In a post to an underground hacking and cybercrime forum, the GandCrab developers have released the decryption keys for Syrian victims.

The release of these decryption keys was in response to a Tweet where a Syrian victim asked for help after photos of his deceased children were encrypted.

After seeing this tweet, the GandCrab developers posted on a forum that they have released the keys for all Syrian victims. They also stated that it was a mistake that Syria was not added to the original list of countries that GandCrab would not encrypt, but did not say if they would be added going forward.

Forum Post

In the post is a link to a zip file that contains the released decryption keys for Syrian victims.  This zip file contains the readme.txt and SY_keys.txt files. 

The readme.txt file contains information on how the key file is organized and information on why the keys were released.  As the contents of this file are in Russian, I have included the translated version below.

id - ver - key

GandCrab for help SY people.

For antiviruses:
Decryptor to develop independently for each version.
We believe in the "power" of Bitdefender, since they all promise the decryptor constantly, and it is not yet ready, but now it is being developed and will soon be ready. Without keys, true. We would very much like the decryptor to be written by Kaspersky or Eset.
The most important thing is not to indicate that he will help everyone. He will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries.
We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.
Whose keys are not (only for citizens of Syria and the CIS, Ukraine including) - you need to come to us and take a picture of yourself with a passport and payment page. After that, we will issue a decryptor for free.
This is indicated just in case any clever people patch the file so that it works everywhere. Hi, Polish kurvy.
As for other countries - we will not share the keys, even if we are closed someday. We will remove them. It is necessary to resume the punitive process in respect of some countries.
Let me remind you that you can only decrypt using our keys that are stored on our server. We issue them only after payment. There are no other miracle ways.

With love from crabs, representatives of different countries, religions, beliefs and beliefs.

--- With the support of the forum (ex. Damagelab) ---

The SY_keys.txt file contains a list of 978 decryption keys for Syrian victims. These include keys for GandCrab versions 1.0.0r through 5.0, and each line contains the victim id, version, and decryption key.

Syrian Decryption Keys

For Syrian victims who are not on this list, the ransomware devs stated they will release their keys if they take a picture of themselves, their passport, and their payment page. Obviously, it should be a concern to send your passport to any unknown individual.

For victims in other countries, the developers continue to have no sympathy and have stated they will never release those keys and will delete them when they shut down GandCrab.

A big thanks to Damian1338 who alerted me to this release.

Bitdefender added keys for Syrian victims to their decryptor

Bitdefender has updated their GandCrab decryptor so that it now includes the keys for Syrian victims. If you are from Syria and have been infected by GandCrab, you should check if their decryptor works before paying any ransom or restoring from an older, and possibly outdated, backup.

Bitdefender Decryptor

To download the Bitdefender GandCrab decryptor, please use the link below.

Bitdefender GandCrab Decryptor Download

Once downloaded, run the program and have it scan your computer to determine if it can decrypt your files. If it is able to, it will let you know and prompt you to decrypt your drives.

According to Bitdefender, before you use the decryptor you should understand that it only works with the keys embedded in it, which in this case are the Syrian keys.

  • This tool is built around the decryption keys released by the GandCrab operators themselves. These keys are associated with Syrian victims, according to their release.
  • While this decryption tool allows Syrian victims to get their information back, there is no guarantee that all victims will be able to successfully decrypt their data. In some circumstances, residents of a country might be inadvertently identified as located somewhere else based on the exit node’s IP address.
  • This tool DOES NOT WORK for GandCrab victims located outside Syria. Of course, there is no harm in running the tool and attempting to decrypt, but we will not be able to provide technical support in case you are located outside Syria and decryption fails.

Not unheard of for ransomware devs to release keys

While it is not very common for ransomware developers to release keys for free, it is not unheard of either.

In May 2016, the reigning ransomware called TeslaCrypt began to shut down. When an ESET researcher noticed this, he reached out to the devs and asked if they would release the keys. To everyone's surprise, they released the master decryption key so that any remaining victims could decrypt their files for free.

TeslaCrypt Message on their C2 Server

Later that year, after the CrySiS Ransomware developers switched to a new version, they released the keys for an older one. These decryption keys were released through posts to the forums as shown below.

BleepingComputer Forum Post

Two more times that year, the CrySiS devs released their keys on BleepingComputer when they switched to new versions. Unfortunately, this practice has long since been discontinued, but we hope they continue to release more keys in the future.

Update 10/23/18: Bitdefender has added the keys that were released for Syrian victims to their decryptor. We have added a section explaining how to get this decryptor and use it.
