Update June 2019: Our collaboration with the Romanian Police, Europol and other law enforcement agencies has yielded another new decryptor for all GandCrab ransomware versions released, except for v2 and v3. If you need to decrypt versions 1, 4, 5.0.1 through 5.2, then download and run our new tool linked below.
We’re happy to announce the release of a new decryptor for victims of GandCrab ransomware. The tool can only be used by a limited pool of victims located in Syria, and works for GandCrab ransomware versions 1 through 5.
At the tool’s core is the roughly 1000 decryption keys deliberately released by the group behind GandCrab and shared with us by BleepingComputer journalist Lawrence Abrams from a dump originally spotted by a malware researcher that goes by the Damian1338B handle.
The release of these keys is not an act of redemption of the notorious cybercrime ring that allegedly makes hundred of thousand dollars a month from defrauding victims. It is instead the group’s response to the desperate Tweet of a Syrian father who lost his sons to the war and all the memories of his sons to ransomware.
Our decryption utility – the second one we have released so far to help users get GandCrab encrypted files back – can be downloaded from its product page on Bitdefender Labs. However, there are some things that you should know before you download it:
- This tool is built around the decryption keys released by the GandCrab operators themselves. These keys are associated with Syrian victims, according to their release.
- While this decryption tool allows Syrian victims to get their information back, there is no guarantee that all victims will be able to successfully decrypt their data. In some circumstances, residents of a country might be inadvertently identified as located somewhere else based on the exit node’s IP address.
- This tool DOES NOT WORK for GandCrab victims located outside Syria. Of course, there is no harm in running the tool and attempting to decrypt, but we will not be able to provide technical support in case you are located outside Syria and decryption fails.
If your computer has fallen victim to GandCrab and you live somewhere else than Syria, do not despair, and most importantly, do not pay up. Instead, take a backup of the ransomed files, along with the ransom note and store them somewhere safe, because help is coming really soon.
We’re all working on it and we’ll solve this.