Update June 2019: Our collaboration with the Romanian Police, Europol and other law enforcement agencies has yielded another new decryptor for all GandCrab ransomware versions released, except for v2 and v3. If you need to decrypt versions 1, 4, 5.0.1 through 5.2, then download and run our new tool linked below.
We’re happy to announce the release of a new decryptor for victims of GandCrab ransomware. The tool can only be used by a limited pool of victims located in Syria, and works for GandCrab ransomware versions 1 through 5.
At the tool’s core are the roughly 1000 decryption keys deliberately released by the group behind GandCrab and shared with us by BleepingComputer journalist Lawrence Abrams from a dump originally spotted by a malware researcher who goes by the handle Damian1338B.
Download the GandCrab decryption tool
The release of these keys is not an act of redemption by the notorious cybercrime ring that allegedly makes hundreds of thousands of dollars a month from defrauding victims. It is instead the group’s response to the desperate Tweet of a Syrian father who lost his sons to the war and all the memories of his sons to ransomware.
Our decryption utility – the second one we have released so far to help users get GandCrab encrypted files back – can be downloaded from its product page on Bitdefender Labs. However, there are some things that you should know before you download it:
- This tool is built around the decryption keys released by the GandCrab operators themselves. These keys are associated with Syrian victims, according to their release.
- While this decryption tool allows Syrian victims to get their information back, there is no guarantee that all victims will be able to successfully decrypt their data. In some circumstances, residents of a country might be inadvertently identified as located somewhere else based on the exit node’s IP address.
- This tool DOES NOT WORK for GandCrab victims located outside Syria. Of course, there is no harm in running the tool and attempting to decrypt, but we will not be able to provide technical support in case you are located outside Syria and decryption fails.
If your computer has fallen victim to GandCrab and you live somewhere other than Syria, do not despair, and most importantly, do not pay up. Instead, take a backup of the ransomed files, along with the ransom note, and store them somewhere safe, because help is coming really soon.
We’re all working on it and we’ll solve this.
Hi Bogdan, an evil GandCrab 5 encrypted my files 🙁 I tried a recovery tool but it also deleted the files. Is there a way to decrypt?
initialized failed.
I get an error. It's exactly what's wrong. Or how can I run
Are you located in Syria? If you are, send the ransom note to forensics@bitdefender.com and we'll investigate further. Please note that, as per the blog post, this tool does not work for victims outside Syria.
No, I'm located in Turkey.
How can I use this tool?
It says right there in the title. You can't, it only includes the decryption keys for Syrian users, as they were released publicly by GandCrab. Hang on, we're working on a tool to address other regions.
Understood, thanks. I'm waiting. Good work.
Do you have a tool for Sri Lanka users now? Please mention it.
this link https://labs.bitdefender.com/2018/10/bitdefender-law-enforcement-solve-for-multiple-versions-of-gandcrab-with-new-decryptor/
Hi, and thanks for the efforts that are being made to deal with ransomware.
First of all, I apologize for my weak English,
My name is Mohammad and I'm from IRAN. I'm an IT employee at Karafarin Bank Company. On 22 Aug 2018, 4 devices from my servers were attacked by GandCrab v4.0 and this created major problems at my workplace.
After encountering this problem, I began to negotiate with the ransom support team through the link in the Ransom-Note txt file via TOR Browser, and through them I managed to get the Decrypter file and private.key file from one of the servers. The problem was that these 4 servers are linked through shared folders, and they were infected. I ran the Decrypter and private.key file that I received on each of the four servers, but this key only decrypted one of the servers and deleted all the Ransom-Note txt files from all servers (this feature was located in the Decrypter file). That's why I do not have any Ransom-Note txt files for my other 3 servers. Now my main problem is the Ransom-Note txt files of the other 3 servers for decrypting files. If you think that the Decryptor and the private.key that have been sent to me will help resolve the issue, please ask me to send them to you.
Thanks for Help,
Yours sincerely.
Mohammad Yari
Your case is currently with one of our threat researchers. Thanks for your patience!
You can send us the decryption tool on one of your servers. Just like the message file on the remaining servers via gmail maytinhcn. The tools that you decode for a good host can be fortunate to support other victims in our country. Thanks.
I ask for your decoding tool
Getting an initialization error. Sent the log to the email in the tool; please have a look and reply back.
GandCrab v5.0.4
All your files, documents, photos, databases and other important files are encrypted and have the extension: .MOEDPKMQ
Hello, I have removed the malware from my PC BUT the decryptor is not working for me; it keeps saying .. initialization FAILED! ..
—= GANDCRAB V5.0.3 =—
and encrypted files have the .occbc extension
Please help me, all my work is encrypted
Hi, how did you remove the malware?
Thanks!
How did you remove the malware?
Hi,
I have the same problem as saman with the same GandCrab version but my extension is dofhnir.
Is there any solution for decrypting my files?
tnx
All my data was hit. It's the 5.0.3 version. It's very stressful but I will have to wait on a fix.
Hang on, take a backup of the encrypted files + ransom note, clean your PC with an antimalware solution and stand by for a new tool to decrypt 5.0.3.
Hi, I'm infected by
—= GANDCRAB V5.0.3 =—
the extension: .TWTBVCKC
I'm in Italy, is there any decryptor available?
If I run the recognition tool it finds several different ransomware types
Rapid
cerber
Gandcrab 1 and 2
saturn sigma
…
What shall I do?
thanks,
fabio
Decrypting all files encrypted by GANDCRAB V5.0.3 with extension OGOWN from Tanzania. A BIG THANK YOU
Stay safe!
Hi, thanks for putting this out. Will it work on Windows Server 2008?
Thanks!
Hey, Fabrici! Yes, it would work with Windows Server 2008 as well, but ONLY if you are in Syria. The tool contains decryption keys for Syrian users only, as clearly specified in the article.
A big thank you for all your hard work Bogdan
HI
THE DOWNLOAD LINK IS NOT WORKING
I am in Burkina Faso, no way for us please
Sure there is. Download the tool again – it has been updated in between. Run it and, if anything fails, write us at forensics@bitdefender.com. Please attach the logs in %temp%\BDRemovalTool\BDRansomDecryptor. Thanks!
The link is not working??
Everything works just fine now.
Hello Bogdan, please, I received this link but the download link is not working: download not completed due to network error
Try again, the pipes get clogged from time to time. Downloads are working OK now.
Hi
I am PAVAN from INDIA.
My PC is infected with GandCrab V5.0.1, with a 5 random letter file extension. I have cleared the malware but am unable to decrypt the infected files. Is there any decryptor?
Thank you
Hi, this is the text note I received:
—= GANDCRAB V5.0.3 =—
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .TWTBVCKC
Is there any decryptor available?
I tried this link but the download is not completed due to network error. Please help me.
https://labs.bitdefender.com/2018/10/bitdefender-law-enforcement-solve-for-multiple-versions-of-gandcrab-with-new-decryptor/
Mine is bvwdwmyz. Could anyone help me please!
Download the tool again. Run it. If you encounter any issues, write us at forensics@bitdefender.com and provide us with the logs in %temp%\BDRemovalTool\BDRansomDecryptor. Thanks!
Hi, where can I find this %temp%\BDRemovalTool\BDRansomDecryptor? I'm using Windows 7. Thank you
Open any folder on your computer. Write that file path as it is – %temp%\BDRemovalTool\BDRansomDecryptor in the address bar above. You will be redirected to the actual folder. Get the contents, attach it to an e-mail and send it our way.
Didn't work. Where can I find the temp file?
Hi,
My file was encrypted by GandCrab v5.0.3 with extension .dofhnir.
Can the decryption tool recover my files?
I tried using the decryptor for version 5.0.4 but the program fails to even start the scan, with an "Initialization failed" error. I have sent in some files with the text file along with logs from the folder to the team. Hoping that this issue will be addressed. Maybe there is a command line tool? Or anyone who was able to successfully run the program can provide some help and decrypt the files of other people somehow?
I want to know if the files can be decrypted somehow; otherwise I want to do a clean installation of Windows and forget about them forever.