A newly released decryptor allows for the free recovery of files encrypted by some versions of GandCrab, a ransomware family that has affected hundreds of thousands of people since the beginning of the year.
The free GandCrab decryption tool will decrypt files encrypted by versions 1, 4 and 5 of the ransomware. These versions are recognizable by the extensions they append to encrypted files: .GDCB (version 1), .KRAB (version 4), and a random extension of varying length (version 5, for example .rnsgl). Instructions on using the decryptor are available later in the article.
This new decryptor comes from Romanian antivirus company Bitdefender, and is the result of a collaboration between several law enforcement organizations, including the Romanian Police, counterparts from Bulgaria, France, Hungary, Italy, Poland, the Netherlands, the United Kingdom and the United States, and Europol.
In a blog post today, Bitdefender notes that it is working on a solution to decrypt data locked by GandCrab 2 and 3, which use the .CRAB extension, and asks users to be patient and not to pay the ransom. The ransom note typically demands between $600 and $6,000 in exchange for the decryption key.
A company spokesperson told BleepingComputer that newer variants 4 and 5 of the ransomware are responsible for most of the infections and that the decryption tool can help users with systems infected "even minutes ago."
According to Bitdefender telemetry, GandCrab has infected the computers of over half a million users worldwide.
"The most targeted countries based on all versions of GandCrab are: US, UK, China, India, Brazil, and Germany," the company says.
A source close to the investigation has also told BleepingComputer that this decryptor was not made possible by a takeover of the ransomware's command and control servers. It therefore most likely relies on a flaw in the ransomware's encryption process.
Ransomware is actively fought by law enforcement agencies in Europe, who have joined tech companies in a project called No More Ransom. The objective is to help ransomware victims with tools and solutions capable of recovering encrypted data. More than 80 decryption tools are currently available.
To use the new GandCrab ransomware decryptor, you need to make sure a copy of the ransom note is still available on the system, as it contains a key that will be used to decrypt your files. Do not delete the ransom notes while cleaning up the infection until decryption has completed.
Once you confirm that you have an available ransom note on the computer, you should download the decryptor using the following link.
Once downloaded, start the decryptor and accept the license agreement. You will then be shown the main decryptor screen. At this screen, put a checkmark in "Scan entire system", as shown below, and then click on the "Scan" button.
The decryptor will now begin to scan for a decryption key and decrypt any files encrypted by GandCrab that it can find.
When finished, the decryptor will indicate if it had any problems decrypting files. As you can see from the image below, the decryptor stated "Some files could not be decrypted".
To determine what files were not decrypted, you can view the log files located at %Temp%\BDRemovalTool\BDRansomDecryptor\BDRansomDecryptor1600.log. The log file name may be slightly different per computer. This log file will list all files that it could not decrypt.
Full details on how to use the utility are available here.
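Before running the decryptor it helps to know which GandCrab version hit the machine, whether that version is one the tool supports, and whether a ransom note survived cleanup. The script below is an added triage example written for this article; it is not Bitdefender's code and is not part of the decryptor. It maps the extensions named above to versions, takes the random version 5 extension as an operator-supplied parameter because it cannot be known in advance, and assumes (this is not stated in the article) that the ransom note is dropped as `<EXT>-DECRYPT.txt` or `<EXT>-DECRYPT.html` next to the encrypted files. The sample directory it builds is constructed for the demonstration.

```python
"""Triage a directory tree for GandCrab-encrypted files before running the decryptor."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension -> (GandCrab version, supported by the free decryptor), as described in the article.
# GandCrab 5 appends a random extension, so it cannot be listed here; the operator passes the
# extension seen on a renamed file (e.g. ".rnsgl") as `v5_ext`.
KNOWN_EXTENSIONS = {
    ".gdcb": ("1", True),
    ".crab": ("2/3", False),   # versions 2 and 3: decryptor not yet available
    ".krab": ("4", True),
}

# Assumption (not stated in the article): the ransom note is named "<EXT>-DECRYPT.txt"
# or "<EXT>-DECRYPT.html" and sits alongside encrypted files.
RANSOM_NOTE_SUFFIXES = ("-decrypt.txt", "-decrypt.html")


def classify(path: Path, v5_ext=None):
    """Return (version, supported) for a GandCrab-encrypted file, or None if it is not one."""
    ext = path.suffix.lower()
    if v5_ext and ext == v5_ext.lower():
        return ("5", True)
    return KNOWN_EXTENSIONS.get(ext)


def triage(root, v5_ext=None):
    """Walk `root` and summarise what the decryptor can and cannot handle."""
    counts = Counter()
    unsupported = []
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Ransom notes are kept: the decryptor needs them and they are not encrypted files.
            if name.lower().endswith(RANSOM_NOTE_SUFFIXES):
                notes.append(str(p))
                continue
            hit = classify(p, v5_ext)
            if hit is None:
                continue
            version, supported = hit
            counts[version] += 1
            if not supported:
                unsupported.append(str(p))
    supported_total = sum(n for v, n in counts.items() if KNOWN_EXTENSIONS.get("." + v, (v, True))[1]
                          and v != "2/3")
    return {
        "by_version": dict(counts),
        "unsupported_files": unsupported,
        "ransom_notes": notes,
        # The tool needs a ransom note (it carries the key) and at least one file it supports.
        "ready_to_decrypt": bool(notes) and supported_total > 0,
    }


def build_sample_tree():
    """Constructed sample: a fake victim directory layout, not real malware output."""
    root = Path(tempfile.mkdtemp(prefix="gandcrab-triage-"))
    for rel in ("Documents/report.docx.KRAB", "Documents/budget.xlsx.KRAB",
                "Pictures/kids.jpg.rnsgl", "Archive/old.pdf.CRAB"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\x00" * 16)
    (root / "Documents" / "KRAB-DECRYPT.txt").write_text("constructed ransom note")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print(triage(sample, v5_ext=".rnsgl"))
```

Run it against the root of the affected volume (or a mounted image of it) and supply the version 5 extension only after confirming it on a renamed file; anything reported under "2/3" will stay encrypted until Bitdefender ships support for those versions, and an empty `ransom_notes` list means the decryptor has nothing to extract the key from.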
GandCrab is distributed worldwide thanks to the ransomware-as-a-service (RaaS) business model adopted by its developers. They provide affiliates with a toolkit for spreading the malware to systems the affiliates have access to, in exchange for 30% of the ransom payments those affiliates collect.
This ransomware family has been active since January and its developers are quick to release updates with improved code that lets it bypass security measures. It is now at its fifth version, and a new variant is likely to appear soon.
Despite their clear financial focus, GandCrab's developers showed compassion for victims affected by the war in Syria. After a Syrian victim tweeted that GandCrab had taken away the photos of his deceased children, the malware developers published the decryption keys for victims in that country.