Earlier this year in February, Bitdefender released the world’s first decryption tool to help GandCrab ransomware victims get their data back for free. But since then, victims of subsequent versions of GandCrab and its ‘ransomware-as-a-service’ affiliate approach have been reaching out to us for help.
The good news is that now you can have your data back without paying a cent to the cyber-criminals, as Bitdefender has released a free utility that automates the data decryption process. This tool recovers files encrypted by GandCrab ransomware versions 1, 4 and 5. You can recognize this ransomware and its version by the extension it appends to the encrypted files and/or by the ransom-note:
| Version | File extension | Ransom note |
|---|---|---|
| Version 1 | .GDCB | Starts with —= GANDCRAB =—, … the extension: .GDCB |
| Version 2 | .GDCB | Starts with —= GANDCRAB =—, … the extension: .GDCB |
| Version 3 | .CRAB | Starts with —= GANDCRAB V3 =— … the extension: .CRAB |
| Version 4 | .KRAB | Starts with —= GANDCRAB V4 =— … the extension: .KRAB |
| Version 5 | .([A-Z]+) | Starts with —= GANDCRAB V5.0 =— … the extension: .UKCZA |
| Version 5.0.1 | .([A-Z]+) | Starts with —= GANDCRAB V5.0.2 =— … the extension: .YIAQDG |
| Version 5.0.2 | .([A-Z]+) | Starts with —= GANDCRAB V5.0.2 =— … the extension: .CQXGPMKNR |
| Version 5.0.3 | .([A-Z]+) | Starts with —= GANDCRAB V5.0.2 =— … the extension: .HHFEHIOL |
In order for this recovery solution to work, at least 1 ransom-note must be available on your PC. The ransom-note is required to recover the decryption key. Please make sure that you do not run a clean-up utility which detects and removes these ransom-notes prior to execution of this tool. The information inside the ransom-notes is essential in the decryption process as it allows us to compute the unique decryption key for your files.
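A triage sketch for the table above, added here as an example and not part of Bitdefender's tool: it reads a ransom-note's banner and its "the extension:" line, maps them to the table's rows, and reports whether the page lists that version as recoverable. The function and field names are hypothetical, the sample notes are constructed, and accepting ASCII hyphens in the banner is an assumption.

```python
import re

# Banner as the table prints it. Assumption: notes on disk may use ASCII
# hyphens where the page shows dashes, so either form is accepted.
BANNER = re.compile(r"[-\u2013\u2014]+=\s*GANDCRAB(?:\s+V(\d+(?:\.\d+)*))?\s*=[-\u2013\u2014]+")
NOTE_EXT = re.compile(r"the extension:\s*(\.[A-Za-z]+)")

# Table rows by banner major version; None = no number (versions 1 and 2).
ROWS = {
    None: (["1", "2"], r"\.GDCB"),
    3: (["3"], r"\.CRAB"),
    4: (["4"], r"\.KRAB"),
    5: (["5"], r"\.[A-Z]+"),
}
SUPPORTED = {"1", "4", "5"}  # versions the page says the tool recovers

def triage_note(text):
    """Classify one ransom note; returns None if no GandCrab banner is found."""
    banner = BANNER.search(text)
    if banner is None:
        return None
    major = int(banner.group(1).split(".")[0]) if banner.group(1) else None
    candidates, ext_pattern = ROWS.get(major, ([], None))
    m = NOTE_EXT.search(text)
    ext = m.group(1) if m else None
    hits = [v for v in candidates if v in SUPPORTED]
    if not candidates:
        supported = "unknown version"
    elif not hits:
        supported = "no"
    else:
        supported = "yes" if hits == candidates else "unclear"  # 1 vs 2 share a banner
    return {
        "banner_version": banner.group(1),
        "candidates": candidates,
        "extension": ext,
        "extension_matches_table": bool(ext and ext_pattern and re.fullmatch(ext_pattern, ext)),
        "supported": supported,
    }

# Constructed sample notes, built from the banner strings in the table.
SAMPLES = {
    "v5": "---= GANDCRAB V5.0.2 =---\nfiles now have the extension: .CQXGPMKNR\n",
    "v3": "\u2014= GANDCRAB V3 =\u2014\nfiles now have the extension: .CRAB\n",
    "v1_or_2": "---= GANDCRAB =---\nfiles now have the extension: .GDCB\n",
}

if __name__ == "__main__":
    print({name: triage_note(note)["supported"] for name, note in SAMPLES.items()})
```

A result of "unclear" means the banner carries no version number, which the table lists for both version 1 and version 2, so the note alone does not settle whether the tool applies.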
How to use the tool
Step 1: Download the decryption utility provided by Bitdefender and save it somewhere on your computer. Please note that this tool requires an active internet connection. Without this prerequisite the decryption process won’t continue.
This tool REQUIRES an active internet connection, as our servers will attempt to reply to the submitted ID with a possibly valid RSA-2048 private key. If this step succeeds, the decryption process will continue.
Step 2: Run the utility – it should be saved on your computer as BDGandCrabDecryptor.exe.
Step 3: Agree to the terms and conditions.
Step 4: Select “Scan Entire System” if you want to search for all encrypted files or just add the path to your encrypted files. We strongly recommend that you also select “Backup files” before starting the decryption process. Then press “Scan”.
Regardless of whether you check the “Backup files” option or not, the decryption tool attempts to decrypt 5 files in the provided path and will NOT continue if decryption is unsuccessful. This extra safety mechanism ensures that the decryption tool has yielded valid files. This approach may not suit testing decryption on 1 or 2 files, or attempting to decrypt files with different extensions.
Step 5: At this point, your files should be decrypted. If you checked the backup option, you will see both the encrypted and the decrypted files. To remove the encrypted files, just search for files matching the extension and remove them in bulk. We do not encourage you to do this unless you have double-checked that your files can be safely opened and there is no trace of damage.
If you encounter any issues, please contact us via the e-mail address provided in the removal tool.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Bogdan Botezatu. Read the original post at: https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/