1. #1

    Ransomware Decryption Help / GandCrab v5.1

    Hi all.
    I have a ransomware attack/virus called “GandCrab v5.1”. I’m not familiar with terms either but I’ll try to explain.
    All my photos/pdf and vids ext. have been renamed with a random extra extension like xerxes.jpg.hdjalfrk (Extension name doesn’t matter for gandcrab as I learned). Photos are the most important ones for me there and they have no backup or older versions to repair... :’(
    After the removal of the malware, I tried to rename a pdf and a photo manually. Which is not a solution as you guess. It says the photo is either damaged, broken or corrupted etc when you try to view it.
    I booted windows to 1 week older version but It doesn’t help with photos as you know.
    I tried around 10 “free” decryption/recovery tools and they are not really free. They are showing you the photos that you can recover; but if you want to recover you need to buy a license.. every single one of them.. so they are not really “free”.

    Anyone knows how I repair those renamed/encrypted photos for free? Any recovery tool that can fix them for free really?
    If I really have to pay (I hope not) which one would you recommend for my issue? Stellaris, bitdefender, smt data recovery tool, easeus or anything else that can fix them for sure..
    Last edited by -Xerxes-; 2019-01-22 at 03:23 AM.

  2. #2
    If you have to pay, pay the people responsible for the ransomware, not 3rd party software. That's the most likely way to work. It's in their business model's best interest to keep their promises and decrypt your files.

  3. #3
    Bitdefender claim to offer a free decryption service for this specific attack, but it may not work on the newest versions. This page might help:

    https://www.bugsfighter.com/remove-g...pt-your-files/

    I don't know if that helps you, but in future I would advise regularly backing everything up to an external drive.



    Quote Originally Posted by mmoc9e6898c2ed View Post
    If you have to pay, pay the people responsible for the ransomware, not 3rd party software. That's the most likely way to work. It's in their business model's best interest to keep their promises and decrypt your files.
    I don't think anyone should listen to an account created specifically to tell you to pay the ransom...
    Last edited by Netherspark; 2019-01-22 at 03:57 AM.

  4. #4
    Quote Originally Posted by mmoc9e6898c2ed View Post
    If you have to pay, pay the people responsible for the ransomware, not 3rd party software. That's the most likely way to work. It's in their business model's best interest to keep their promises and decrypt your files.
    You just registered to say that? You look like you work for them.
    There is a ransom explanation text on every single folder. Which suggests you download a specific browser they made, the link they provided and follow their instructions there. How do you trust them to not get screwed more and more really?
    Paying them is not an option for me, sorry.

    Quote Originally Posted by Netherspark View Post
    I don't know how to help you, but in future I would advise regularly backing everything up to an external drive.




    I'm not sure how much anyone should listen to an account created specifically to tell you to pay the ransom...
    I’ll do that from now on for sure but I really need to repair those photos. Thanks

  5. #5
    Moderator chazus | 10+ Year Old Account | Join Date: Nov 2011 | Location: Las Vegas | Posts: 17,222
    NoMoreRansomware, where my company usually checks first to see if there are recovery options, lists that as one of the ones they've seen.

    The full fix (I haven't read it myself, just glanced) is here: https://www.nomoreransom.org/uploads...ION%20TOOL.pdf

    And the project download here: https://www.nomoreransom.org/en/decryption-tools.html

    Pretty much, if you can't decrypt it, you're screwed. You'll need a backup somewhere. You cannot 'repair' the files, or 'recover' them, or 'tweak or fix' them. Encrypting is a really brutal method of ransom. It pretty much has forwarded the idea that you NEED backups now. Not just for 'maybe my hard drive might fail'.
    Gaming: Dual Intel Pentium III Coppermine @ 1400mhz + Blue Orb | Asus CUV266-D | GeForce 2 Ti + ZF700-Cu | 1024mb Crucial PC-133 | Whistler Build 2267
    Media: Dual Intel Drake Xeon @ 600mhz | Intel Marlinspike MS440GX | Matrox G440 | 1024mb Crucial PC-133 @ 166mhz | Windows 2000 Pro

    IT'S ALWAYS BEEN WANKERSHIM | Did you mean: Fhqwhgads
    "Three days on a tree. Hardly enough time for a prelude. When it came to visiting agony, the Romans were hobbyists." -Mab

  6. #6
    I tried this one before too but it says it works till gandcrab v5.0.1 or smt. The tool made by bitdefender might do the trick but they have not decrypted "v5.1" yet. Looks like I need to wait for bitdefender to release a newer version

  7. #7
    Please wait Temp name | 10+ Year Old Account | Join Date: Mar 2012 | Location: Under construction | Posts: 14,631
    Yeah 5.1 just launched, give it a while.. Also, do not do what post #2 suggested under any circumstance. Paying them might help, or it might not, but one thing is certain, you'll lose money and they'll get some, ultimately meaning they can continue doing it.

  8. #8
    The Lightbringer Twoddle | 10+ Year Old Account | Join Date: Feb 2011 | Location: UK | Posts: 3,775
    Where did you get this "Ransomware"?

  9. #9
    Moderator chazus
    Quote Originally Posted by Twoddle View Post
    Where did you get this "Ransomware"?
    The most common one I see these days is businesses getting an "Invoice" from a known business they work with, and the ransomware is a PDF file named like "Invoice32564" and they just see the company name and click it and blam. It's pretty simple and just.. so many businesses have an army of tech inept people.

  10. #10
    Quote Originally Posted by Twoddle View Post
    Where did you get this "Ransomware"?
    Amp Emulator or smt, I was trying to crack Adobe Premiere. I used this exe before too and it was fine but this time I downloaded one which is infected by ransomware. I run that ampemulator.exe or whatever it’s called to crack and boom. Adobe should be happy at least

  11. #11
    Quote Originally Posted by -Xerxes- View Post
    Amp Emulator or smt, I was trying to crack Adobe Premiere. I used this exe before too and it was fine but this time I downloaded one which is infected by ransomware. I run that ampemulator.exe or whatever it’s called to crack and boom. Adobe should be happy at least
    So you got ransomware trying to pirate software lol... sorry not sorry. Stop stealing or face the risks. If you are going to steal software/music/movies I highly suggest backups and not doing it on your main PC, use an older one or a VM.
    Member: Dragon Flight Alpha Club, Member since 7/20/22

  12. #12
    The Lightbringer Twoddle
    At the very least upload unknown and unsigned .exes to virustotal beforehand and I would sometimes go so far as to run it in a virtual machine as well to test it out.

  13. #13
    You're pretty screwed.

    DO NOT PAY UNDER ANY CIRCUMSTANCES!

    As others have said, check NoMoreRansomware for your version, you may get lucky.

    And don't run random .exe files to "crack" software. Premiere Pro is not worth it, DaVinci Resolve basic version is free and honestly WAYYYYY better optimised than that shit show that is Premiere.
    Power corrupts, unlimited power... is even more fun!

  14. #14
    I didn’t know davinci had a free version. I’ll check it, thanks a lot!

    Quote Originally Posted by andrewjoy View Post
    You're pretty screwed.

    DO NOT PAY UNDER ANY CIRCUMSTANCES!

    As others have said, check NoMoreRansomware for your version, you may get lucky.

    And don't run random .exe files to "crack" software. Premiere Pro is not worth it, DaVinci Resolve basic version is free and honestly WAYYYYY better optimised than that shit show that is Premiere.
    Yes I won’t pay, just waiting for bitdefender to release a newer version to decrypt that v5.1

  15. #15
    First, create a backup of the encrypted files so you don't lose them. Then you can play with any free decryption tools you may like. Even if you are not successful, keep the backup since a decrypter may be created in the future.
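
    Added example (not code from any poster in this thread): one way to carry out the advice in post #15, assuming the encrypted files follow the naming pattern described in post #1, a known extension followed by an extra random one such as xerxes.jpg.hdjalfrk. The extension list, the suffix pattern and the manifest.json file name are assumptions chosen for illustration.

```python
import hashlib
import json
import re
import shutil
import sys
from pathlib import Path

# Assumption: file types worth preserving; extend for your own data.
KNOWN_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".mp4", ".mov", ".docx"}
# Assumption: the appended extension is 5-10 letters, like ".hdjalfrk" in post #1.
APPENDED = re.compile(r"^\.[A-Za-z]{5,10}$")

def looks_encrypted(path: Path) -> bool:
    """True for names like xerxes.jpg.hdjalfrk (known type + extra suffix)."""
    s = path.suffixes
    return len(s) >= 2 and s[-2].lower() in KNOWN_EXTS and bool(APPENDED.match(s[-1]))

def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(src_root: Path, dst_root: Path) -> dict:
    """Copy encrypted-looking files to dst_root, verify each copy, write a manifest."""
    src_root, dst_root = src_root.resolve(), dst_root.resolve()
    if dst_root == src_root or src_root in dst_root.parents:
        raise ValueError("backup destination must be outside the scanned folder")
    dst_root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(src_root.rglob("*")):
        if not (p.is_file() and looks_encrypted(p)):
            continue
        rel = p.relative_to(src_root)
        dst = dst_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, dst)  # copy only; the originals are never modified
        digest = sha256(p)
        if sha256(dst) != digest:
            raise OSError(f"copy of {rel} does not match the source")
        manifest[rel.as_posix()] = digest
    (dst_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

if __name__ == "__main__":
    # Usage: python preserve.py <folder-with-encrypted-files> <backup-folder>
    done = preserve(Path(sys.argv[1]), Path(sys.argv[2]))
    print(f"preserved {len(done)} encrypted files")
```

    Run decryption tools against the originals or a second copy, and keep the verified backup untouched; the manifest lets you confirm later that the preserved ciphertext has not changed.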

  16. #16
    Quote Originally Posted by chazus View Post
    The most common one I see these days is businesses getting an "Invoice" from a known business they work with, and the ransomware is a PDF file named like "Invoice32564" and they just see the company name and click it and blam. It's pretty simple and just.. so many businesses have an army of tech inept people.
    This would get us 95% of the time. We do business with hundreds of vendors and PDFs are the most popular format for sending an invoice.

  17. #17
    Moderator chazus
    It looks like Gandcrab 5.1 was decrypted, I noticed on my repair forum today

    https://labs.bitdefender.com/2019/02...d=aff%7Cc%7CIR
    @-Xerxes-

  18. #18
    Yes it was and it worked 100% for me thanks for reminding

  19. #19
    Quote Originally Posted by cuafpr View Post
    so you got ransomware trying to pirate software lol... sorry not sorry. Stop stealing or face the risks. If you are going to steal software/music/movies i highly suggest backups and not doing it on your main PC, use an older one or a VM.
    This! On top of the guy opening a seemingly PDF file with an EXE extension. And not willing to pay. Justice climax for me here.

  20. #20
    Quote Originally Posted by Twoddle View Post
    At the very least upload unknown and unsigned .exes to virustotal beforehand and I would sometimes go so far as to run it in a virtual machine as well to test it out.
    This.

    IF you're going to be doing shady crap, then do it in a VM. And have a clean backup copy of that VM's .chd file so you can just dump it if it gets infected and start over.
