GandCrab Ransomware decryption tool

Earlier this year in February, Bitdefender released the world’s first decryption tool to help GandCrab ransomware victims get their data back for free. But since then, victims of subsequent versions of GandCrab and its ‘ransomware-as-a-service’ affiliate approach have been reaching out to us for help.

The good news is that now you can have your data back without paying a cent to the cyber-criminals, as Bitdefender has released a free utility that automates the data decryption process. This tool recovers files encrypted by GandCrab ransomware versions 1, 4 and 5. You can recognize this ransomware and its version by the extension it appends to the encrypted files and/or by the ransom note:

Version 1: file extension is .GDCB. The ransom note starts with —= GANDCRAB =— … the extension: .GDCB
Version 2: file extension is .GDCB. The ransom note starts with —= GANDCRAB =— … the extension: .GDCB
Version 3: file extension is .CRAB. The ransom note starts with —= GANDCRAB V3 =— … the extension: .CRAB
Version 4: file extension is .KRAB. The ransom note starts with —= GANDCRAB V4 =— … the extension: .KRAB
Version 5: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0 =— … the extension: .UKCZA
Version 5.0.1: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0.2 =— … the extension: .YIAQDG
Version 5.0.2: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0.2 =— … the extension: .CQXGPMKNR
Version 5.0.3: file extension is .([A-Z]+). The ransom note starts with —= GANDCRAB V5.0.2 =— … the extension: .HHFEHIOL

For this recovery solution to work, you need at least 1 ransom note available on your PC. The ransom note is required to recover the decryption key. Please make sure that you do not run a clean-up utility that detects and removes these ransom notes before you run this tool. The information inside the ransom notes is essential to the decryption process, as it allows us to compute the unique decryption key for your files.

How to use the tool

Step 1: Download the decryption utility provided by Bitdefender and save it somewhere on your computer. Please note that this tool requires an active internet connection. Without this prerequisite the decryption process won’t continue.

Download the GandCrab decryption tool

This tool REQUIRES an active internet connection, as our servers will attempt to reply to the submitted ID with a possibly valid RSA-2048 private key. If this step succeeds, the decryption process will continue.

Step 2: Run the utility – it should be saved on your computer as BDGandCrabDecryptor.exe.

Step 3: Agree to the terms and conditions.

Step 4: Select “Scan Entire System” if you want to search for all encrypted files or just add the path to your encrypted files. We strongly recommend that you also select “Backup files” before starting the decryption process. Then press “Scan”.

Regardless of whether you check the “Backup files” option or not, the decryption tool attempts to decrypt 5 files in the provided path and will NOT continue if decryption is unsuccessful. This extra safety mechanism ensures that the decryption tool has yielded valid files. This approach may not suit testing decryption on 1 or 2 files, or attempting to decrypt files with different extensions.

Step 5: At this point, your files should be decrypted. If you checked the backup option, you will see both the encrypted and the decrypted files. To remove the encrypted files, just search for files matching the extension and remove them in bulk. We do not encourage you to do this unless you have double-checked that your files can be safely opened and there is no trace of damage.

If you encounter any issues, please contact us via the e-mail address provided in the removal tool.
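A pre-flight check for the prerequisites above, as an added example that is not part of Bitdefender's tool or of the original article: it confirms that at least one ransom note with a GandCrab banner survives, copies the notes aside, counts encrypted samples against the 5 files the tool test-decrypts, and flags files over the 4 GB limit the author describes in the comments below. The `-DECRYPT.txt` name filter (taken from the note names quoted in the comments), the function names, reading "4 GB" as 2**32 bytes, and the sample folders are assumptions; all sample data is constructed.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Core of the ransom-note banner, e.g. "= GANDCRAB V5.0.2 =". The dashes around it
# are ignored so typographic variants of the banner still match.
BANNER = re.compile(r"=\s*GANDCRAB(?:\s+V(\d+(?:\.\d+)*))?\s*=")
SUPPORTED_MAJOR = {"1", "4", "5"}  # versions the article says the tool recovers
MIN_SAMPLES = 5                    # the tool test-decrypts 5 files before it continues
SIZE_LIMIT = 4 * 1024 ** 3         # "4 GB" read as 2**32 bytes (assumption)


def banner_version(path):
    """Return the version printed in a note's banner, '1/2' if the banner carries
    none (the article lists that banner for versions 1 and 2), or None if the
    first non-empty line is not a GandCrab banner. Assumes a UTF-8/ASCII note."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(4096)
    except OSError:
        return None
    first = next((ln for ln in head.splitlines() if ln.strip()), "")
    m = BANNER.search(first)
    return (m.group(1) or "1/2") if m else None


def preflight(root, extension, backup_dir=None, size_limit=SIZE_LIMIT):
    """Check a folder against the tool's stated prerequisites before running it."""
    ext = "." + extension.lstrip(".").lower()
    files = sorted(p for p in Path(root).rglob("*") if p.is_file())
    notes, versions, samples, oversized = [], set(), 0, []
    for p in files:
        name = p.name.lower()
        if name.endswith(ext):
            samples += 1
            if p.stat().st_size > size_limit:
                oversized.append(str(p))
        elif name.endswith("-decrypt.txt"):  # hypothetical name filter, see lead-in
            version = banner_version(p)
            if version:
                notes.append(p)
                versions.add(version)
    if backup_dir is not None:
        # Keep a copy of every note out of reach of clean-up utilities.
        dest = Path(backup_dir)
        dest.mkdir(parents=True, exist_ok=True)
        for i, note in enumerate(notes):
            shutil.copy2(note, dest / f"{i:04d}_{note.name}")
    problems = []
    if not notes:
        problems.append("no ransom note found: the decryption key cannot be recovered")
    for v in sorted(versions):
        if v[0] not in SUPPORTED_MAJOR:
            problems.append(f"banner version {v} is not among the supported versions")
    if samples < MIN_SAMPLES:
        problems.append(f"only {samples} encrypted file(s): the tool test-decrypts {MIN_SAMPLES}")
    return {"notes": [str(n) for n in notes], "versions": sorted(versions),
            "samples": samples, "oversized": oversized, "problems": problems}


def demo():
    """Run the check on two constructed folders (sample data, not real notes)."""
    base = Path(tempfile.mkdtemp())
    good, bad = base / "good", base / "bad"
    (good / "docs").mkdir(parents=True)
    bad.mkdir()
    (good / "docs" / "GDCB-DECRYPT.txt").write_text("---= GANDCRAB =---\n\nconstructed note body\n")
    (good / "notes-DECRYPT.txt").write_text("shopping list\n")  # name matches, banner does not
    for i in range(6):
        (good / "docs" / f"report{i}.docx.GDCB").write_bytes(b"\0" * 64)
    (good / "docs" / "vm.vmdk.GDCB").write_bytes(b"\0" * 2048)
    (bad / "CRAB-DECRYPT.txt").write_text("\n---= GANDCRAB V3 =---\nconstructed note body\n")
    for i in range(2):
        (bad / f"photo{i}.jpg.CRAB").write_bytes(b"\0" * 64)
    # size_limit is lowered to 1 KiB so the oversize branch runs without a 4 GB file.
    ok = preflight(good, "GDCB", backup_dir=base / "note-backup", size_limit=1024)
    ko = preflight(bad, "CRAB")
    copies = sorted(p.name for p in (base / "note-backup").iterdir())
    shutil.rmtree(base)
    return ok, ko, copies


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it against a copy of the affected folder and pass a `backup_dir` on separate storage before any disinfection step, so the notes survive clean-up.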

Acknowledgement

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

134 Comments

  • Thank you Bogdan very much for that decryption tool. But unfortunately I could not download it. It downloads to 99% and fails with a 'Network error' message.
    I tried via different internet connections and devices – the same.
    Please fix the download link!

  • The download is not working… I have tried from 2 different PCs (the infected one in safe mode with networking, and a clean one). When the download gets to 100% it says "failed – network error". Windows Defender off, antivirus off, 3 browsers (Opera / Chrome / Firefox).

    • The download should be fixed now. Please try to download the decryption tool again. Thanks!

  • Hello, I have removed the malware from my PC BUT the decrypter is not working for me.

    It keeps saying .. initialization FAILED! ..

    Please help me, all my work is encrypted .. here is an image of what it says

    https://ibb.co/nCSv5x

    • Hi there, Mahmoud. There is a new version of the tool that addresses the issue you reported. Download it again and give it another go.

      • Hello Bogdan, I too keep getting initialization FAILED at the end of the scan. I tried it 3 times with the same result each time.

      • Hi there, I keep running into the same problem as Mahmoud is with both the initial and now the most recent version. Any help is greatly appreciated.

        • I have in the meantime attached the log to an e-mail message and sent it over to the e-mail address indicated in the removal tool. Thank you in advance.

    • No, the tool only decrypts the files. Before starting, take a copy of the ransomed files along with the ransom note. Disinfect the PC and use the tool. Watch out not to get the ransom note deleted in the process – a lot of security solutions would delete the ransom note during clean-up, so make sure you have it saved somewhere safe.

    • Hey, David. The decryption tool generates a log file in %temp%\BDRemovalTool\BDRansomDecryptor\. Just attach the logs to an e-mail message and send it over to the e-mail address indicated in the removal tool. Once we have the logs, we'll be able to see what is causing the initialization issue and hopefully find a fix for you.

      • It doesn't work for me either: Initialization failed error

        I sent the logs (I think) to the email address

        • Hi there, Tim. We have an updated decryption tool that is available at the same location. Please remove the first downloaded copy, download it again and give it another shot.

  • Hi Bogdan,

    First of all, thank you and everyone in the BitDefender lab and the people of the "No More Ransom" initiative very much for providing this tool and for continuing to fight these malware attacks and the thugs and bullies behind them. My machine got infected two days ago as I ran a font install tool on a hotel website (somewhere in Singapore) where the web page text was all gibberish. I realized, a day later, that I was hit.

    I have downloaded the "BDGandCrabDecryptTool.exe" decryptor tool (using WGET, as the normal browser (Chrome/Firefox/Opera) download attempts were all failing at 99% initially). I ran the tool and got most of the files decrypted. But some remain encrypted still. Unfortunately, some of these include my VM (vmdk files) for critical virtual machines and also a backup Outlook mailbox PST file. The logs indicate a "size not matches requirements!" error. The "No More Ransom" portal says that the files uploaded for checking should not be more than 1MB in size. Are there known limitations for this tool as well in the decryption attempts on the affected machine itself?

    I have sent you a separate email with this same message as well a copy of the log files.

    Please let me know if there is anything you can help with.

    Best Regards,

    Mohamed.

  • Hi guys, could anyone confirm if they successfully decrypted any files?
    For me the decryption tool is not working. I tried everything but I only got
    "initialization FAILED! "

    That is info from the logs (located here %temp%\BDRemovalTool\BDRansomDecryptor\ ) :
    – Id not found in ransom note!
    – Could not obtain id!
    – Decryption Initialization Failed!

    Hope it will be fixed soon.
    Will have to wait, I am sure it is not an easy task …

    • Sounds like you have deleted the ransomware notes. Without the ID in the note it's impossible to decrypt files.

  • Finally it works :clapping:

    This is what I did:

    First I restored the original GDCB-DECRYPT.txt from the Quarantine list in my antivirus and placed it in the file I want to decrypt.

    Then I deleted everything in the temp folder and deleted the GDCB-DECRYPT.txt generated by BDGandCrabDecryptTool in my C: drive.

    I had a lot of copies of BDGandCrabDecryptTool.exe; I only kept one copy.

    Then I restarted the PC and started the decrypter and it works great ..

    Hope I helped.

    • John, can you drop us a message at the mail address in the Feedback field? Please do attach the logs the tool generates in the %temp%\BDRemovalTool\BDRansomDecryptor\ folder. As soon as we get the log file we'll be able to identify the root cause and assist you further.

      Thanks!

  • Hello,

    The decryptor worked great for me. Thank you so much. Just an observation; I noticed that it didn't/couldn't decrypt any files larger than 2 GB. Is this expected behavior or a limitation?

    • This is expected behavior for files larger than 4 GB. During the encryption process, when the ransomware takes data hostage, a programming flaw on the hacker's side makes a part of the file overwrite another part, which ultimately corrupts the file. Files larger than 4 GB cannot be decrypted without some significant information loss. Partial decryption is possible but that would not help you much unless we're talking about PST or video files.

  • thank yoooooooooooooooooooooooou very very much bitdefender .. thanks to you all my files are back

    • What type of Windows 10 are you running? The "S" SKU won't let you run files that originate outside of the Microsoft Store. Can you link a screenshot of the error you receive, maybe?

      Thanks,
      Bogdan.

  • If my files were ever encrypted by GandCrab, surely the removal tool would also be encrypted and so unusable? How do people get round that?
    Secondly, since I have BitDefender, can I assume I will never need this tool as I am protected from such things and so have no need to download it?

    • Hi there, Chris.

      The ransomware encrypts the files and then demands the ransom. It does not encrypt anything past the point where it displays the ransom note, so if you download it when you realize you need it, it will not be automatically encrypted. Secondly, no sane ransomware would encrypt exe files, because this would cause the operating system not to start, which would render the user unable to grasp what happened and /or pay the ransom.

      If you already have Bitdefender installed, there is no need to download the tool. But if you know people who have fallen victim to GandCrab, please do pass the news along that there is a completely free tool, along with complimentary assistance from the engineers at Bitdefender. The more people we save for free, the less cash cyber-criminals make out of this business.

    • You mean decryption 🙂

      Not yet, but if you have fallen victim to it, save a copy of the encrypted files and the ransom note, bring your computer to a working state and watch this space. We might be able to deliver one at some point. Just not yet.

    • Hi, Nancy.

      The Bitdefender antimalware solutions are preventative – they help stop the ransomware from taking over your data in the first place. This tool is more for people whose security solution let the infection through and now they need a way to recover their data without paying. If you have a Bitdefender antimalware solution (either free or paid), you are protected against GandCrab ransomware and you don’t need this tool.

    • A quote from Bogdan BOTEZATU

      "If you already have Bitdefender installed, there is no need to download the tool. But if you know people who have fallen victim to GandCrab, please do pass the news along that there is a completely free tool, along with complimentary assistance from the engineers at Bitdefender. The more people we save for free, the less cash cyber-criminals make out of this business."

  • Thank you Bogdan and Bitdefender !!!!! Excellent work – BIG RESPECT. All my files are decrypted after installing the latest version.

    • No, there is no Mac version, since this piece of ransomware only affects Windows devices.

  • Downloaded and ran, saved to downloads and to desktop. Ran each one, all with the same result – wouldn't initialize.
    running I7-860 8 core, 16 gig memory, 260 gig SSD with Windows 10, all updates and no computer problems.
    I suggest it's fixed and reposted for download. Obviously needs some additional testing.

    • Thanks for the feedback. We would have appreciated your sending the logs more than your sarcasm.

  • Sir, I have a doubt: if I decrypt some particular files that I want (because I can't decrypt the entire thing), will the other files that I didn't decrypt affect my decrypted files?

    • No, just copy 5 files or more in a designated location and start decrypting. The tool won't initialize for less than 5 files though because of security concerns. You can decrypt the rest at a later time.

    • Daniel, Can you please send over the logs in "%temp%\BDRemovalTool\BDRansomDecryptor\"? We have a dedicated email address in the Feedback section of the decryptor. Thanks!

  • This is Arif, a victim of gandcrab ransomware.
    I want to say thank you that Bitdefender and team have made a decryption tool for GandCrab ransomware. However, unfortunately, in my case, the decryption tool did not work.

    In my case, I used the ransomware removal tool before and I scanned my computer with it. Then the removal tool removed all ransom notes (GDCB-DECRYPT.txt). Not one ransom note is left on my computer.

    Then yesterday, I found your GandCrab decryption tool product, then I downloaded it and tried to use it 5 times but always got "initialization FAILED".
    I thought that it was because not one ransom note is left on my computer.

    Then, can you help me to fix it?
    I really hope that you can help me fix it.

    • Hi, Steve!

      This is a post-mortem tool. It brings the files back after an infection with GandCrab. I hope you won't need it. Stay safe!

  • Hi Bogdan
    I have had my computer infected for almost a month now. Meanwhile I searched the internet for tons of suggestions and started applying them one by one, e.g. changing registries, spyware hunter, appcheck pro are a few examples.
    Someone suggested not to delete data out of disappointment, as someone will find a solution, and after visiting this page I was hopeful and happy that I did not delete my data, so
    I ran this app; it says initialization failed as my computer does not contain a ransom note. The same is written in the %temp% log file. So having this app but not having that note, which must have been deleted during my many days' struggle to disinfect my PC, is going to cause me problems. Isn't there any other way? Surely many other people will come here asking the same question.

    • Junaid,

      The recovery process depends on the ransom note, as it has the infection id that shows us the corresponding decryption key. But do not delete the data yet, as we're working on a solution to help those who don't have the ransom note anymore. As soon as we have something, I'll take the liberty to follow up via e-mail with you and the rest of the readers who are in a similar situation.

      Thanks for your patience, help is coming.

      • Hi Bogdan,

        On behalf of all of us, thank you for fighting this thing. Got infected today by what I can only describe as a 'virus bomb', I removed around 450 threats using Malwarebytes and Windows Defender and then realised that I had also been hit with ransomware.

        I have tried using the decryption program, but it says 'initialization failed'. From reading on here, this seems to happen to those without the 'ransom note'. However, I have multiple instances of a .txt file called 'CRAB-DECRYPT.txt' containing instructions and I assume this is the ransom note?

        I have also made sure to have at least 6 samples of encrypted (.CRAB) files in the folder I'm searching in. Still no luck.

        Please also let me know if you find a solution to this!

        Keep fighting the good fight!

      • Hi Bogdan,

        (just posted a comment which failed, commenting again)

        First, thanks for your help on this.

        My PC was infected today with over 450 threats including adware and spyware. After removing the threats using Malwarebytes and Windows Defender I soon realised I had been hit by ransomware too.

        I have downloaded your decryption tool but it gives the error 'Initialize failed'. I have made sure there are over 6 samples of encrypted files (.CRAB) in the selected folder.

        However, I have multiple instances of a file named 'CRAB-DECRYPT.txt' which contains what I believe to be the 'Ransom note'. "Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension .GDCB. The only method of recovering files is to purchase a private key etc. etc."

        Is this the 'ransom note' that contains the corresponding decryption key, or could I have accidentally removed the file I need through dis-infection process?

        Any help is greatly appreciated – I've been royally screwed over here!

        • Hello Chris,

          I have bad news.

          I'm in the same case as you, but after some research I found this …
          https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/

          We have the great honor to be the victims of version 2 of GandCrab, so for the moment there would be no solution …

          I leave you this link where you can find the details of version 2, but let's hope a new decryption tool will arrive.

        • Chris,

          The CRAB-Decrypt ransom note is generated by a different strain of ransomware, known as version 2 of the GandCrab. We can't decrypt GandCrab v2 right now but we're putting all our efforts in finding a way to get your data back. What I can tell you right now is the following:

          – take a backup of your encrypted files and save them somewhere safe;
          – take a backup of your ransom note and save it along with the encrypted files
          – restore your computer to a working state and clean the infection
          – hang on; we'll find a fix for this issue sooner or later.

  • Good afternoon, I am trying to decrypt a 4.5 GB file, a database backup, and it always gives an error. Can you help me?

    • Hey there Eleison.

      Files larger than 4 GB are corrupted by the ransomware at encryption time. Unfortunately, there is nothing we can do to fully recover those files because they get overwritten 🙁

  • Bravo Bitdefender for your protection.
    You could only succeed with Botezatu, he fights the BOG! (here it means a threat, something not good)
    HaHa!

    All the best to your team
    Paul Daelman

    • FINALLY someone who understands my contribution to this company. Thank you for your kind words, sir! 🙂

      Glad we could lend a helping hand with the tool.

  • Hello Bogdan, I have installed the tool and gave the path for scanning, but in the middle of the scanning I suddenly saw that it failed. Can you help me??

  • 2018-03-03 22:14:07.152 000000000031 000824 001980 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ wWinMain] Bitdefender Decrypt Tool Started.
    2018-03-03 22:17:51.723 000000224595 000824 003152 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ FileScanner::scanInit] Init Result = -1 "Initialization FAILED!"
    2018-03-03 22:22:39.441 000000512323 000824 002864 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ FileScanner::scanInit] Init Result = -1 "Initialization FAILED!"

    • This is the log that you want to read. When the tool wanted to scan the files I suddenly saw initialization failed, and I checked the log and posted it here. Please help, I have really important data from the last 15 years without any backup and I tried lots of ways,
      waiting for your attention.
      Thanks a lot

    • Kiran,

      Can you please send over the logs this tool creates in %temp%\BDRemovalTool\BDRansomDecryptor? There is a feedback e-mail address in the tool – as soon as we have the logs, we can help you further.

      • Hi Bogdan
        I've got the same problem: initialization failed!
        Do you have a solution?
        Bruno

        • Sure thing, Bruno.

          I can isolate the root cause that makes the tool fail but I need the logs the file creates here: %temp%\BDRemovalTool\BDRansomDecryptor.

          Just attach them to a mail message and send it to the mail address in the feedback section of the tool.

          Thanks!

  • Hi Bogdan. Thanks for the tool. I tested it and for now I have problems with .log files; these files are text files. If I change the extension to .txt the files are decrypted OK.

    • Bogdan: I have this error in the log "Decrypt [D:\DD CANVIO\MOVIES\Blended (2014) 720p BDRip Dual\Blended (2014) 720p BDRip Dual.mkv.GDCB]: ERR_1:>4GB
      [FAILED:CANNOT-CLEAN]"

      Can the limitation for size be corrected? Any workaround?

      • Jorge,

        Files larger than 4 GB are impossible to fully decrypt because a bug in the ransomware overwrites a large chunk of data after the 4GB block. In other words, when you got your large files encrypted, you also got those files corrupted. Judging by the file path above, I reckon that the file you have issues with is the Blended movie, so I presume that the damage wasn’t too big given that you can get them back via downloads or video disk rips.

        Did the rest of the files decrypt OK?

    • Hi there, Darren!

      Fortunately for everybody, this piece of ransomware does not run on smartphones. It only affects Windows computers and any kind of storage device attached to them.

  • Sir,

    I am unable to decrypt mp3 files. It shows an error "Decryption Test Failed". Kindly help

    • Krishna,

      Can you send over the logs in “%temp%\BDRemovalTool\BDRansomDecryptor\”? We have an e-mail address in the Feedback section of the tool, please attach the logs to an e-mail message and send it to that address.

      Thanks,
      Bogdan.

      • Hi Bogdan,

        I have a problem with the GandCrab Decrypter.
        If my files are greater than 0x100000 (1048576 bytes) then there is a corruption of 16 bytes EVERY 1048576 bytes.
        So the corruption is at position 0x100000, 0x200000, 0x300000 and so on.

        Is this a problem in the decryptor or is it a bad version of the GandCrab…

  • Can't thank you enough, man. 40 days unable to use many files I desperately need for my work. Had almost given up. The tool worked perfectly, I'm very very grateful. Best!!

  • Hi Bogdan, thank you,
    but this doesn't work for me (initialization failed) and when I tried to send you an e-mail with the log file, the feedback button only opened an empty page in my browser.

  • Hi. I tried both versions of the tool and it did give different results.
    2nd version, recover 20% photos in excellent condition, 60% photos with lot of damage in colors and pixels, and 20% damaged photos in their entirety.

    However, when comparing the files with both versions, I realized that this version recovered several photos with less damage than the first tool; but also,
    this version recovered photos with damage that the first tool decrypted in a better way.

    Keeping this in mind, I think that the encrypted files are possibly fine. But there is some failure when it comes to decrypting them.
    Since as I said, files that the first version took damaged, the second recovered them in good part; and files that the first version gave in an acceptable state, the second one damaged them.

    I will always be GRATEFUL for what you've done.
    Stay tuned.

    • Hi there, Onur.

      That limitation exists because of a good reason. Unfortunately, there is no way to bring back files larger than 4GB. When the ransomware encrypts the file, it inadvertently overwrites a chunk of it after the 4GB block. This corrupts the encrypted file. When you decrypt it, it is partially compromised and any format that requires integrity of the file becomes unusable.

      • Thank you very much, Bogdan.
        So far it seems to be working; if it works, it is only thanks to you that I will buy the whole internet security package from Bitdefender. I think you saved me. I'll come back when the job is done.

  • Hello there, first of all, thanks for all of your work you did a great job with helping a bunch of ransomware victims. I have some questions about the procedure before I use it;

    Is it necessary to start the computer in safe mode with network?
    Should I delete/remove any files before starting the tool?(GandCrab files or something like that)
    And last, the virus infected my gaming computer, can I recover the game files or should I install them all over again

    • Hi there, Doğaç

      You don't necessarily need to start the computer in safe mode, but you should really clean up the infection before running the tool. Just run a virus sweep on your computer and see if the antivirus solution detects the infection. If not, change it.

      After you have cleaned the computer, run the decryption tool. It will bring your data back.

      Files larger than 4 GB are impossible to decrypt because they get corrupted by the ransomware upon encryption. if you have disk images (ISO) or if your games contain large cutscenes, the tool won't be able to bring them back from their encrypted state.

  • Failed so many times.
    Could you explain me detail please? Over log file, what does it mean?
    My computer knowledge is very weak. Thanks.

  • I still have the ransom note, it's like in every folder, but the app can't find it somehow
    Can you help me?

    • Because it's a text file created by the ransomware, not an encrypted file. The program decrypts the encrypted files; just search "GDCB" in your computer and delete the text files.

    • Are you sure that the ransom note is for GandCrab V1 and not for GandCrab v2? You can easily tell the infection version from the file extensions appended: GDCB for version 1 and CRAB for version two.

  • Worked perfectly for me. Just in case, I kept one text file with the warning and ran the decryptor, and my files were back in several minutes. Thank you for your work, you guys are life savers of this generation.

  • Dear Bogdan BOTEZATU ,

    Thanks a ton for your help. The tool works perfectly. I have tried almost all other tools to decrypt GandCrab-infected files with no luck.

    Just a query. Is there any option to ensure that the network is free from GandCrab infection? Any network monitoring tool available?

    • Hi there, Binish. I think that what you are describing here is security solutions for endpoints. In which case the answer is yes – we also provide security solutions for endpoints, both free and paid. Take a look at http://bitdefender.com if you need a new security solution.

  • I have a problem: 2 terabytes are infected with this ransomware 🙁 I download it, and it says network error

    • Jayson,

      Can we get the logs created in %temp%\BDRemovalTool\BDRansomDecryptor? Send us a message with the logs at the feedback address indicated in the tool and we'll do our best to isolate the issue.

    • I suspect you might have been affected by version 2 of GandCrab. Are your files changed into *.CRAB? 🙁
      As far as I understand there is no decryption tool available for the newer version as of yet 🙁

      Fingers crossed the great people here will get that sorted soon!

    • Same for me, but I think it's because GandCrab has a new version since yesterday, and the decryption tool doesn't work with that (yet).

      • What do you mean by "portable version"? This tool is as portable as it gets, it does not install itself on the device. You can run it off a pen drive for all that matters.

    • Hi there, John!

      Can we get the logs created in %temp%\BDRemovalTool\BDRansomDecryptor? Send us a message with the logs at the feedback address indicated in the tool and we'll do our best to isolate the issue.

      • Please help… The tool says: "Looking for Encryption key…"
        Then it says: "initialization FAILED"

        Please help me

        • What file extension do your encrypted files have? Are they marked as CRAB or GDCB? This tool can decrypt GDCB files only. CRAB files cannot currently be decrypted.

  • The program finds no identified files… but my computer is full of identified files… my files end with *.CRAB … please help me

    • If your files show the .CRAB extension, then you have been encrypted with version two of this ransomware. There is no way to decrypt these files as of now.

      What you should do now is the following:

      – take a backup of your encrypted files and save them somewhere safe;
      – take a backup of your ransom note and save it along with the encrypted files
      – restore your computer to a working state and clean the infection
      – hang on; we'll find a fix for this issue sooner or later.

  • Hi Bogdan!

    Thanks for developing this tool, it worked perfectly but I have a question. Run the tool with the option "BackUp files", this made the .GDCB files still persist. What I need now is to delete those files. If I run the tool again, will the files that are already decrypted duplicate? Does the tool erase the .GDCB file and since it is decrypted does not decrypt it again?

    Thank you very much, I await your response.

    • Gaston, the simplest way to get the job done is to initiate a Windows search for the GDCB file extension and delete them via Windows Explorer once the search has finished.

  • Interrupted network error. I've been trying to download this since morning with no success.

      • My laptop was struck by GandCrab v2.
        Is there any way to get my files decrypted?

        • For the moment, we can't help you decrypt .CRAB files. Please do take a backup of your encrypted files and ransom note and save them somewhere safe. We'll let you know when we have a decryptor for them.

          Thanks,
          Bogdan.

  • Too many victims of GandCrab. 50K is the conservative figure. I think the number is much higher now. One of my friends is also a victim of this ransomware. Sent him the tool link. Let's see if it works or not. It was his office PC that was attacked. He might have opened some malicious email saying receipt or something.

    • Nope, the 50K figure is actually spot on for GandCrab V1. True, added to that is an unknown number of victims, but we know the exact figure for the V1 infections.

  • Hello,

    I have downloaded a tool on Windows 7 Professional 64 bits but it does not launch.

    Below is the log I found

    Thank you for your help

    2018-03-08 09:18:19.689 000000000000 003320 007948 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ wWinMain] Bitdefender Decrypt Tool Started.
    2018-03-08 09:22:55.197 000000275513 003320 004416 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ FileScanner::scanInit] Init Result = -1 "Initialization FAILED!"
    2018-03-08 09:25:39.292 000000439610 003320 007920 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ FileScanner::scanInit] Init Result = -1 "Initialization FAILED!"

  • Hello,

    I downloaded the tool on Windows 7 Professional 64 bits but it does not launch.

    Below you can see the log

    Thank you for your help

    2018-03-08 09:18:19.689 000000000000 003320 007948 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ wWinMain] Bitdefender Decrypt Tool Started.
    2018-03-08 09:22:55.197 000000275513 003320 004416 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ FileScanner::scanInit] Init Result = -1 "Initialization FAILED!"
    2018-03-08 09:25:39.292 000000439610 003320 007920 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ FileScanner::scanInit] Init Result = -1 "Initialization FAILED!"

  • Ok managed to download it using a Mac. Problem now is the app won't run on a brand new Dell laptop with Windows 10. Clicked it a dozen times but nothing happens. Tried run as administrator but still nothing happens. App is dead. 🙁

    • If you can download them from one computer, but not from another, chances are that there is an issue on your end. If you have successfully downloaded it on a Mac, then simply copy it on a USB drive and move it to the victim PC. Start the scan and let us know if it worked or not. Make sure that it is the right tool for you (This tool can decrypt GDCB files only. CRAB files cannot currently be decrypted).

  • Hi Bogdan,

    I'm getting an error, please can you help

    Decryptor Started

    initializing scan
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\filterpipelineprintproc.dll no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\filterpipelineprintproc.dll no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\msxpsdrv.cat no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\msxpsdrv.cat no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\msxpsdrv.inf no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\msxpsdrv.inf no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\msxpsinc.gpd no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\msxpsinc.gpd no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\msxpsinc.ppd no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\msxpsinc.ppd no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\mxdwdrv.dll no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\mxdwdrv.dll no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\xpssvcs.dll no match
    C:\6fb579c40749a51b814e1f0b587684d5\amd64\xpssvcs.dll no match
    Ransom note path : C:\6fb579c40749a51b814e1f0b587684d5\GDCB-DECRYPT.txt
    User-Id not found!
    Decryption Initialization Failed!

  • Hi Bogdan

    I downloaded and did a full scan but still no luck. It didn't decrypt any files. Any other suggestions please?

    Regards
    Ran

    • Ran,

      Are the encrypted files marked as CRAB or GDCB? This tool can decrypt GDCB files only. CRAB files cannot currently be decrypted.

  • Hello Bogdan,

    Big Thanks to you and your team for this decryption tool.

    All my files are back… But when I open a decrypted Excel file, the GandCrab Attention note is also opening in Excel with that Excel file.

    After decryption was done I removed all the .GDCB files on my PC but I am still getting that attention file while opening the existing files on my system.

    Can you please suggest why this happens?

    Thank you

    • I think I don't exactly understand what is happening over there. Can you please send a couple of files to the e-mail address in the Feedback section of the tool so we can investigate what is wrong with them?