Experts released a free Decryption Tool for GandCrab ransomware

Pierluigi Paganini October 25, 2018

Good news for the victims of the infamous GandCrab ransomware, security experts have created a decryption tool that allows them to decrypts files without paying the ransom.

Bitdefender security firm along with Europol, the FBI, Romanian Police, and other law enforcement agencies has developed a free ransomware decryption tool.

“The good news is that now you can have your data back without paying a cent to the cyber-criminals, as Bitdefender has released a free utility that automates the data decryption process.” reads the blog post published by Bitdefender.

“This tool recovers files encrypted by GandCrab ransomware versions 1, 4 and 5.”

Victims can determine this ransomware version by analyzing the extension appended to the encrypted files and/or ransom-note. In the following table are reported the information for the various versions of the popular ransomware.

Version 1: file extension is .GDCB. The ransom note starts with —= GANDCRAB =—, ……………. the extension: .GDCB
Version 2: file extension is .GDCB. The ransom note starts with —= GANDCRAB =—, ……………. the extension: .GDCB
Version 3: file extension is .CRAB. The ransom note starts with —= GANDCRAB V3 =— ……….. the extension: .CRAB
Version 4: file extension is .KRAB. The ransom note starts with —= GANDCRAB V4 =— ……….. the extension: .KRAB
Version 5: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0 =— ………. the extension: .UKCZA
Version 5.0.1: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0.2 =— …. the extension: .YIAQDG
Version 5.0.2: file extension is .([A-Z]+). The ransom note starts with—= GANDCRAB V5.0.2 =— …. the extension: .CQXGPMKNR
Version 5.0.3: file extension is .([A-Z]+). The ransom note starts with—= GANDCRAB V5.0.2 =— …. the extension: .HHFEHIOL

“Developed in close partnership with Europol and the Romanian Police, and with support from the FBI and other law enforcement agencies, the tool lets victims around the world retrieve their encrypted information without paying tens of millions of dollars in ransom to hackers.” reads the statement published by the Bitdefender.

“The new tool can now decrypt data ransomed by versions 1, 4 and 5 of the GandCrab malware, as well as all versions of the ransomware for a limited set of victims in Syria.”

GandCrab was first spotted earlier this year by cyber security firm LMNTRIX that discovered an advertisement in Russian hacking community on the dark web.

GandCrab decryption tool

GandCrab is offered as a ransomware-as-a-service, where crooks offer the malware to criminals for a share of the ultimate profits.

This ransomware spreads via multiple attack vectors, including spam email, exploit kits and malware campaigns.

Victims of the ransomware can download it from the following link:

https://labs.bitdefender.com/wp-content/uploads/downloads/gandcrab-removal-tool-v1-v4-v5/

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – GandCrab, decryption tool)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment