Free Decrypter Available for the Latest GandCrab ransomware Versions
A newly released tool allows free recovery of files encrypted by some versions of GandCrab, a ransomware family that affected hundreds of thousands of people since the beginning of the year.
The free GandCrab decryption tool works with data encrypted by variants 1, 4 and 5 of the ransomware, recognizable by the extensions they use: GDCB, KRAB, and 10 random characters.
Keep the ransom note
Some utilities available online help users get rid of the ransom notes dumped in every folder during the encryption operation triggered during a ransomware attack. However, to run the GandCrab decryption tool successfully, at least one ransom note should be available on the computer. “The ransom-note is required to recover the decryption key,” read the instructions.
Full details on how to use the utility are available here.
Collaborative effort against worldwide infections
The decrypter comes from Romanian antivirus company Bitdefender, and is the result of the collaboration between several law enforcement organizations, including the Romanian Police and counterparts from other countries (Bulgaria, France, Hungary, Italy, Poland, the Netherlands, United Kingdom, and the United States) and the Europol.
In a blog post today, Bitdefender notes that they are working on a solution to decrypt data locked by GandCrab 2 and 3, which use the CRAB extension and ask users to be patient and not to pay the ransom. The ransom note typically asks victims between $600 and $6.000 in exchange for the decryption key.
A company spokesperson told BleepingComputer that newer variants 4 and 5 of the ransomware are responsible for most of the infections and that the decryption tool can help users with systems infected “even minutes ago.”
According to Bitdefender telemetry, over half a million users had their computers infected with GandCrab ransomware. “The most targeted countries based on all versions of GandCrab are: US, UK, China, India, Brazil, and Germany,” the company says.
Ransomware is actively fought by law enforcement agencies in Europe, who joined tech companies in a project called the No More Ransom. The objective is to help ransomware victims with tools and solutions capable to recover the encrypted data. More than 80 decryption tools are currently available.
Malware devs show sympathy
GandCrab enjoys distribution across the world due to the ransomware-as-a-service (RaaS) business model adopted by its developer. They provide a toolkit for cybercriminals to spread the malware to systems they have access to, in exchange for 30% of the payments they collect.
This ransomware family is active since January and its developers are quick at releasing updates with improved code that allows it to bypass security measures. It is now at its fifth version, but a new variant is likely to become available soon.
Despite the clear financial focus, GandCrab developers showed compassion for victims affected by the war in Syria. After a Syrian victim tweeted last that GandCrab took away the photos of his deceased children, the malware developers published the decryption keys for victims in that country.
Read the original article over at BleepingComputer.com.