure legal compliance. Most companies don’t feel comfortable dealing with cyber-criminals. It can add another layer of stress in emergency. We maintain files on different groups of hackers in order to maximize security and effectiveness of negotiations. We also ensure that all communications and transfers comply with applicable laws and regulations to protect our clients against potential legal problems. 

  3. Instant cryptocurrency transfers. It is always better to avoid giving into the attacker’s demands. If backups and normal recovery methods fail, however, there may be no other choice. Most ransomware attackers demand payment in Bitcoin. If you try to purchase Bitcoin yourself, an intensive know-your-customer process is usually required, which can take 2-6 days for large amounts. We maintain a reserve of the currencies demanded by attackers to make instant payments if needed.

  4. Ensure data integrity and security. As specialists in the field of ransomware incident response, we are always refining industry best practices for data recovery. We have robust, standardized procedures for backing up encrypted data, restoring data, and removing viruses to ensure that there is no data loss or damage.

  5. Easy Insurance Reporting: All of our clients receive a detailed incident report with all information required by cyber-insurance and for law enforcement purposes. Thankfully, cyber-insurance often covers the cost of cyber-extortion as well as professional ransomware response services. Completing all paperwork correctly from the beginning can speed up the process of filing a claim and recovering lost funds.
  1. Backup, Backup, Backup! In most cases, a fresh and secure backup of data can prevent ransomware attack from succeeding. For this reason, many attackers put in a lot of effort to find and encrypt backups. The best backup will be air-gapped, meaning physically disconnected from your main network. It is also important to have a regular backup schedule with robust security procedures

  2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR). Mcafee, Fireeye, and Sentinel One are all examples of antivirus software with these features. 

  3. Install a Next-Gen Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features. 

If you can afford it, having staff or hiring a dedicated service to monitor network traffic can also help to detect unusual activity and prevent ransomware attacks. Ransomware attackers usually do a lot of surveillance on a network before attempting a hack. This “reconnaissance” phase has certain tell-tale signs. If you can catch these early, it’s possible to detect the attacker early and deny them access to the network. 

If you get hit by ransomware, a professional ransomware response service can help to identify and patch security gaps. 

Need fast help with GandCrab ransomware recovery? Contact us now and get instant help from ransomware experts

Ransomware Recovery Data