
GandCrab ransomware free decryption tool released

In light of the recent victorious move of security analysts, learn how to decrypt files locked by GandCrab v1, v4 and v5 ransomware without paying the ransom.

On October 25, Romanian security software vendor Bitdefender sensationally spread the word about their breakthrough in combatting GandCrab, one of the nastiest and most competently designed blackmail viruses to date. This e-extortion epidemic has been running rampant since early 2018, claiming hundreds of thousands of victims throughout the world.

The antivirus lab’s researchers were able to come up with a decryption tool that restores files encrypted by versions 1, 4 and 5 of said ransomware. This way, not only can the numerous infected users heave a sigh of relief over returning the most valuable data, but they can also do it for free. Compared to ransoms demanded by the GandCrab crew, which range from about $600 to $6,000 worth of Bitcoin or Dash cryptocurrency, this initiative is certainly a godsend.

One of the supported GandCrab versions in action

Zooming in, the tool called Bitdefender GandCrab Decryptor supports 3 editions of the ransomware in question, namely the ones that append one of the following extensions to victims’ personal files: GDCB (version 1), KRAB (version 4), or a random character string, such as “yhtsfctld” (version 5). Note that the recovery works for all sub-variants of the above-mentioned iterations, so those hit by, say, GandCrab v5.0.3 are among the lucky ones as well.

According to the AV company’s press release, the decryptor was masterminded in close collaboration with the Romanian Police, Europol, the FBI and other law enforcement agencies from the UK, the Netherlands, France, Poland, Bulgaria, Italy, and Hungary.

For the record, iterations 4 and 5 of the malicious program reportedly account for the majority of the infection cases. Regarding those contaminated with GandCrab versions 2 and 4, the analysts recommend that they refrain from redeeming their files via the ransom at this point. Although the decryptor in its current state doesn’t crack these mods, the white hats working on the vendor’s research team have instilled some hope by saying, “We’re still on it”. So the victims should stay tuned for good news, which is hopefully a matter of the near future. Overall, the security firm’s telemetry states that about 500,000 users across the globe have fallen victim to GandCrab this year.

There are currently no official details on whether the decryptor is an outcome of seizing the malicious command & control (C&C) servers, or whether it takes advantage of a crypto implementation flaw in the offending code. The latter is more likely, though. Anyway, let’s move on to the decryption routine proper.

How to decrypt GandCrab v1, v4 and v5

The main prerequisite to successful data recovery in this scenario is the availability of a ransom note dropped by the infection. That’s because it contains a unique user-specific key that will be used by the decryptor to restore your files. This key is a long string of hexadecimal characters that identifies each victim.

So, as soon as you ascertain that the ransom note is on your computer, go ahead and download the decryptor. Run the app and accept the End-User License Agreement. When done, you will see the main GUI. Before you proceed, be sure to insert a specific scanning path or enable the “Scan entire system” option. Also, consider putting a checkmark for the self-explanatory “Backup files” feature. Then, click “Scan”.

Bitdefender GandCrab Decryptor GUI

The tool will start traversing your computer for the crypto key data and decrypt all files locked by a supported GandCrab edition.

GandCrab decryption underway

Be advised that the utility first tries to recover 5 files in the defined scanning path and will not continue if the decryption fails for some reason. Otherwise, it will decrypt the hostage files and then display the scan status notification. If something went wrong and some data couldn’t be restored, the app will let you know by saying “Some files could not be decrypted!”

Decryption report

In order to find out which files haven’t been reinstated, you can peruse the tool’s logs generated inside the BDRansomDecryptor folder under the %Temp% directory. However, if the decryptor succeeds in locating all the bits and pieces of the required cryptographic information in the system, the chances that something goes wrong are quite low and it should be able to get all your files out of captivity.
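Before pointing the decryptor at a scanning path, it helps to confirm that the path actually holds both a ransom note and files carrying the matching extension. The following pre-flight check is an added example, not part of Bitdefender's tool or the original article; the function names are hypothetical, and it assumes the note is named `<EXTENSION>-DECRYPT.txt`, as in the V5 log quoted in the comments below.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict

# Fixed extensions the article lists; any other note prefix is treated as v5.
FIXED_EXT = {"gdcb": "v1", "krab": "v4"}
# Assumption: ransom note is <EXTENSION>-DECRYPT.txt (e.g. VQJTYPZB-DECRYPT.txt).
NOTE_RE = re.compile(r"^([A-Z]{4,10})-DECRYPT\.txt$")


def preflight(scan_path):
    """Map each note-derived extension to its version guess and locked-file count."""
    notes, ext_counts = defaultdict(list), Counter()
    for root, _dirs, files in os.walk(scan_path):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes[m.group(1).lower()].append(os.path.join(root, name))
            else:
                ext = os.path.splitext(name)[1].lstrip(".").lower()
                ext_counts[ext] += 1
    report = {}
    for ext, paths in notes.items():
        locked = ext_counts.get(ext, 0)
        report[ext] = {
            "version": FIXED_EXT.get(ext, "v5"),
            "notes": sorted(paths),
            "locked_files": locked,
            # A note with no matching files means this path is a poor scan target.
            "orphan_note": locked == 0,
        }
    return report


def build_sample(root):
    """Constructed sample: a v5 note with 6 locked files, plus a lone v4 note."""
    docs, bin_dir = os.path.join(root, "docs"), os.path.join(root, "recycle")
    os.makedirs(docs)
    os.makedirs(bin_dir)
    open(os.path.join(docs, "YHTSFCTLD-DECRYPT.txt"), "w").close()
    for i in range(6):
        open(os.path.join(docs, f"report{i}.docx.yhtsfctld"), "w").close()
    open(os.path.join(bin_dir, "KRAB-DECRYPT.txt"), "w").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext, info in preflight(build_sample(tmp)).items():
            print(ext, info["version"], info["locked_files"], info["orphan_note"])
```

An entry flagged `orphan_note` means the note was found but no files with its extension sit under that path, so a wider scanning path or “Scan entire system” is the better choice.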

The bottom line

GandCrab ransomware devs have architected a smooth extortion model where they get a 30% cut from all the ransoms while outsourcing the distribution job to unscrupulous affiliates. This tactic is known as RaaS (Ransomware-as-a-Service), and it’s the basis for long-lasting worldwide propagation of the culprit. This strain boasts frequent updates featuring code improvements and permanently refined AV evasion mechanisms.

The build currently in rotation is GandCrab v5 – one of the decryptable variants, courtesy of Bitdefender. This probably means, though, that the crooks will make a few tweaks or a complete overhaul of their infection sometime soon to get around the free decryption trap. In the meantime, if you have been attacked by this virtual predator and the stars align in terms of the ransomware variant, don’t fail to give the free recovery tool a shot right away.


  1. lamborio

    November 5, 2018 at 9:21 pm

    help me please
    Decryptor Started

    Looking for ransom note … [E:\$RECYCLE.BIN\S-1-5-18\VQJTYPZB-DECRYPT.txt]
    Looking for VERSION … [V5]
    Looking for EXT … Error while looking for GandCrab extension!

    Decryptor Started

    Looking for ransom note … [E:\$RECYCLE.BIN\S-1-5-18\VQJTYPZB-DECRYPT.txt]
    Looking for VERSION … [V5]
    Looking for EXT … Error while looking for GandCrab extension!


    • Will Wisser

      November 22, 2018 at 10:09 am

      Hi lamborio, Unfortunately BitDefender decryptor doesn’t work with the last (5.0.4) version of GandCrab.

