Game Over for GandCrab: New free decryption tool allows victims to unlock all versions of this ransomware

Shortly after those behind GandCrab announced they are retiring, researchers have released a new tool which nullifies all versions of the ransomware.
Written by Danny Palmer, Senior Writer

A new decryption tool that counters one of the most prolific families of ransomware by allowing victims to retrieve their files for free has been released in a collaborative effort by Europol, the FBI, cybersecurity company Bitdefender, and others.

The latest version of the GandCrab decryptor neutralises the most recent incarnations of the file-locking malware – GandCrab 5.0 through to GandCrab 5.2 – as well as allowing users to retrieve files encrypted by older versions of the ransomware.

It's thought that over 1.5 million Windows users have been infected with GandCrab since it first emerged in January 2018, with both home and business networks falling victim to attacks by what Europol describes as "one of the most aggressive forms of ransomware".


The cyber criminals behind GandCrab claim that the ransomware has extorted over $2 billion from victims who've given in and paid to receive the decryption key to get their files back – although researchers say the figure is likely an exaggeration.

Helped along by an affiliate model that allowed low-level cyber criminals to buy ready-made kits that made attacks easy to distribute, in exchange for 40% of the cut going to the authors, GandCrab at one point accounted for over half of all ransomware infections.

Several free decryption tools have been released to combat GandCrab over the past 18 months – something which Bitdefender and partner law enforcement agencies say has helped over 30,000 victims and prevented more than $50m being paid to the attackers.

The latest GandCrab decryptor has been released by Bitdefender in partnership with Europol, Romanian Police, DIICOT, FBI, the UK's National Crime Agency and the Metropolitan Police, as well as police forces across Europe.

The tool is available to download from both Bitdefender Labs and the No More Ransom project. The latter is a joint scheme by a large number of cybersecurity companies, governments and law enforcement agencies, which provide free decryption tools for many different forms of ransomware.

The latest version of the GandCrab decryptor comes shortly after the creators of the ransomware announced that they plan to retire, claiming to have pocketed hundreds of millions from the malware.


While affiliates can still distribute GandCrab for now, the shutdown of the operation means that it won't be profitable for much longer. However, it could still cause problems for victims: not only can it continue to infect systems, but once GandCrab operations have ceased, victims who pay the ransom will not get their files back.

"The GandCrab team has stopped affiliates from accessing new versions of the malware and has urged them to prepare for an imminent shutdown. The shutdown will be followed by deletion of all keys, leaving the victims unable to retrieve the ransomed data even if they do pay the ransom," said Bogdan Botezatu, director of threat research and reporting at Bitdefender.

Despite the end of GandCrab, ransomware remains a large threat to organisations, with several high-profile attacks in recent months highlighting the danger posed.

To avoid falling victim to ransomware in the first place, researchers recommend that all software and applications are patched and up to date, so that attackers cannot take advantage of known vulnerabilities. It's also recommended that organisations back up their systems frequently, so if a ransomware infection does occur, the network can be restored from a recent backup.

Cybersecurity companies and law enforcement agencies warn that victims shouldn't give in to the demands of attackers – not only does it fund crime, but attackers could label those who pay up as soft targets and strike again at a later date.
