Help me before I lose everything. I was hit by a nasty ransomware...

sram

[H]ard|Gawd
Joined
Jul 30, 2007
Messages
1,469
As I was browsing my folders today, I saw one strange file sitting somewhere in one of the folders and when I opened it, it was none other than a text file showing instructions on how to decrypt my files. I was hit by GandCrab 5.1. Fortunately, my NAS network drive which holds all valuable actual data isn't hit. I took it immediately offline and turned it off. Now I have to back it up before hooking it up again just in case. I have another NAS lying around. But I need to free my local drives and all my PCs in my local network from the infection. Fortunately for the 2nd time, I can see that there is a working decrypter tool from Bitdefender, so I will go try it with the files in my local drives. What I couldn't find is a dedicated removal tool for this GandCrab 5.1 ransomware.

What would be the best way to remove this? Probably boot into a live CD, scan and remove infections there like we used to do in the old days? Boot into safe mode and scan?

Maybe I need to disable system restore?

What about the registry? I think it needs to be scanned as well.

I want to absolutely get rid of this sh*t, and I will admit I'm not the best when it comes to this. This is the machine in my sig. Damn, I really hate ransomware, it is the worst.
 

DrLobotomy

Supreme [H]ardness
Joined
May 19, 2016
Messages
6,736
Yank the drive and stick it in a caddy on another PC and do a scan. See if there are any special tools made for that malware to remove the damage.

A lot of these ransomwares are bogus and just want to make you THINK you are screwed. Most can be removed EZPZ
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Either boot to a live CD with an OS of a different type than the infected drive (Linux vs Windows) or pull the drive and read it on a different PC (again with a different type of OS). A different OS decreases the chance that the payload file gets run successfully and encrypts your data. Once all the data is copied, nuke and reload.

Check your NAS with a live-CD-booted PC just in case.
 

sram

[H]ard|Gawd
Joined
Jul 30, 2007
Messages
1,469
Yank the drive and stick it in a caddy on another PC and do a scan. See if there are any special tools made for that malware to remove the damage.

A lot of these ransomwares are bogus and just want to make you THINK you are screwed. Most can be removed EZPZ

It is not bogus. It is actually the real thing. Some files in my local drives were encrypted. For some reason, it wasn't able to reach network shares, which helped me.

If the files are encrypted, and you want to attempt to recover them, the master key for whatever you were hit with might already be released. Do a search around the net once you determine what you got hit with. Two examples:
https://www.bleepingcomputer.com/ne...ster-decryption-keys-for-gandcrab-ransomware/

https://www.bleepingcomputer.com/ne...tion-key-released-for-fileslocker-ransomware/

I actually used the Bitdefender decrypter. It worked like a charm. You just select the folder where the encrypted files are, and it will just decrypt them automatically. Very neat.

https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/

The data is isolated. I still didn't nuke it. This will need some work! I'll be back in a few hours
 

sram

[H]ard|Gawd
Joined
Jul 30, 2007
Messages
1,469
The machine that got infected is my main machine you see in my sig. It is part of a LAN inside my little house. And as I explained before, actual data is in a NAS. The NAS didn't get infected as per my visual inspection, because I don't see the ransomware's ugly text file everywhere (it should show everywhere once a place is infected), and all my files are intact and perfectly readable. The NAS is disconnected and I can access it via a different machine and scan it in isolation to be sure.

But, regarding nuking from high orbit... it is a LAN with three machines always connected to it and sometimes 3 other laptops. If the infection is network intelligent, it wouldn't have a problem spreading through. So if I'm going to nuke things, I should do a fresh install of Windows on all machines in my LAN, and even if I do that, some network shares (I have some other external drives connected to my LAN) may still have it and it will spread again, so nuking will be in vain. That's why I'm reluctant on how to really proceed. Nuking everything will require me to redo everything and I don't have an image for every machine in my home. And again, how will that be any different if the infection can still get to my machines from external or network drives? Or is nuking the system drive (usually the C: drive letter) that different, and very important to get rid of residues? And is it much better than just disinfecting with an antivirus?

Of course I can't nuke the NAS and other network drives because they contain actual data. I can only scan them and that will take ages because I have about 25TB worth of data (What would be the best ways to minimize the time for scanning very large data drives?). I'm a little lost and reluctant!
 

Brian_B

2[H]4U
Joined
Mar 23, 2012
Messages
3,356
Sounds like you are learning some valuable life lessons.

There isn't an easy answer here.

Maybe your best bet is just to pray that it's a dumb virus and proceed as you have been.
 

grim4593

Limp Gawd
Joined
Nov 30, 2014
Messages
360
Generally I focus on the OS drives. Even if there was infected data, it would have to be executed in order to cause problems.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Even if the malware didn't encrypt the NAS, you should assume that the original executable file might have been backed up to the NAS. Would really suck to wonder what 'that file' is some months from now and recreate your malware problem.

Sometimes you can spend more time trying to find a way to cut task time than it will cost if you just pick the fastest other PC you have and start. For example, if you had started the NAS scan on Saturday, then you would already be two days into the scan.

If the other machines don't show any sign of malware after your scans, probably safe to figure they are free of infection.

Good time to make a backup of any really critical files like irreplaceable family pictures and versions of software that have since switched to a subscription model. A movie collection can usually be re-downloaded. Same for a game collection. PITA but doable. Those pictures taken of Uncle Foobar two weeks before he died, not so much. Especially if it turns out all your relatives were waiting for you to send them copies.
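The two concerns in this thread, a dropped executable hiding in the NAS backup and the cost of scanning 25TB, can be triaged with a cheap first pass before a full antivirus sweep. The script below is an added example, not code from any poster or from Bitdefender: it walks a share reading only two bytes of each file to spot Windows PE headers behind any file name, and hashes only small .txt/.html files to find one identical note repeated across many folders (the "shows everywhere" tell described above). The sample tree, the note name HOW-TO-DECRYPT.txt and the thresholds are constructed assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

NOTE_MAX_BYTES = 64 * 1024   # ransom notes are small; large media files are never read
MIN_DIRS_FOR_NOTE = 3        # an identical note dropped in many folders is the tell

def is_pe_executable(path):
    """True if the file begins with the Windows 'MZ' header, whatever its name says."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def triage_share(root):
    """Walk a share once, reading only 2 bytes of anything large. Returns
    (executables, notes): files carrying a PE header, and {sha256: [dirs]} for
    small .txt/.html files found identical in at least MIN_DIRS_FOR_NOTE folders."""
    executables, by_hash = [], defaultdict(set)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_pe_executable(path):
                executables.append(path)
            if name.lower().endswith((".txt", ".html")) and os.path.getsize(path) <= NOTE_MAX_BYTES:
                with open(path, "rb") as f:
                    by_hash[hashlib.sha256(f.read()).hexdigest()].add(dirpath)
    notes = {h: sorted(d) for h, d in by_hash.items() if len(d) >= MIN_DIRS_FOR_NOTE}
    return sorted(executables), notes

def build_sample_tree(base):
    """Constructed sample share: three photo folders, the same note in each, and a
    backed-up 'invoice.pdf' that is really a PE executable. The note name is made up."""
    for i in range(3):
        d = os.path.join(base, f"photos{i}")
        os.makedirs(d)
        with open(os.path.join(d, "IMG_001.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff" + b"\0" * 4096)          # JPEG-like, must be skipped
        with open(os.path.join(d, "HOW-TO-DECRYPT.txt"), "w") as f:
            f.write("your files are encrypted, pay to recover")
    with open(os.path.join(base, "photos0", "invoice.pdf"), "wb") as f:
        f.write(b"MZ" + b"\0" * 128)                          # PE header behind a .pdf name
    return base

def demo():
    """Build the constructed tree in a temp dir and triage it."""
    return triage_share(build_sample_tree(tempfile.mkdtemp()))
```

Anything it flags is a candidate for the full scan or for quarantine off the share, not proof of infection; a real PE in a software backup folder is expected, one named like a document is not.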
 

TordanGow

[H]ard|Gawd
Joined
May 25, 2015
Messages
1,500
GandCrab specific:
https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/

Update June 2019: Our collaboration with the Romanian Police, Europol and other law enforcement agencies has yielded another new decryptor for all GandCrab ransomware versions released, except for v2 and v3. If you need to decrypt versions 1, 4, 5.0.1 through 5.2, then download and run our new tool linked below.
 