• Your ESET product detected a Win32/Filecoder.GandCrab infection
  • Decrypt specific variants of your files using the ESETGandCrabDecryptor.exe tool (Currently only 979 released keys for Syrian victims are supported)
  • Your personal files have become encrypted
  • Your files have been renamed with one of the following extensions: .GDCB, .CRAB, .KRAB, or .RANDOM_CHARACTERS
  • You receive the following messages your computer’s desktop background, or in a .txt or .html file:

    – “Attention! All your files documents, photos, databases and other important files are encrypted and have the extension…”

Figure 1-1

Click +Details for more information and additional images associated with this ransomware


Win32/Filecoder.GandCrab is a trojan that encrypts files on local drives. Users are told they have to download and install the Tor browser (commonly used for Dark Web), send information and make a payment using the Bitcoin or Dash payment service in order to decrypt their files.

Image gallery




  1. Download the ESET GandCrab decryptor tool and save the file to your desktop.


  2. Click Start → All Programs → Accessories, right-click Command prompt and then select Run as administrator from the context menu.
    • Windows 8 / 8.1 / 10 users: press the Windows key + to search for applications, type Command prompt into the Search field, right-click Command prompt and then select Run as administrator from the context menu.
  3. Type the command cd %userprofile%\Desktop (do not replace “userprofile” with your username–type the command exactly as shown) and then press Enter.
  4. Type the command ESETGandCrabDecryptor.exe and press Enter.
  5. Read and agree to the end-user license agreement.
  6. Type ESETGandCrabDecryptor.exe C: and press Enter to scan the C drive. To scan a different drive replace C: with the applicable drive letter.

GandCrabDecryptor Switches

In most cases, running the ESET GandCrab decryptor tool as shown in step 6 is the best choice. However, if you are familiar with command line switches, the following switches are available for use with the GandCrabDecryptor tool:

  • /s— run the tool in silent mode
  • /f— run the tool in forced mode
  • /d— run the tool in debug mode
  • /n— run the tool and only list files for cleaning
  • /h or /? — show usage
  1. The ESET GandCrab decryptor tool will run and the “Looking for infected files…” message will be displayed. If an infection is discovered, follow the prompts from the ESET GandCrab decryptor tool to clean your system.

Figure 1-2

Need Assistance in North America?

If you are a North American ESET customer and need assistance, visit helpus.eset.com to chat with a live technician, view product documentation or schedule a consultation with an ESET Home Advisor.

How useful was this post?

Click on a star to rate it!

Average rating / 5. Vote count:

No votes so far! Be the first to rate this post.

(Visited 6 times, 1 visits today)
Discover More help  [KB3287] ESET Secure Authentication FAQ