GandCrab ransomware

Recommended Posts

So today I just got the ransomware because I wasn't paying attention to what it said to install so just pressed run. All my files got encrypted in .gdcb format, tried several malware tools to decrypt them and nothing. And yes, I was so "smart" to reinstall my windows and format the windows partition to get rid of the ransomware, and just now read that I've done a big mistake.  So if anyone has any idea how to decrypt the file please help me out. Oh and yes I looked to restore my windows but all restoring points got deleted when I installed the ransomware.

The ransomware note says the following:

---= GANDCRAB =---

All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB
The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
1. Download Tor browser -
2. Install Tor browser
3. Open Tor Browser
4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/aa88f7d8b620120b                        
5. Follow the instructions on this page

If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

If you have difficulties with TOR or you have any problems, please use this online messenger : (PC version -
It is absolutely free and anonymous service.

Register, generate address, and write to our address : BM-2cXeGxpYz3MuccD4v8Szw4zwc8HyE25qK4 , in the subject please write your ID - *************          
We will answer in a short time.

Do not try to modify files or use your own private key - this will result in the loss of your data forever! 

Thanks in addition to any help !!

Edited by GT500
Put the contents of the ransom note in a CODE box to ensure no one clicked on the links, and censored ID.

Share this post

Link to post
Share on other sites

There is more information about this ransomware at the following link:

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:

Share this post

Link to post
Share on other sites

I recommend keeping an eye on the newsfeed, as they usually report on the release of new decryption tools for ransomware, and they give a weekly report of all new ransomware and decryption tools.

Share this post

Link to post
Share on other sites

It looks like Romanian law enforcement and BitDefender have been working together to track the criminals who made/distributed this ransomware, and BitDefender has released a decryption tool for it. There's more information at the following link:

  • Like 1

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.