
Bitdefender GandCrab decryptor for Syrian users now available

Update June 2019: Our collaboration with the Romanian Police, Europol and other law enforcement agencies has yielded another new decryptor for all GandCrab ransomware versions released, except for v2 and v3. If you need to decrypt versions 1, 4, 5.0.1 through 5.2, then download and run our new tool linked below.

We’re happy to announce the release of a new decryptor for victims of GandCrab ransomware. The tool can only be used by a limited pool of victims located in Syria, and works for GandCrab ransomware versions 1 through 5.

At the tool’s core are the roughly 1000 decryption keys deliberately released by the group behind GandCrab and shared with us by BleepingComputer journalist Lawrence Abrams, from a dump originally spotted by a malware researcher who goes by the handle Damian1338B.

Download the GandCrab decryption tool

The release of these keys is not an act of redemption by the notorious cybercrime ring that allegedly makes hundreds of thousands of dollars a month from defrauding victims. It is instead the group’s response to the desperate Tweet of a Syrian father who lost his sons to the war and all the memories of his sons to ransomware.

Our decryption utility – the second one we have released so far to help users get GandCrab encrypted files back – can be downloaded from its product page on Bitdefender Labs. However, there are some things that you should know before you download it:

  • This tool is built around the decryption keys released by the GandCrab operators themselves. These keys are associated with Syrian victims, according to their release.
  • While this decryption tool allows Syrian victims to get their information back, there is no guarantee that all victims will be able to successfully decrypt their data. In some circumstances, residents of a country might be inadvertently identified as located somewhere else based on the exit node’s IP address.
  • This tool DOES NOT WORK for GandCrab victims located outside Syria. Of course, there is no harm in running the tool and attempting to decrypt, but we will not be able to provide technical support in case you are located outside Syria and decryption fails.

If your computer has fallen victim to GandCrab and you live somewhere other than Syria, do not despair, and most importantly, do not pay up. Instead, take a backup of the ransomed files, along with the ransom note, and store them somewhere safe, because help is coming really soon.

We’re all working on it and we’ll solve this.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as director of threat research. When he is not documenting sophisticated strains of malware or planning removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.



    • Are you located in Syria? If you are, send the ransom note to and we'll investigate further. Please note that, as per the blog post, this tool does not work for victims outside Syria.

      • Hi, and thanks for the efforts that are being made to deal with ransomware.

        First of all, I apologize for my weak English.

        My name is Mohammad and I'm from Iran. I'm an IT employee at Karafarin Bank Company. On 22 Aug 2018, 4 devices from my servers were attacked by GandCrab v4.0 and this created major problems at my workplace.

        After encountering this problem, I began to negotiate with the ransom support team through the link in the ransom note txt file via TOR Browser, and through them I managed to get the decrypter file and private.key file from one of the servers. The problem was that these 4 servers were linked through shared folders, and they were infected. I ran the decrypter and private.key file that I received on each of the four servers, but this key only decrypted one of the servers and deleted all the ransom note txt files from all servers (this feature was located in the decrypter file). That's why I do not have any ransom note txt files for my other 3 servers. Now my main problem is the ransom note txt files of the other 3 servers for decrypting files. If you think that the decryptor and the private.key that have been sent to me will help resolve the issue, please ask me to send them to you.

        Thanks for Help,

        Yours sincerely.
        Mohammad Yari

      • Getting initialization error. Sent the log to the email in the tool, please have a look and reply back.

        GandCrab v5.0.4

        All your files, documents, photos, databases and other important files are encrypted and have the extension: .MOEDPKMQ

  • Hello, I have removed the malware from my PC, but the decryptor is not working for me; it keeps saying .. initialization FAILED! ..

    —= GANDCRAB V5.0.3 =—
    and encrypted files have the .occbc extension

    Please help me, all my work is encrypted

  • Hi
    I am PAVAN from INDIA
    My PC is infected with GandCrab V5.0.1, with a 5 random letter file extension. I have cleared the malware but am unable to decrypt the infected files. Is there any decryptor?

    Thank you

    • Hi, this is the text note I received:

      —= GANDCRAB V5.0.3 =—


      All your files, documents, photos, databases and other important files are encrypted and have the extension: .TWTBVCKC

      Is there any decryptor available?

      • I tried this link but the download did not complete because of a network error. Please help me.

        • Download the tool again. Run it. If you encounter any issues, write us at and provide us with the logs in %temp%\BDRemovalTool\BDRansomDecryptor. Thanks!

          • Open any folder on your computer. Write that file path as it is – %temp%\BDRemovalTool\BDRansomDecryptor in the address bar above. You will be redirected to the actual folder. Get the contents, attach them to an e-mail and send it our way.

          • Hi,
            My file was encrypted by GandCrab v5.0.3 with the extension .dofhnir.
            Can the decryption tool recover my files?

          • I tried using the decryptor for version 5.0.4 but the program fails to even start the scan, with an "Initialization failed" error. I have sent in some files with the text file, along with logs from the folder, to the team. Hoping that this issue will be addressed. Maybe there is a command line tool? Or can anyone who was able to successfully run the program provide some help and decrypt the files of other people somehow?
            I want to know if the files can be decrypted somehow, else I want to do a clean installation of Windows and forget about them forever.