Syrian citizens receive free decryption keys from GandCrab developers
All of a sudden, the developers of GandCrab ransomware released decryption keys for Syrian citizens on an underground forum. Expressing regret for not including Syria in the exception list from the beginning, they also posted a statement that no other keys will be revealed in the future.
The cybercriminals admit that this display of compassion was prompted by a tweet from a Syrian father who lost his sons in the war and asked to recover their photos. Jameel, a man who lost his children in the Syrian war, stated in a series of tweets:
All I have left of my children is the photos and videos I took of them before they were mercilessly killed. And now GandCrab V5.0.3 has locked all of them.
They want 600 dollars to give me back my children, that's what they've done, they've taken my boys away from me for some filthy money. How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?
The unexpected move does not involve victims from other countries
The GandCrab owners responded that all Syrian victims will get their decryption keys and that, if there are still victims who haven't received theirs, it is a matter of time until they get them.
However, hackers are asking their victims to provide the following information for identification:
- The image of the victim;
- Payment page.
Keep in mind that showing your passport or identification document, as the hackers suggest, can expose you to more severe damage or privacy issues, so you should do that with extreme caution.
GandCrab message for Syrian people states:
We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.
Whose keys are not (only for citizens of Syria and the CIS, Ukraine including) – you need to come to us and take a picture of yourself with a passport and payment page. After that, we will issue a decryptor for free.
The virus developers have a message for victims in other countries too: no other keys are going to be released in the future. The only solution for remaining victims is to pay the demanded ransom and decrypt files by using the hackers' decryption tools. However, we do not recommend paying the ransom because the people behind this threat are not trustworthy.
Decryption works for almost all GandCrab variants
Inside the forum post, the virus developers placed a link to an archive that contains the decryption keys. The .zip file includes readme.txt and SY_keys.txt files.
The first document is written in Russian and states how the keys are organized in the file and why they were released in the first place. The SY_keys.txt file contains a list of around 1000 decryption keys. Each line has a victim's unique ID and decryption key. According to various analysts, these decryption keys work for GandCrab ransomware variants from 1.0.0 to 5.0.
Legitimate decryption tools for this cyber intruder and its latest versions haven't been released yet, so you must be careful if you decide to deal with cyber criminals. The ransomware remains one of the most dangerous threats in the cybersecurity world, running neck and neck with cryptominers.