GandCrab ransomware crew loses $1M after Bitdefender releases free decrypter

Bitdefender says over 1,700 victims successfully decrypted GandCrab-locked files within hours of the tool's release.


Bitdefender believes the criminal group behind the GandCrab ransomware has lost an estimated $1 million in ransom payments after the company released a free decryption utility for GandCrab victims last week.


The Romanian antivirus maker says that at least 1,700 GandCrab victims were able to successfully decrypt GandCrab-locked files within hours after the tool's release.

Most of these users were located in South Korea, China, India, and the US, according to statistics released by the company yesterday.

Bitdefender released a free decryption utility for recovering files locked by the GandCrab ransomware last week, in collaboration with Europol, Romanian Police, and other law enforcement organizations.

[Figure: distribution of GandCrab decryption-tool users by country. Image: Bitdefender]

As a Romanian Police spokesperson told ZDNet last week, the tool leveraged a flaw in the ransomware's encryption scheme to allow victims to decrypt their files without paying the crooks' ransom fee.

The tool can recover files encrypted by GandCrab v1 (files renamed with the GDCB extension), v4 (KRAB extension), and v5 (a random 10-character extension; v5 is also the current and latest GandCrab version).

A day after Bitdefender released its decryption utility, the GandCrab team also released a new version, v5.0.5, that fixed the encryption loophole and broke the company's decrypter.

GandCrab versions v2 and v3 remain undecryptable, but those versions were active only between February and July and have not been seen in recent infections.

Bitdefender says the "most prolific GandCrab ransomware versions are v4 and v5."
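The version-to-extension mapping above is the practical starting point for a defender who has to work out whether an infected machine's files are covered by the free decrypter. The following Python triage script is an added illustration for this article, not Bitdefender's tool or any code published with it: it walks a directory, infers the GandCrab version from each file's trailing extension using only the mapping the article gives (GDCB for v1, KRAB for v4, a random 10-character extension for v5), and reports how many files fall into each version and whether that version was decryptable. The v5 rule is a heuristic, and the assumption that the random extension is alphabetic is the author's, not the article's; v2 and v3 extensions are not named on the page and are therefore not modelled.

```python
import os
import re
from collections import Counter

# Extension-to-version mapping as stated in the article. v2/v3 extensions are
# not given on the page, so files from those versions will simply not match.
FIXED_EXTENSIONS = {
    "GDCB": "v1",
    "KRAB": "v4",
}

# Heuristic for v5: the article says "random 10-character extension" but not
# which characters. Alphabetic-only is an assumption made for this example;
# legitimate files with a 10-letter extension would be false positives.
V5_PATTERN = re.compile(r"^[A-Za-z]{10}$")

# Versions the article says the decrypter handled at the time of publication.
DECRYPTABLE = {"v1", "v4", "v5"}


def classify(filename):
    """Return the GandCrab version inferred from the file's last extension, or None."""
    _, dot, ext = filename.rpartition(".")
    if not dot or not ext:
        return None
    if ext.upper() in FIXED_EXTENSIONS:
        return FIXED_EXTENSIONS[ext.upper()]
    if V5_PATTERN.match(ext):
        return "v5"
    return None


def triage(filenames):
    """Count files per inferred version and flag whether the decrypter covers them."""
    counts = Counter(v for v in map(classify, filenames) if v)
    return {
        version: {"files": n, "decryptable": version in DECRYPTABLE}
        for version, n in counts.items()
    }


def triage_directory(root):
    """Run triage over every file name below `root` (read-only: nothing is modified)."""
    names = []
    for _, _, files in os.walk(root):
        names.extend(files)
    return triage(names)


# Constructed sample file names, not taken from any real infection.
SAMPLE = [
    "budget.xlsx.GDCB",          # v1
    "photo.jpg.KRAB",            # v4
    "notes.txt.KRAB",            # v4
    "report.docx.ABCDEFGHIJ",    # v5 (random 10-character extension)
    "readme.txt",                # untouched file
    "archive.tar.gz",            # untouched file
]

if __name__ == "__main__":
    for version, info in sorted(triage(SAMPLE).items()):
        status = "covered by decrypter" if info["decryptable"] else "not covered"
        print(f"{version}: {info['files']} file(s), {status}")
```

Running `triage_directory()` against a copy of the affected volume gives a quick count per version without touching the encrypted files themselves, which matters because the article's advice is to keep those files intact until a decrypter is available.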

Bitdefender's GandCrab decryption utility is a perfect example of why most security experts will always advise victims to set their ransomware-encrypted files aside and wait for a free decryption utility to be released in the coming months.

While decryption utilities may not be published for every ransomware strain, when they are, they offer victims a chance of recovering files once considered lost.
