No More Ransom releases GandCrab decryption tool

The latest decryption tool to be made available through the No More Ransom initiative tackles the latest strand of GandCrab and is expected to save victims millions in ransomware payments.

The No More Ransom website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, McAfee and a growing list of security industry partners that aims to help victims of ransomware retrieve their encrypted data.

The latest decryption tool was developed by the Romanian police in close collaboration with internet security company Bitdefender and Europol, with support from law enforcement authorities in Austria, Belgium, Cyprus, France, Germany, Italy, the Netherlands, the UK and Canada, as well as the FBI in the US.

GandCrab is one of the world’s most prolific families of ransomware to date and has surpassed all other strains of ransomware, having infected more than 500,000 victims since it was detected in January 2018.

The ransomware is a favourite among cyber criminals and is believed to have helped them extort hundreds of millions of dollars in ransom payments in the past few months alone by targeting individuals as well as businesses.

Last year, some GandCrab affiliates began attacking organisations via exposed remote desktop protocol (RDP) instances, or by directly logging in with stolen domain credentials.

After authenticating on a compromised PC, attackers typically run the ransomware manually and instruct it to spread across the entire network. Once the network is infected, the attackers wipe their traces clean and contact the victim with a decryption offer.  

Recently, GandCrab operators have also started to deliver ransomware to companies via vulnerabilities in remote IT support software used by managed service providers to manage customer workstations.

The latest decryption tool targets the latest versions of the ransomware and follows decryption tools made available for earlier versions of GandCab that have been downloaded more than 400,000 times and are estimated to have helped about 10,000 victims retrieve their encrypted files, saving around $5m in ransomware payments.

Despite the release of the tool, Europol said the best cure against ransomware remains diligent prevention. Users are strongly advised to use a security system with layered anti-ransomware defences, regularly back up their data and avoid opening attachments delivered with unsolicited messages, said Europol.

Bitdefender warned that although this is the third time GandCrab encryption has been defeated in the past year, the ransomware’s operators are expected to continue changing tactics, keys and techniques.

This persistence is why prevention is crucial, the security firm said. “If you have a security solution, make sure it is up to date and has layered defences against ransomware,” it said. “The better it is at detection, the lower your chances of infection. Also, make sure you are running the latest version of your operating system and third-party software.”

Bitdefender also advised organisations and individuals to make and verify an external backup of important data to ensure that, in the event of a ransomware attack, there is a copy of data to restore from.