How to remove GandCrab v5.0.4 virus and restore encrypted files

In this article you learn some must-know information about ransomware, their classification, how to act in the case of their installation on your device and what measures must be taken to keep your tool away from them.

As for the classification, ransomware are different from each other by what encryption algorithm is used and how much the ransom is. But all the ransomware follow the same working pattern: encrypt a document, so that it is no longer possible to read and use, and then start to demand a ransom from a person to whom it belongs. If the victim of this virus attack considers his document important or he has never made a back-up, he has to pay a ransom for having his file decrypted. The fact that he gives cybercriminals a demanded sum of money in the exchange of his document means nothing, because they can go on blackmailing him or just they are unable to decrypt the document themselves because of a constantly developing virus.

GandCrab v5.0 ransomware virus

Speaking about this family of viruses, we should mention the most «outstanding» representatives in it. They are Gandcrab3 and Gandcrab V5.0.4. The latter one’s developed from Gandcrab3.

You may wonder where ransomware come from. Here are possible ways of the infection.

  • Firstly, they use an old but time-tested method: they are hiding inside different documents, which circulate via emails.
  • Secondly, they can get inside your device easily while installing wanted software.
  • Thirdly, while browsing the net, you can catch such «pests».

If you care about the well-being of your lovely device, you must follow the precaution rules, which are as easy as ABC:

You should be careful with different attachments, sent out vie emails.

Don’t forget about a regular backup of your files. In the case of their infection, you'll have their copies.

Removal instruction

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner


Antivirus scanner

Why we recommend Reimage Repair

Detects viruses fully: all files and even registry keys of malware will be found

Can fix system errors

Protects your computer in the future

24/7 free support team

Reimage's scanner is only for malware detection. If the program detects a virus on the computer, you will need to purchase Reimage Repair's full version to delete viruses. Uninstall steps and Refund policy, EULA, Privacy Policy.

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

GandCrab v5.0 decryption instruction

After you remove GandCrab v5.0 from the machine, and you're certain about it, you need to think about the decryption manners. First of all, we want to say that the very efficient method is to load the backup copies. In case you have the copies of the information and GandCrab v5.0 is entirely destroyed – just delete the encoded data and upload the backups. If there were no previously saved copies – the chances to get the files are significantly lower. The only manner to recover them is the Shadow Volume Copies. It’s the basic tool of Windows that saves all the modified or deleted data. They might be accessed with the help of custom restoration programs.

Unfortunately, all modern viruses can remove these copies, but if you're working from a profile without master privileges, the virus just had no ability perform that without the permission. You might recall that sometime before you saw a ransom note you've seen another dialogue window, asking to make alterations to your system. If you've declined those changes – the copies weren't erased, so they can be accessed through such programs as Recuva or ShadowExplorer. You may simply find them both in the Net. You might get them from the sites of their creators, with step-by-step guides. In case you require more information on this topic – feel free to look at our entry on file restoration: article about files decryption.

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.