
GandCrab ransomware free decryption tool (up to version 5.1)

In light of the recent win by security analysts, learn how to decrypt files locked by GandCrab v1, v4 and v5 ransomware without paying the ransom.

[February 2019 update]

On October 25, Romanian security software vendor Bitdefender sensationally spread the word about their breakthrough in combatting GandCrab, one of the nastiest and most competently designed blackmail viruses to date. This e-extortion epidemic has been running rampant since early 2018, making hundreds of thousands of victims throughout the world.

The antivirus lab’s researchers were able to come up with a decryption tool that restores files encrypted by versions 1, 4 and 5 of said ransomware. This way, not only can the numerous infected users heave a sigh of relief over returning the most valuable data, but they can also do it for free. Compared to ransoms demanded by the GandCrab crew, which range from about $600 to $6,000 worth of Bitcoin or Dash cryptocurrency, this initiative is certainly a godsend.

One of the supported GandCrab versions in action

Zooming in, the tool called Bitdefender GandCrab Decryptor supports 3 editions of the ransomware in question, namely the ones that append victims’ personal files with the following extensions: GDCB (version 1), KRAB (version 4), or random character string, such as “yhtsfctld” (version 5). Note that the recovery works for all sub-variants of the above-mentioned iterations, so those hit by, say, GandCrab v5.0.3 are among the lucky ones as well.

According to the AV company’s press release, the decryptor was masterminded in close collaboration with the Romanian Police, Europol, the FBI and other law enforcement agencies from the UK, the Netherlands, France, Poland, Bulgaria, Italy, and Hungary.

For the record, iterations 4 and 5 of the malicious program reportedly account for the majority of the infection cases. As for those contaminated with GandCrab versions 2 and 3, the analysts advise against paying the ransom to get their files back at this point. Although the decryptor in its current state doesn’t crack these mods, the white hats on the vendor’s research team have instilled some hope by saying, “We’re still on it”. So the victims should stay tuned for good news, which is hopefully a matter of the near future. Overall, the security firm’s telemetry states that about 500,000 users across the globe have fallen victim to GandCrab this year.

There are currently no official details on whether the decryptor is an outcome of seizing the malicious command & control (C&C) servers, or whether it takes advantage of a crypto implementation flaw in the offending code. The latter is more likely, though. Anyway, let’s move on to the decryption routine proper.

How to decrypt GandCrab v1, v4, v5.0-5.0.3

The main prerequisite to successful data recovery in this scenario is the availability of a ransom note dropped by the infection. That’s because it contains a unique user-specific key that will be used by the decryptor to restore your files. This key is a long string of hexadecimal characters that identifies each victim.

So, as soon as you ascertain that the ransom note is on your computer, go ahead and download the decryptor. Run the app and accept the End-User License Agreement. When done, you will see the main GUI. Before you proceed, be sure to enter a specific scanning path or enable the “Scan entire system” option. Also, consider putting a checkmark next to the self-explanatory “Backup files” feature. Then, click “Scan”.

Bitdefender GandCrab Decryptor GUI

The tool will start traversing your computer for the crypto key data and decrypt all files locked by a supported GandCrab edition.

GandCrab decryption underway

Be advised that the utility first tries to recover 5 files in the defined scanning path and will not continue if the decryption fails for some reason. Otherwise, it will decrypt the hostage files and then display the scan status notification. If something went wrong and some data couldn’t be restored, the app will let you know by saying “Some files could not be decrypted!”

Decryption report

In order to find out which files haven’t been reinstated, you can peruse the tool’s logs generated inside the BDRansomDecryptor folder under the %Temp% directory. However, if the decryptor succeeds in locating all the bits and pieces of the required cryptographic information in the system, the chances that something goes wrong are quite low and it should be able to get all your files out of captivity.

February 2019 update: support added for GandCrab variants up to v5.1

Almost 4 months after the above-mentioned version of the revolutionary decryptor was out, the same security firm cooked up a new mod that’s capable of restoring files mutilated by more editions of the ransomware. Its recovery power now additionally spans GandCrab iterations up to version 5.1 inclusive. This tool is particularly game-changing in the context of the GandCrab 5.0.4 sub-campaign, which has made the most victims over the past few months.

New Bitdefender decryptor version supporting more GandCrab variants

Not only has the most recent build of the rescue app gotten enhanced cipher-cracking functionality, but it also underwent an overhaul on the outside. It’s now called Bitdefender Decryption Utility for GandCrab V1, V4, V5.

Download GandCrab v1-v5.1 ransomware decryptor

The new light-colored GUI supersedes the dark user console of the previous variant. Other than that, the features are the same. The user can select a specific encrypted folder or opt for a scan of the entire system. The “Backup files” option is still there, and it’s worthwhile just to make sure the data stays in its current form if something goes wrong along the way.

Predictably enough, heaving a sigh of relief is a premature reaction when it comes to ransomware families as potent as this one. Mere days after the vendor announced the revamped decryptor, the cybercriminals came up with the GandCrab 5.2 variant, which cannot be cracked. The bad guys must have “patched” the crypto flaw discovered by the security analysts, so the undecryptable menace is back and it’s out there looking for new victims. While the researchers’ efforts are more than commendable, the crooks continue to be one step ahead.

The bottom line

GandCrab ransomware devs have architected a smooth extortion model where they get a 30% cut from all the ransoms while outsourcing the distribution job to unscrupulous affiliates. This tactic is known as RaaS (Ransomware-as-a-Service), and it’s the basis for long-lasting worldwide propagation of the culprit. This strain boasts frequent updates featuring code improvements and permanently refined AV evasion mechanisms.

Again, the build currently in rotation is GandCrab v5.2, and it’s uncrackable thus far. The malware operators have made a few tweaks of their infection to get around the free decryption trap. In the meantime, if you have been attacked by this virtual predator and the stars align in terms of the ransomware variant, don’t fail to give the free recovery tool a shot right away.

8 Comments

  1. lamborio

    November 5, 2018 at 9:21 pm

    hi
    help me please
    Decryptor Started

    Looking for ransom note … [E:\$RECYCLE.BIN\S-1-5-18\VQJTYPZB-DECRYPT.txt]
    Looking for VERSION … [V5]
    Looking for EXT … Error while looking for GandCrab extension!
    [ERR:Init]

    Reply

    • Will Wisser

      November 22, 2018 at 10:09 am

      Hi lamborio, unfortunately the BitDefender decryptor doesn’t work with the last (5.0.4) version of GandCrab.

      Reply

      • Will Wisser

        February 22, 2019 at 6:04 pm

        lamborio, now it also decrypts Gandcrab 5.0.4! Try and let us know.

        Reply

  2. Amr Helmy

    December 8, 2018 at 6:14 pm

    In November 2018, I discovered that my PC was affected by GANDCRAB V5.0.4 by referring to HRMGI. It seems to be everywhere in my computer. I have downloaded Bitdefender GandCrab V1, V4, V5.
    I have also followed the steps properly. Each time I try to scan using Bitdefender GandCrab V1, V4, V5 Decryptor, the system looks for the encryption key. After a while, it is shown that initialization failed.

    Reply

  3. ahmed

    January 29, 2019 at 7:55 am

    —= GANDCRAB V5.1 =—

    ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

    *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

    Attention!

    All your files, documents, photos, databases and other important files are encrypted and have the extension: .JFECLIEC

    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

    The server with your key is in a closed network TOR. You can get there by the following ways:

    —————————————————————————————-

    | 0. Download Tor browser – https://www.torproject.org/

    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/b25654eee4ee12eb
    | 4. Follow the instructions on this page

    —————————————————————————————-

    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

    ATTENTION!

    IN ORDER TO PREVENT DATA DAMAGE:

    * DO NOT MODIFY ENCRYPTED FILES
    * DO NOT CHANGE DATA BELOW

    —BEGIN GANDCRAB KEY—
    —END GANDCRAB KEY—

    —BEGIN PC DATA—
    —END PC DATA—

    Reply

    • Will Wisser

      February 7, 2019 at 10:51 am

      Ahmed, you’ve got Gandcrab v5.1; unfortunately the Bitdefender tool decrypts files up to version 5.0.3.

      Reply

      • Will Wisser

        February 22, 2019 at 6:02 pm

        Now it works for 5.1 also. Try and let us know.

        Reply

  4. nurudin

    March 8, 2019 at 3:13 pm

    any idea for gandcrab v 5.2?

    Reply
