Several versions of the infamous GandCrab ransomware can now be decrypted
Romanian cybersecurity firm Bitdefender has released a new decryption tool for GandCrab ransomware versions 1, 4, and 5. The researchers worked with the Romanian police, together with law enforcement agencies from the United States, the United Kingdom, Hungary, Poland, Bulgaria, France, Italy, and the Netherlands. The No More Ransom project was created to help fight ransomware by producing free decryption tools for victims worldwide.
GandCrab ransomware is one of the most aggressive forms of malware that has been plaguing regular users and corporations, including governmental institutions, since its release in January 2018. During the year, the bad actors released multiple upgrades to the malware, each more sophisticated than the last. The latest variant, GandCrab 5, used a combination of random characters to encrypt data on the targeted computer. To date, the threat has infected almost half a million victims worldwide.
GandCrab operates on a ransomware-as-a-service model, allowing even those with minimal hacking skills to use the tool to extort money in exchange for a 30% cut of the ransom payments. This is why the malware has become prevalent around the globe.
According to Europol, it is the “latest victory of law enforcement in the battle against ransomware.” The agency added:
It is the most comprehensive decryption tool available to date for this particular ransomware family: it works for all but two existing versions of the malware (v.1, 4 and 5), regardless of the victim’s geographical location.
Help for the Syrian victims
Since its first version, GandCrab has used an exemption list based on the keyboard layouts of certain countries (Russia, Ukraine, Belarus, Armenia, etc.). If the malware detects that the victim's system uses one of these layouts, it does not execute its payload.
Syria is suffering from a horrible war, and many people are struggling to cope. However, the cybercriminals did not include Syria in the list of exemptions, later admitting that this was a mistake. GandCrab's authors therefore released a statement on underground forums announcing that Syrian victims can download the decryptor for free, although they also stated that this is a one-off occurrence and will not be repeated in the future.
Nevertheless, earlier this week ESET released a decryptor that works for 979 Syrian victims and does so securely.
Researchers won the fight against GandCrab, but not the war
Bitdefender reported in its blog post that it is actively working on decryption for versions 2 and 3, which use the .CRAB file extension to lock data. Therefore, those whose files are encrypted by these versions of the malware should not pay the ransom (which can vary between $600 and $6,000) and should wait until the No More Ransom project releases a decryptor.
Experts managed to create the decryptor with the help of a cryptographic flaw in the encryption procedure. Such implementation flaws are what have allowed law enforcement and cybersecurity researchers to release decryptors for many different infections, such as Thanatos ransomware.
Nevertheless, users should still be extremely vigilant when it comes to cybersecurity. Ransomware is one of the most dangerous types of infection, having wreaked havoc all over the world since WannaCry was released. It can be especially devastating to corporations and businesses, costing millions in recovery procedures.
Those affected by GandCrab v1, v4 or v5 (.GDCB and .KRAB extensions) can download the decryptor from the official Bitdefender website or the No More Ransom site.