This page aims to help you remove GandCrab 5.2 Ransomware for free. Our instructions also cover how any GandCrab 5.2 file can be recovered.
Dealing with a virus such as GandCrab 5.2 Ransomware can be a very challenging and frustrating experience. This piece of software is a new addition to the Ransomware family and it targets your personal files and secretly encrypts them in order to extort money from you later. If you have come to our page precisely because you have been infected with this terrible malware and a scary ransom message has been demanding that you pay a certain amount to a given cryptocurrency wallet, then below you will find instructions that have been carefully prepared by our “How to remove” team, which will show you how to find and remove the nasty virus from your system. In addition to that, we will provide you with some alternative steps for recovering the encrypted files without paying a ransom to anyone. That’s why our suggestion is to stay with us till the end and read the next lines. Please keep in mind, however, that the Ransomware cryptoviruses like GandCrab 5.2 are the hardest type of Ransomware to fight. Their consequences can often turn out to be irreversible and this means that nothing can guarantee the complete recovery from their attack.
Having infiltrated into your system once, the Ransomware program first scans it for the types of files it is interested in. Usually, these are documents and all sorts of images, audios or videos, as well as archives, databases and any other file type that may be important. Then the virus creates a list of targeted files that it starts encrypting one by one. This immediately makes them unusable since none of the software on your PC will be able to read the encryption code and the newly applied file extensions added by the virus. The purpose of these actions is simple – to prevent the users from using their personal data and to demand a ransom in exchange for th decryption of the files.
The amount of the ransom may vary from several hundreds to several thousands of dollars, depending on whether the victim is a regular computer user or a representative of a large organization, institution or an enterprise. Most often, the money is required in bitcoins or another cyber-currency, which are currencies that are quite difficult for the authorities to trace. It is mainly due to this that the cyber criminals behind the Ransomware so successfully extort huge sums of money from their victims and are not afraid of persecution. Paying them, however, not only sponsors their criminal scheme but is also very risky and may not help you save your encrypted files. After all, the hackers behind a threat like GandCrab 5.2 Ransomware don’t really care if you can ever use your precious files again or not. So it is not impossible that the criminals simply take whatever money you send them without actually keeping their end of the “deal”. And even if they send a decryption key to you, there is always the possibility that the key will not work. You see, in the programming world, things are quite complex, so any mistake in the decrypting process can significantly affect the final result and lead to an unsuccessful decryption or even to corruption of the files. If you manage to safely remove the Ransomware, however, you may have a chance to save some of your data through external backups or with the help of the file-recovery suggestions in the removal guide above.
|Danger Level||High (GandCrab 5.2 Ransomware encrypts all types of files)|
|Symptoms||GandCrab 5.2 Ransomware is hard to detect and aside from increased use of RAM and CPU, there would barely be any other visible red flags.|
|Distribution Method||Most of the time, Trojans get distributed through spam e-mails and social network messages, malicious ads, shady and pirated downloads, questionable torrents and other similar methods.|
Remove GandCrab 5.2 Ransomware
Note: Before you go any further, we advise you to bookmark this page or have it open on a separate device such as your smartphone or another PC. Some of the steps might require you to exit your browser on this PC.
2: Task Manager
Press Ctrl + Shift + Esc to enter the Task Manager. Go to the Tab labeled Processes (Details for Win 8/10). Carefully look through the list of processes that are currently active on you PC.
If any of them seems shady, consumes too much RAM/CPU or has some strange description or no description at all, right-click on it, select Open File Location and delete everything there.
Also, even if you do not delete the files, be sure to stop the process by right-clicking on it and selecting End Process.
3: The Hosts file
Go to c:\windows\system32\drivers\etc\hosts. Open the hosts file with notepad.
Find where it says Localhost and take a look below that.
If you see any IP addresses there (below Localhost) send them to us here, in the comments since they might be coming from the virus.
To remove parasite on your own, you may have to meddle with system files and registries. If you were to do this, you need to be extremely careful, because you may damage your system.
If you want to avoid the risk, we recommend downloading SpyHunter - a professional malware removal tool - to see whether it will find malicious programs on your PC.
4: Disable Startup programs
Re-open the Start Menu and type msconfig.
Click on the first search result. In the next window, go to the Startup tab. If you are on Win 10, it will send you to the Startup part of the task manager instead, as in the picture:
If you see any sketchy/shady looking entries in the list with an unknown manufacturer or a manufacturer name that looks suspicious , disable those programs and select OK.
5: Registry Editor
Press Windows key + R and in the resulting window type regedit.
Now, press Ctrl + F and type the name of the virus.
Delete everything that gets found. If you are not sure about whether to delete something, do not hesitate to ask us in the comments. Keep in mind that if you delete the wrong thing, you might cause all sorts of issues to your PC.
6: Deleting potentially malicious data
Type each of the following locations in the Windows search box and hit enter to open the locations:
Delete everything you see in Temp linked to GandCrab 5.2 Ransomware. About the other folders, sort their contents by date and delete only the most recent entries. As always, if you are not sure about something, write to us in the comment section.
The previous steps were all aimed at removing the GandCrab 5.2 Ransomware from your PC. However, in order to regain access to your files, you will also need to decrypt them or restore them. For that, we have a separate article with detailed instructions on what you have to do in order to unlock your data. Here is a link to that guide.
Daniel Sadakov has a degree in Information Technology and specializes in web and mobile cyber security. He harbors a strong detestation for anything and everything malicious and has committed his resources and time to battling all manners of web and mobile threats. He has founded MobileSecurityZone.com, a website dedicated to covering the top tech stories and providing useful tips for the everyday user, in an effort to reach and help more people.