steven36 Posted June 17, 2019

In collaboration with law enforcement agencies around the world, Bitdefender has released an updated decryptor for the GandCrab Ransomware that can decrypt files encrypted by versions 1, 4, and 5 through 5.2.

In announcements by both Bitdefender and Europol, a decryptor for the GandCrab Ransomware was released that decrypts the latest versions of the ransomware.

"The tool is released in partnership with law enforcement agencies from Austria (Bundeskriminalamt – BMI), Belgium (Federal Computer Crime Unit), Bulgaria (Bulgarian Cybercrime Unit), France (Police Judiciaire de Paris – Befti), Germany (LKA Baden-Württemberg), the Netherlands (High Tech Crime Unit), Romania (DIICOT), the United Kingdom (NCA and Metropolitan Police), the United States (FBI) and Europol, together with the private partner Bitdefender."

Similar to previous releases of GandCrab Ransomware decryptors by Bitdefender, this tool is not being made available due to a flaw in the encryption algorithm. Instead, the security firm in collaboration with law enforcement was able to gain access to GandCrab command & control servers in order to download the decryption keys needed to decrypt a victim's files.

Instructions on how to use the GandCrab decryptor can be found at the end of the article. If you need any help, feel free to leave a comment in this article or our GandCrab Support and Help forum topic.

The rise and fall of GandCrab

BleepingComputer has been following GandCrab since it was first released on January 28th, 2018, when it began to be distributed through a Ransomware-as-an-Affiliate system on underground hacker forums like Exploit.in.

When first released, the GandCrab Ransomware was being distributed through the RIG exploit kit and would encrypt a victim's files and append the .GDCB extension to their names.
[Image: Original GandCrab Ransom Note]

The GandCrab developers had a penchant for taunting researchers and organizations that monitored ransomware and the first release was no different. When first released, the GandCrab devs sent BleepingComputer a taunt or message in their executable by naming one of their command & control servers after us and other organizations known to track ransomware.

These original C2s were:

bleepingcomputer.bit
nomoreransom.bit
esetnod32.bit
emsisoft.bit
gandcrab.bit

Since then, we have been following the GandCrab team release multiple versions until their final release of version 5.2.

[Image: GandCrab 5.2 Ransom Note]

While the GandCrab team hit some roadblocks along the way with C2 servers being hacked and researchers releasing decryptors [1, 2, 3], when they announced their retirement this month, they also claimed to have earned a massive amount of revenue. In a retirement post to the hacker forum Exploit.in, the ransomware developers claim to have earned $2 billion in ransom payments and $150 million in personal profit.

[Image: GandCrab Retirement Announcement]

With the release of this updated decryptor, the life of the GandCrab Ransomware is officially over and users can now retrieve their files for free.

How to Decrypt GandCrab encrypted files

If you were infected with the GandCrab Ransomware v1, v4, and versions 5-5.2, then you will now be able to get your files back for free using an updated decryptor by Bitdefender. To get started, download the BDGandCrabDecryptTool.exe file from the following download link.

GandCrab Decryptor (for versions 1, 4, and 5-5.2): https://labs.bitdefender.com/wp-content/uploads/downloads/gandcrab-removal-tool-v1-v4-v5/

Once downloaded, double-click on the program and you will be greeted with a license agreement, which you should accept.

The decryptor will open and display a notice that the machine needs to be connected to the Internet to work.
This is because the decryptor will need to connect back to the Bitdefender servers in order to check for your decryption key and download it.

You will now be shown the main GandCrab decryptor screen as shown below. At this point you have the option to either decrypt the entire computer or a specific folder.

[Image: Bitdefender GandCrab Decryptor]

I suggest you test the decryptor against a folder first to make sure it works and that there are no issues. If successful, you can then select "Scan entire system" to decrypt the whole computer. Once you select the option you want, to begin decryption you need to click on the Start Tool button.

Once the decryption process is started, the decryptor will look for a ransom note to retrieve certain information, which is then uploaded to Bitdefender's servers. If a key can be found, it will be sent back to the decryptor.

[Image: Retrieving Decryption Key]

Once a decryption key is retrieved and loaded, the decryptor will start to decrypt the files on your computer. You can track its progress by using the scroll bar in the decryptor window.

[Image: Decrypting GandCrab Encrypted Files]

When done, the decryptor will state it's finished and alert you to any issues. If there are issues, you can click on the log file link to automatically open the %Temp%\BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt log file. This file will contain a summary of the decrypted files and any that were not able to be decrypted.

[Image: Decryptor Finished]

For example, in our test, the decryptor was successfully able to decrypt all but 10 files. Thankfully, these were application specific files that can be recreated simply by reinstalling the application.

If you have any trouble working with this decryptor, feel free to leave a comment here or in our 60-page GandCrab Support and Help forum topic.
vitorio Posted June 17, 2019

Great news. From one who suffered one of the variations of Ransomware some months ago and needed to reset my PC to its original factory settings.
This topic is now archived and is closed to further replies.