Gandcrab developers show empathy towards Syrian ransomware victims


GandCrab Decryption keys released for Syrian victims

Last week, an individual with a particularly acute ransomware story took to twitter to plead for help, reaching out to us in the process.  

Gandcrab twitter outreach

We claim no credit whatsoever for the end result (we get a large volume of fictitious and malicious inbound that looks substantially similar every day), but we’re glad to see the resolution.  The visibility of the individual’s outreach was picked up by other outlets and caught the attention of the GandCrab ransomware developers. In a display of empathy, the GandGrab developers released decryption keys for all victims of Syrian origin. Not adding Syria to the original block list was a mistake they admitted.  

Gandcrab ransomware is unique in that the developers have invested a great deal in the payment and decryptor tool delivery infrastructure. That investment likely paid off in this instance as they were able to programmatically make a change to their TOR payment site to allow residents of Syria to download decryptor tools for free.  

This example of ransomware developers releasing decryption keys is not entirely unique. There are other examples of hackers releasing publicly accessible decryption keys after their campaigns end.  When decryption is not urgent we always counsel clients to preserve copies of encrypted data. When decryption tools or keys are publicly released those who preserve their data have the ability to make a full recovery.


*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at:

Bill Siegel

Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.

bill-siegel has 55 posts and counting.See all posts by bill-siegel