Free decryption tool released for multiple GandCrab ransomware versions

New decryption tool can recover files locked by GandCrab versions 1, 4, and 5.
Written by Catalin Cimpanu, Contributor

The No More Ransom project released today an updated and more potent decryption tool for the GandCrab ransomware in what Europol has described as the "latest victory of law enforcement in the battle against ransomware."

The decryption tool was developed by Romanian Police, Europol, and Bitdefender, and will be made available on the No More Ransom project website for download starting today.

The tool is an update to a first version that was released in February by Bitdefender. The new GandCrab decrypter is more potent and can recover data for more GandCrab versions: v1 (GDCB extension), v4 (KRAB extension), and v5 (random 10-character extension, also the current/latest GandCrab version).

The new decrypter also comes after Bitdefender released a more limited decryption tool earlier this week for GandCrab ransomware victims located in Syria. The Romanian antivirus maker was able to create that decrypter after the GandCrab developer released legitimate and authentic decryption keys for victims located inside Syria, out of compassion.

In a blog post today, Bitdefender also said they're still working on creating a decrypter that can unlock files encrypted by GandCrab versions 2 and 3.

A representative of the Romanian Police Central Cybercrime Unit didn't comment on the operation's particularities, citing an ongoing investigation, but told ZDNet the new decryption tool was "a cryptographic issue rather than an infrastructure issue," suggesting investigators found a flaw in GandCrab's file encryption routine. Flaws in ransomware encryption schemes are how authorities and cyber-security firms have been able to decrypt most ransomware strains in the past years.

The new GandCrab ransomware decryption tool is indeed a great victory for law enforcement and, indirectly, for victims who had their files encrypted. While GandCrab v1 was mostly deployed in January and February, v4 and v5 were put into circulation in July and September, respectively. This means that anyone infected with GandCrab versions released in the past four months can now recover files for free, without paying GandCrab's ransom demand, which usually varies from $600 to $3,000 per infected computer.


GandCrab is, by far, the most active and widespread ransomware strain today, taking the place of Locky and Cerber, the leading ransomware strains of 2016 and 2017.

The GandCrab ransomware is developed by a central figure who goes by the name of "Crab" or "Gandcrab" and rented to other cybercriminals on a well-known hacking forum.

Its RaaS (ransomware-as-a-service) model allows distributors to keep 70 percent of the ransom payments, while Crab takes a 30 percent cut, although Crab used to take a smaller percentage when the ransomware first launched in January.

New GandCrab versions are usually released every one or two weeks, and the ransomware was ported to target even older Windows versions, such as XP. The GandCrab author has also recently partnered with a crypter service in an agreement that could result in the ransomware strain becoming more difficult to spot and analyze in the future.

Since the ransomware was first spotted at the start of 2018, GandCrab distribution campaigns have leveraged email spam and exploit kits.

In August, the GandCrab ransomware author included a zero-day vulnerability for the AhnLab antivirus inside the ransomware's code after the South Korean company released a vaccine that prevented victims from being infected with a particular version of GandCrab.

Besides Europol and Bitdefender, Romanian Police also worked with counterparts from Bulgaria, France, Hungary, Italy, Poland, the Netherlands, the UK, and the US.

"Together, we have understood the perception of this threat, and through joint efforts, we want to support the hundreds of thousands of ransomware victims in Romania and around the world," a spokesperson for the Romanian Police Central Cybercrime Unit told ZDNet.

