.GDCB, .CRAB, .KRAB, or .RANDOM_CHARACTERS
.txt or .html file: "Attention! All your files documents, photos, databases and other important files are encrypted and have the extension..."
Win32/Filecoder.GandCrab is a trojan that encrypts files on local drives. Users are told that, to decrypt their files, they have to download and install the Tor browser (commonly used to access the Dark Web), send information, and make a payment using the Bitcoin or Dash payment service.
1. Download the ESET GandCrab decryptor tool and save the file to your desktop.
2. Click Start → All Programs → Accessories, right-click Command prompt and select Run as administrator from the context menu.
   Windows 8 / 8.1 / 10 users: press the Windows key + Q on your keyboard to search for applications, type Command prompt into the Search field, right-click Command prompt and then select Run as administrator from the context menu.
3. Type the command cd %userprofile%\Desktop (do not replace "userprofile" with your username; type the command exactly as shown) and press the Enter key on your keyboard.
4. Type the command ESETGandCrabDecryptor.exe and press the Enter key on your keyboard.
5. Read and agree to the end-user license agreement.
6. Type ESETGandCrabDecryptor.exe C: and press the Enter key on your keyboard to scan the C drive. To scan a different drive, replace C: with the applicable drive letter.

In most cases, running the ESET GandCrab decryptor tool as shown in step 6 is the best choice. However, if you are familiar with command line switches, the following switches are available for use with the GandCrabDecryptor tool:

7. The ESET GandCrab decryptor tool will run and the "Looking for infected files..." message will be displayed. If an infection is discovered, follow the prompts from the ESET GandCrab decryptor tool to clean your system.
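An inventory taken before and after running the decryptor shows which drives need scanning and whether any encrypted files remain. The Python script below is an added example, not part of the ESET tool. It counts files with the fixed extensions named on this page and finds ransom notes by the quoted wording, which also locates folders hit by the random-extension variant. The function names, the 4 KB read limit and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

# Fixed extensions and ransom-note wording as quoted on this page.
# The .RANDOM_CHARACTERS variant cannot be matched by extension, so
# affected folders are located through the ransom note instead.
KNOWN_EXTS = {".gdcb", ".crab", ".krab"}
NOTE_EXTS = {".txt", ".html"}
NOTE_MARKER = "important files are encrypted and have the extension"

def is_note(path, limit=4096):
    """True if the start of the file contains the ransom-note wording."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(limit)
    except OSError:
        return False  # unreadable or locked file: skip it, do not abort the scan
    # Assumption: dropping NUL bytes lets the same check match UTF-16 text.
    text = data.replace(b"\x00", b"").decode("utf-8", errors="ignore")
    return NOTE_MARKER in text.lower()

def inventory(root):
    """Return (Counter of encrypted files per extension, ransom-note paths)."""
    encrypted, notes = Counter(), []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            path = os.path.join(dirpath, name)
            if ext in KNOWN_EXTS:
                encrypted[ext] += 1
            elif ext in NOTE_EXTS and is_note(path):
                notes.append(path)
    return encrypted, notes

def demo():
    """Inventory a constructed sample tree (file names are made up)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.docx.KRAB", "photo.jpg.CRAB", "budget.xlsx.KRAB", "clean.txt"):
            with open(os.path.join(docs, name), "w") as fh:
                fh.write("constructed sample\n")
        with open(os.path.join(docs, "note.html"), "w") as fh:
            fh.write("<p>Attention! All your files documents, photos, databases and "
                     "other important files are encrypted and have the extension...</p>")
        counts, notes = inventory(root)
        return dict(counts), [os.path.basename(p) for p in notes]

if __name__ == "__main__":
    print(demo())
```

To check a real drive, call inventory("C:\\") from an elevated prompt and compare the counts before and after the decryptor run.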