Bitdefender researchers release the fourth decryptor: all versions of now-retired GandCrab ransomware are decryptable
On 17 June, Bitdefender's lab, together with the FBI, Europol and other law enforcement bodies, released a new decryption tool that undoes the effects of GandCrab ransomware and lets victims recover their files for free. The latest tool allows users to decrypt files encrypted by GandCrab 5.0 through 5.2, as well as by older versions of the malware.
GandCrab was first released in January 2018 and became one of the most prolific and aggressive malware families, going through many versions over a year and a half. It not only devastated millions of users, locking up their personal photos, documents, videos and other files, but also went “big game hunting” by hitting high-profile organizations in large targeted attacks, most of which were carried out via Remote Desktop.
Luckily for security researchers and regular users, the GandCrab developers announced the closure of the malware strain, claiming $2 billion in total profits and $150 million in personal income, although many experts believe the numbers to be an exaggeration. Nevertheless, the crooks also said that they had successfully withdrawn the illegal money and invested it in legal businesses, claiming that “by doing evil deeds, retribution does not come.”
The law enforcement agencies managed to break into GandCrab's Command and Control servers
Since GandCrab was released in January 2018, an estimated 1.5 million Windows computers have been infected with this ransomware family. According to Europol, the decryptors released so far have spared more than 30,000 victims from paying the ransom, saving them approximately $50 million:
The decryption tool counters versions 1 and 4 and versions 5 to 5.2, which are the latest to be used by cybercriminals. Previous decryptors for the GandCrab ransomware have helped more than 30 000 victims recover their data and save roughly $50 million in unpaid ransoms. Most importantly, the joint efforts have weakened the operators’ position on the market and have led to the demise and shutdown of the operation by law enforcement.
As with the earlier decryptors, Bitdefender did not find a flaw in GandCrab's code or cryptography. Instead, law enforcement gained access to the criminals' Command and Control servers and took the decryption keys needed to help the victims; without those keys, the files would have remained unrecoverable.
The tool is available to download from Bitdefender and No More Ransom project
GandCrab operated an affiliate program (Ransomware-as-a-Service): the developers advertised their ransomware on underground forums and let partners infect victims using exploits, email spam and so on, keeping 60% of the profits and paying 40% to the malware authors. RaaS is usually run by large ransomware families, and GandCrab definitely fit that description: in mid-2018 the malware was responsible for 50% of all ransomware infections.
Nevertheless, the number of infected victims subsided over the past few months, and GandCrab appeared in the press much less than before. Then came the news many had been waiting for: GandCrab would shut down in the second half of June. The developers also urged victims to pay their ransoms quickly, as all the keys held on the remote server would be destroyed.
GandCrab affiliates can no longer access the malware, so any ransom paid now would be in vain: the crooks could not send a decryptor even if they wanted to. Fortunately, with the newest decryptor, victims can now sleep well at night. The decryption tool can be downloaded from the official Bitdefender website or from the No More Ransom project.
Even with the remedy available, however, users should remain cautious, as the absence of GandCrab leaves a gap in the market that new families will move to fill. So do not let your guard down: use reputable security software, keep your system updated, stay away from spam email attachments, and always back up your personal files to an external HDD or virtual server, kept disconnected when not in use so that a future infection cannot encrypt the backup as well.