Gandcrab2 Ransomware Removal (+.Crab File Recovery) June 2018 Update

The encrypted files may not be the only damage done to you. parasite may still be hiding on your PC. To determine whether you've been infected with ransomware, we recommend downloading SpyHunter.

Download SpyHunter Anti-Malware

More information on SpyHunter, steps to uninstallEULAThreat Assessment Criteria, and Privacy Policy.

How irritating is this problem? (2 votes, average: 5.00)

This page aims to help you remove Gandcrab2 Ransomware for free. Our instructions also cover how any Gandcrab2 file can be recovered.

New Ransomware versions keep terrorizing internet users!

Recently, the security headlines have been flooded with warnings about a new Ransomware infection called Gandcrab2. This file-encryption version uses a complex algorithm, which can turn any piece of data completely inaccessible. It secures the targeted files with a double sided key and may even convert its file extensions, to make it unrecognizable for the system. When this nasty encryption process is over, the victim is greeted with a shocking ransom message that prompts them to purchase a special Gandcrab2 decryption key. Once they have deprived you of the access to your data, the crooks, who have created this infection, basically offer to decrypt it for you if you pay the amount of money they request. The ransom is usually payable with Bitcoins and you will be given exact instructions on how to purchase and transfer them to the hackers’ account. Falling a victim to this nasty online blackmail scheme isn’t a nice experience at all. In fact, you will be literally threatened to lose all of your encrypted files if you don’t fulfill the ransom demands. However, if you really want to save your data and remove Gandcrab2, you should act smart and not comply with the hackers’ instructions right away. Let us tell you what alternatives you may have.

Where Gandcrab2 lurks and how it works?

Ransomware is an entire malware group, which brings together some of the most harmful online threats that the computer users may face. These malicious pieces of software are typically very advanced, and they use numerous delusive tricks to enter the victim’s system. Well-camouflaged transmitters such as Trojans, different software installation kits, files, ads, links, infected web pages, illegal platforms, spam messages and email attachments can come in handy when the criminals want to distribute infections like Gandcrab2. In most of the cases, one single click on such potential transmitters can lead to contamination and, unfortunately, there may be no symptoms at all. Once the Ransomware gets inside the system, it doesn’t lose time and immediately starts to scan the targeted machine for certain file types (usually the most valuable and the most frequently file formats) and encrypt them all. Then, it generates a clearly visible ransom message, which prompts the victim to complete certain payment steps, in order to obtain a special decryption key. The hackers may be very pushy and threatening or act as helpful in their attempts to make you pay as possible. They may even promise you some discounts if you pay within a certain time frame. However, you shouldn’t forget that you are dealing with cyber criminals and giving them your money is a direct sponsorship of their blackmailing scheme. Paying the ransom, unfortunately, as promising as it may sound, may not guarantee the complete recovery of your encrypted data and you should not take it as the only possible solution. In fact, you should know that there is a risk of never receiving a decryption key, because, once the hackers get the money, they may simply vanish. Alternatively, they may decide to double the ransom amount and keep increasing it for as long as you are willing to pay. So what should you do?

Gandcrab2 Ransomware Removal



Some of the steps will likely require you to exit the page. Bookmark it for later reference.

Reboot in Safe Mode (use this guide if you don’t know how to do it).



We get asked this a lot, so we are putting it here: Removing parasite manually may take hours and damage your system in the process. We recommend downloading SpyHunter to see if it can detect parasite files for you.

Press CTRL + SHIFT + ESC at the same time and go to the Processes Tab. Try to determine which processes are dangerous. 


Right click on each of them and select Open File Location. Then scan the files with our free online virus scanner:

Drag and Drop Files Here to Scan
Maximum file size: 128MB.

This scanner is free and will always remain free for our website's users. You can find its full-page version at: https://howtoremove.guide/online-virus-scanner/

Scan Results

Virus Scanner Result

After you open their folder, end the processes that are infected, then delete their folders. 

After you open their folder, end the processes that are infected, then delete their folders. 

Note: If you are sure something is part of the infection – delete it, even if the scanner doesn’t flag it. No anti-virus program can detect all infections.


Hold the Start Key and R –  copy + paste the following and click OK:

notepad %windir%/system32/Drivers/etc/hosts

A new file will open. If you are hacked, there will be a bunch of other IPs connected to you at the bottom. Look at the image below:

hosts_opt (1)

If there are suspicious IPs below “Localhost” – write to us in the comments.

Type msconfig in the search field and hit enter. A window will pop-up:


Go in Startup —> Uncheck entries that have “Unknown” as Manufacturer.

  • Please note that ransomware may even include a fake Manufacturer name to its process. Make sure you check out every process here is legitimate.


To remove parasite on your own, you may have to meddle with system files and registries. If you were to do this, you need to be extremely careful, because you may damage your system.

If you want to avoid the risk, we recommend downloading SpyHunter
a professional malware removal tool.

More information on SpyHunter, steps to uninstallEULAThreat Assessment Criteria, and Privacy Policy.

Type Regedit in the windows search field and press EnterOnce inside, press CTRL and F together and type the virus’s Name. 

Search for the ransomware  in your registries and delete the entries. Be extremely careful –  you can damage your system if you delete entries not related to the ransomware.

Type each of the following in the Windows Search Field:

  1. %AppData%
  2. %LocalAppData%
  3. %ProgramData%
  4. %WinDir%
  5. %Temp%

Delete everything in Temp. The rest just check out for anything recently added. Remember to leave us a comment if you run into any trouble!


How to Decrypt Gandcrab2 files

We have a comprehensive (and daily updated) guide on how to decrypt your files. Check it out here.

Having Gandcrab2 removed is what we suggest you do. In fact, this action is essential for the safety of your system as a whole. Having such a nasty malware on your PC can cause serious issues and security holes, which may lead to new virus contaminations. That’s why, how to eliminate the infection and not how to pay the ransom is what you should be primarily concerned with. The complete removal process of Gandcrab2 is described in details in the Removal Guide below but should you need some professional assistance, you can always use the help of the professional Gandcrab2 removal tool fro this page or contact a specialist of your choice. Remember, though, that once you delete the Ransomware, your encrypted files won’t get automatically restored. To get them back, you should best use file backup copies as this is the only 100% method of file recovery. Alternatively, the file-restoration steps, which we have included in the guide below may also be able to help you extract some of your data, in case that you don’t have backups. The best option, though, is to make sure that your information is kept safe somewhere on an external drive or a cloud storage before a Ransomware virus like Gandcrab2 has managed to hit you. Also, remember to protect your system with a reputable antivirus program and don’t skip the OS security updates as they are very important. They are essential for your system’s safety and the elimination of vulnerabilities, which a Ransomware can easily exploit.


Name Gandcrab2
Type Ransomware
Danger Level High (Ransomware is by far the worst threat you can encounter)
Symptoms Very few and unnoticeable ones before the ransom notification comes up.
Distribution Method From fake ads and fake system requests to spam emails and contagious web pages.
Data Recovery Tool Currently Unavailable
Detection Tool

If the guide doesn’t help, download the anti-virus program we recommended or try our free online virus scanner. Also, you can always ask us in the comments for help!

Leave a Comment