GandCrab decryption tool released by No More Ransom

Victims of the GandCrab ransomware can recover their files without giving into the demands of the criminals thanks to a new decryption tool released for free on www.nomoreransom.org.

This data recovery kit was developed by the Romanian Police in collaboration with its counterparts from Bulgaria, France, Hungary, Italy, Poland, the Netherlands, UK and the US, together with the security company Bitdefender and Europol.

It is the most comprehensive decryption tool available to date for this particular ransomware family, working for all (versions 1,4 and 5) but two existing versions of the malware (versions 2 and 3).

This tool is released a week after the criminal group behind GandCrab made public decryption keys allowing only a limited pool of victims located in Syria to recover their files.

GandCrab is one of the most aggressive malware attacks in recent months, infecting nearly half a million victims since it was first detected in January 2018.

Once GandCrab takes over a victim’s computer and encrypts its files, it demands a ransom ranging from $300 to $6,000. The ransom must be paid through virtual currencies known to make online transactions less traceable, such as Dash and bitcoin.

In February, a decryption tool was made available on No More Ransom by the Romanian Police, with the support of the internet security company Bitdefender and Europol.

But a second version of the GandCrab ransomware was subsequently released by the criminals, this time with an improved coding which included comments to provoke law enforcement, security companies and No More Ransom. A third version followed a day later.

Now in its fifth version, this file-locking malware continues to be updated at an aggressive pace. Its developers are constantly releasing new versions of it, with more sophisticated samples being made available to bypass cyber security suppliers’ countermeasures, according to Europol.

The rapid spread of GandCrab, said Europol, has been helped along by a ransomware-as-a-service scheme. Found on the dark web, it offers criminals with little to no technical expertise a toolkit for launching quick and easy malware attacks, in exchange for a 30% cut from each ransom payment. 

To further maximise the profits, the GandCrab developers are also partnering up with other services in the cyber crime supply chain, enabling different criminal groups to practice their core competencies while working together to earn more illicit profits than they would be able to gather working individually.

“The release of this decryption tool is a spectacular breakthrough that highlights the effectiveness of collaboration between security vendors and law enforcement agencies,” said a Bitdefender spokesperson. “We have spent months on crypto-research and deployed considerable infrastructure to make this possible and help victims regain control of their digital lives at no cost.”

The No More Ransom website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and McAfee, with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Despite the growing collection of decryption tools on the No More Ransom website, Europol said the best cure against ransomware remains diligent prevention. Users are strongly advised to always keep a copy of their most important files somewhere else: in the cloud, on another drive, on a memory stick, or on another computer; use reliable and up-to-date anti-virus software; not download programs from suspicious sources; not open attachments in emails from unknown senders, even if they look important and credible; and not pay ransom if they are targeted.