
Bitdefender GandCrab decryptor for Syrian users now available

We’re happy to announce the release of a new decryptor for victims of GandCrab ransomware. The tool can only be used by a limited pool of victims located in Syria, and works for GandCrab ransomware versions 1 through 5.

At the tool’s core are the roughly 1000 decryption keys deliberately released by the group behind GandCrab and shared with us by BleepingComputer journalist Lawrence Abrams, from a dump originally spotted by a malware researcher who goes by the handle Damian1338B.

Download the GandCrab decryption tool

The release of these keys is not an act of redemption by the notorious cybercrime ring that allegedly makes hundreds of thousands of dollars a month from defrauding victims. It is instead the group’s response to the desperate Tweet of a Syrian father who lost his sons to the war and all the memories of his sons to ransomware.

Our decryption utility – the second one we have released so far to help users get GandCrab encrypted files back – can be downloaded from its product page on Bitdefender Labs. However, there are some things that you should know before you download it:

  • This tool is built around the decryption keys released by the GandCrab operators themselves. These keys are associated with Syrian victims, according to their release.
  • While this decryption tool allows Syrian victims to get their information back, there is no guarantee that all victims will be able to successfully decrypt their data. In some circumstances, residents of a country might be inadvertently identified as located somewhere else based on the exit node’s IP address.
  • This tool DOES NOT WORK for GandCrab victims located outside Syria. Of course, there is no harm in running the tool and attempting to decrypt, but we will not be able to provide technical support in case you are located outside Syria and decryption fails.

If your computer has fallen victim to GandCrab and you live somewhere other than Syria, do not despair and, most importantly, do not pay up. Instead, take a backup of the ransomed files, along with the ransom note, and store them somewhere safe, because help is coming really soon.

We’re all working on it and we’ll solve this.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

40 Comments

  • Hi Bogdan, an evil GandCrab 5 encrypted my files 🙁 I tried a recovery tool but it also deleted the files. Is there a way to decrypt?

    • Are you located in Syria? If you are, send the ransom note to forensics@bitdefender.com and we'll investigate further. Please note that, as per the blog post, this tool does not work for victims outside Syria.

        • It says right there in the title. You can't, it only includes the decryption keys for Syrian users, as they were released publicly by GandCrab. Hang on, we're working on a tool to address other regions.

      • this link https://labs.bitdefender.com/2018/10/bitdefender-law-enforcement-solve-for-multiple-versions-of-gandcrab-with-new-decryptor/

      • Hi and Thanks to the efforts that are being made to deal with the ransomwares.

        First of all, I apologize for my weak English,

        My name is Mohammad and I'm from IRAN, I'm an IT Employee at Karafarin Bank Company, on 22 Aug 2018, 4 devices from my servers were attacked by Gandcrab v4.0 and this created major problems at my workplace.

        After encountering this problem, I began to negotiate with the ransom support team through the link in the Ransom-Note txt file via TOR Browser and through them I managed to get the Decrypter file and private.key file from one of the servers. The problem was that these 4 servers were linked through shared folders, and they were infected. I ran the Decrypter and private.key file that I received on each of the four servers, but this key only decrypted one of the servers and deleted all the Ransom-Note txt files from all servers (this feature was located in the Decrypter file). That's why I do not have any Ransom-Note txt files for my other 3 servers. Now my main problem is the Ransom-Note txt files of the other 3 servers for decrypting files. If you think that the Decryptor and the private.key that have been sent to me will help resolve the issue, please ask me to send them to you.

        Thanks for Help,

        Yours sincerely.
        Mohammad Yari

        • You can send us the decryption tool on one of your servers. Just like the message file on the remaining servers via gmail maytinhcn. The tools that you decode for a good host can be fortunate to support other victims in our country. Thanks.

  • Hello, I have removed the malware from my PC BUT the decryptor is not working for me, it keeps saying .. initialization FAILED! ..

    —= GANDCRAB V5.0.3 =—
    and encrypted files have the .occbc extension

    Please help me, all my work is encrypted

    • Hang on, take a backup of the encrypted files + ransom note, clean your PC with an antimalware solution and stand by for a new tool to decrypt 5.0.3.

      • Hi, I'm infected by

        —= GANDCRAB V5.0.3 =—

        the extension: .TWTBVCKC

        I'm in Italy, is there any decryptor available?
        If I run the recognition tool it finds several different ransomware types

        Rapid
        cerber
        Gandcrab 1 and 2
        satrurn sigma

        What shall I do?
        thanks,
        fabio

  • Hi
    I am PAVAN from INDIA
    My PC is infected with Gandcrab V5.0.1, with a 5 random letter file extension. I have cleared the malware but am unable to decrypt the infected files. Is there any decryptor?

    Thank you

    • Hi, this is the text note I received:

      —= GANDCRAB V5.0.3 =—

      Attention!

      All your files, documents, photos, databases and other important files are encrypted and have the extension: .TWTBVCKC

      Is there any decryptor available?

      • I tried this link but the download did not complete because of a network error. Please help me
        https://labs.bitdefender.com/2018/10/bitdefender-law-enforcement-solve-for-multiple-versions-of-gandcrab-with-new-decryptor/

        • Download the tool again. Run it. If you encounter any issues, write us at forensics@bitdefender.com and provide us with the logs in %temp%\BDRemovalTool\BDRansomDecryptor. Thanks!

          • Open any folder on your computer. Write that file path as it is – %temp%\BDRemovalTool\BDRansomDecryptor in the address bar above. You will be redirected to the actual folder. Get the contents, attach them to an e-mail and send it our way.

          • Hi,
            My files were encrypted by gandcrab v5 0 3 with extension .dofhnir.
            Can the decryption tool recover my files?