In light of the recent victorious move of security analysts, learn how to decrypt files locked by GandCrab v1, v4 and v5 ransomware without paying the ransom.
[February 2019 update]
On October 25, Romanian security software vendor Bitdefender sensationally spread the word about their breakthrough in combatting GandCrab, one of the nastiest and most competently designed blackmail viruses to date. This e-extortion epidemic has been running rampant since early 2018, making hundreds of thousands of victims throughout the world.
The antivirus lab’s researchers were able to come up with a decryption tool that restores files encrypted by versions 1, 4 and 5 of said ransomware. This way, not only can the numerous infected users heave a sigh of relief over returning the most valuable data, but they can also do it for free. Compared to ransoms demanded by the GandCrab crew, which range from about $600 to $6,000 worth of Bitcoin or Dash cryptocurrency, this initiative is certainly a godsend.
Zooming in, the tool called Bitdefender GandCrab Decryptor supports 3 editions of the ransomware in question, namely the ones that append victims’ personal files with the following extensions: GDCB (version 1), KRAB (version 4), or random character string, such as “yhtsfctld” (version 5). Note that the recovery works for all sub-variants of the above-mentioned iterations, so those hit by, say, GandCrab v5.0.3 are among the lucky ones as well.
According to the AV company’s press release, the decryptor was masterminded in close collaboration with the Romanian Police, Europol, the FBI and other law enforcement agencies from the UK, the Netherlands, France, Poland, Bulgaria, Italy, and Hungary.
For the record, iterations 4 and 5 of the malicious program reportedly account for the majority of the infection cases. As for those contaminated with GandCrab versions 2 and 4, the analysts recommend that they refrain from paying the ransom to redeem their files at this point. Although the decryptor in its current state doesn’t crack these mods, the white hats on the vendor’s research team have instilled some hope by saying, “We’re still on it”. So the victims should stay tuned for good news, which will hopefully arrive in the near future. Overall, the security firm’s telemetry indicates that about 500,000 users across the globe have fallen victim to GandCrab this year.
There are currently no official details if the decryptor is an outcome of seizing the malicious command & control (C&C) servers, or whether it takes advantage of a crypto implementation flaw in the offending code. The latter is more likely, though. Anyway, let’s move on to the decryption routine proper.
How to decrypt GandCrab v1, v2, v5.0-5.0.3
The main prerequisite to successful data recovery in this scenario is the availability of a ransom note dropped by the infection. That’s because it contains a unique user-specific key that will be used by the decryptor to restore your files. This key is a long string of hexadecimal characters that identifies each victim.
So, as soon as you ascertain that the ransom note is on your computer, go ahead and download the decryptor. Run the app and accept the End-User License Agreement. When done, you will see the main GUI. Before you proceed, be sure to specify a scanning path or enable the “Scan entire system” option. Also, consider putting a checkmark for the self-explanatory “Backup files” feature. Then, click “Scan”.
The tool will start traversing your computer for the crypto key data and decrypt all files locked by a supported GandCrab edition.
Be advised that the utility first tries to recover 5 files in the defined scanning path and will not continue if that decryption fails for some reason. Otherwise, it will decrypt the hostage files and then display the scan status notification. If something went wrong and some data couldn’t be restored, the app will let you know by saying “Some files could not be decrypted!”
In order to find out which files haven’t been reinstated, you can peruse the tool’s logs generated inside the BDRansomDecryptor folder under the %Temp% directory. However, if the decryptor succeeds in locating all the bits and pieces of the required cryptographic information in the system, the chances that something goes wrong are quite low and it should be able to get all your files out of captivity.
February 2019 update: support added for GandCrab variants up to v5.1
Almost 4 months after the above-mentioned version of the revolutionary decryptor was out, the same security firm cooked up a new mod that’s capable of restoring files mutilated by more editions of the ransomware. Its recovery power now additionally spans GandCrab iterations up to version 5.1 inclusive. This tool is particularly game-changing in the context of the GandCrab 5.0.4 sub-campaign, which has made the most victims over the past few months.
Not only has the most recent build of the rescue app gained enhanced cipher-cracking functionality, but it has also undergone an overhaul on the outside. It’s now called Bitdefender Decryption Utility for GandCrab V1, V4, V5.
The new light-colored GUI supersedes the dark user console of the previous variant. Other than that, the features are the same. The user can select a specific encrypted folder or opt for a scan of the entire system. The “Backup files” option is still there, and it’s worthwhile just to make sure data stays in its current form if something goes wrong along the way.
Predictably enough, heaving a sigh of relief is a premature reaction when it comes to ransomware families as potent as this one. Mere days elapsed after the vendor announced the revamped decryptor – and the cybercriminals came up with GandCrab 5.2 variant that cannot be cracked. The bad guys must have “patched” the crypto flaw discovered by the security analysts, so the undecryptable menace is back and it’s out there looking for new victims. While the researchers’ efforts are more than commendable, the crooks continue to be one step ahead.
The bottom line
GandCrab ransomware devs have architected a smooth extortion model where they get a 30% cut from all the ransoms while outsourcing the distribution job to unscrupulous affiliates. This tactic is known as RaaS (Ransomware-as-a-Service), and it’s the basis for long-lasting worldwide propagation of the culprit. This strain boasts frequent updates featuring code improvements and permanently refined AV evasion mechanisms.
Again, the build currently in rotation is GandCrab v5.2, and it’s uncrackable thus far. The malware operators have made a few tweaks to their infection to get around the free decryption trap. In the meantime, if you have been attacked by this virtual predator and the stars align in terms of the ransomware variant, don’t fail to give the free recovery tool a shot right away.