October 25, 2018

New GandCrab Ransomware Decryptor Released

The white hat vs ransomware race continues as Bitdefender, Europol, the FBI and Romanian police release free new tool

By CBR Staff Writer

Cybersecurity company Bitdefender, Europol, the Romanian Police and the FBI have teamed up to release a free GandCrab ransomware decryptor, which lets victims of versions 1, 4 and 5 (up to 5.03) of the malware recover their encrypted files without paying a ransom.

The decryption tool can be downloaded from Bitdefender Labs or from the No More Ransom website, a joint project between the Dutch National Police and Europol to combat ransomware at the European Union level.


The tool is the latest effort to stay ahead of rapidly evolving ransomware variants: an initial decryption tool developed by Romania-headquartered Bitdefender was quickly met by mutations in GandCrab that rendered it useless.

GandCrab has infected nearly half a million victims since it was first detected in January 2018, Europol said.

What is the GandCrab Ransomware?

[Image: A GandCrab ransomware threat screen]

V1 of GandCrab (first discovered in January 2018) encrypted users' files with a unique key and extorted a ransom in the DASH cryptocurrency.

This version was distributed via exploit kits such as RIG EK and GrandSoft EK. As New Jersey-based Comodo Cybersecurity notes: "The ransomware copied itself into the "%appdata%\Microsoft" folder and injected into the system process nslookup.exe."

"It made the initial connection to to find out the public IP of the infected machine, and then ran the nslookup process to connect to the network gandcrab.bit using the ".bit" top-level domain."
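The three behaviours Comodo describes (a binary running out of %appdata%\Microsoft, nslookup.exe launched by that binary, and name resolution of a ".bit" Namecoin domain that no ordinary corporate resolver should ever see) are each cheap to hunt for in endpoint telemetry. The script below is an added example, not Comodo's or Bitdefender's code: it runs three such checks over a handful of constructed log records in a simplified JSON schema that is assumed here for illustration (the field names are not those of any real EDR or Sysmon export).

```python
"""Hunt endpoint log records for the GandCrab v1 behaviours quoted above.

Added example; the records, their schema and the file name wjgsbb.exe are
constructed for illustration and are not real indicators from the article.
"""
import json
import ntpath
import re
from typing import Dict, Iterable, List

# A PE running directly out of the roaming %APPDATA%\Microsoft folder.
APPDATA_MICROSOFT = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample telemetry (simplified schema, not a real product's export).
SAMPLE_LOGS = [
    r'{"event": "ProcessCreate", "image": "C:\\Windows\\System32\\svchost.exe", "parent": "C:\\Windows\\System32\\services.exe"}',
    r'{"event": "ProcessCreate", "image": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\wjgsbb.exe", "parent": "C:\\Windows\\explorer.exe"}',
    r'{"event": "ProcessCreate", "image": "C:\\Windows\\System32\\nslookup.exe", "parent": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\wjgsbb.exe"}',
    r'{"event": "DnsQuery", "image": "C:\\Windows\\System32\\nslookup.exe", "query": "gandcrab.bit"}',
    r'{"event": "DnsQuery", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "query": "www.example.com"}',
    r'{"event": "NetworkConnect", "image": "C:\\Windows\\System32\\nslookup.exe", "dest": "203.0.113.7:53"}',
]


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per (rule, record) match across the given JSON lines."""
    findings: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        event = rec.get("event")
        image = rec.get("image", "")
        parent = rec.get("parent", "")

        # 1. Malware copied itself into %appdata%\Microsoft and executed from there.
        if event == "ProcessCreate" and APPDATA_MICROSOFT.search(image):
            findings.append({"rule": "exe_in_appdata_microsoft", "record": rec})

        # 2. nslookup.exe spawned by something living in that folder (injection target).
        if (event == "ProcessCreate" and _basename(image) == "nslookup.exe"
                and APPDATA_MICROSOFT.search(parent)):
            findings.append({"rule": "nslookup_spawned_from_appdata", "record": rec})

        # 3. Any query for a Namecoin ".bit" name; a normal resolver cannot answer these.
        query = rec.get("query", "").lower().rstrip(".")
        if event == "DnsQuery" and query.endswith(".bit"):
            findings.append({"rule": "namecoin_bit_domain_query", "record": rec})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding["rule"], "->", finding["record"].get("image"))
```

Rule 3 is the cheapest and least noisy of the three: ".bit" is not a delegated TLD, so a query for one is a strong signal on its own. Rules 1 and 2 will fire on some legitimate software that installs per-user, so they are better used as enrichment for an alert than as alerts in their own right.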


V4 of the ransomware, identified in July 2018, uses the Tiny Encryption Algorithm (TEA), reportedly to help it avoid detection. TEA is a compact and fast symmetric block cipher (64-bit blocks, 128-bit key) designed by David Wheeler and Roger Needham at the University of Cambridge. V5 appends a random five-character extension to encrypted files (for example, cbr.doc becomes cbr.doc.zxcvb) and drops an HTML ransom note.
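For readers who have not met TEA before, the following is an added reference implementation of the cipher itself (not GandCrab's code, and the article does not say how the malware applies it): a 64-bit block is split into two 32-bit words, the 128-bit key into four, and each of 32 cycles mixes the words with the key schedule constant 0x9E3779B9. The padding and ECB wrapper around it are assumptions made only to turn a block cipher into something that can round-trip an arbitrary message.

```python
"""Tiny Encryption Algorithm (TEA), Wheeler and Needham, Cambridge 1994.

Added example, not code from the article or from any GandCrab sample.
"""
import struct

DELTA = 0x9E3779B9   # key schedule constant, derived from the golden ratio
MASK32 = 0xFFFFFFFF
CYCLES = 32          # 32 cycles = 64 Feistel rounds
BLOCK = 8            # bytes


def _key_words(key: bytes):
    if len(key) != 16:
        raise ValueError("TEA uses a 128-bit (16-byte) key")
    return struct.unpack("<4I", key)


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block (little-endian word order)."""
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = _key_words(key)
    total = 0
    for _ in range(CYCLES):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack("<2I", v0, v1)


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Invert tea_encrypt_block by running the cycles backwards."""
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = _key_words(key)
    total = (DELTA * CYCLES) & MASK32
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return struct.pack("<2I", v0, v1)


def tea_encrypt(data: bytes, key: bytes) -> bytes:
    """PKCS#7-style padding plus ECB; an assumed wrapper kept minimal for the example.
    ECB leaks equal plaintext blocks and is not a recommendation for real use."""
    pad = BLOCK - (len(data) % BLOCK)
    padded = data + bytes([pad]) * pad
    return b"".join(tea_encrypt_block(padded[i:i + BLOCK], key)
                    for i in range(0, len(padded), BLOCK))


def tea_decrypt(data: bytes, key: bytes) -> bytes:
    if len(data) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    padded = b"".join(tea_decrypt_block(data[i:i + BLOCK], key)
                      for i in range(0, len(data), BLOCK))
    pad = padded[-1]
    if not 1 <= pad <= BLOCK or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return padded[:-pad]


if __name__ == "__main__":
    key = bytes(range(16))                      # constructed demo key
    ct = tea_encrypt(b"GandCrab v4 uses TEA", key)
    print(ct.hex())
    print(tea_decrypt(ct, key))
```

The whole cipher is a few dozen machine instructions with no tables, which is exactly why it turns up in malware: it is trivial to embed and leaves no S-box constants for a signature to match. The 64-bit block size and simple key schedule also make TEA a poor choice for protecting large volumes of data, but that does not stop a ransomware author from using it.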

New Tool Decrypts Versions 1, 4 and 5 of the GandCrab Ransomware

The new tool can decrypt data held to ransom by versions 1, 4 and 5 of the GandCrab malware.

Bitdefender, which is not naming spokespeople for fear of reprisals, said in an emailed statement: “The release of this decryption tool is a spectacular breakthrough that highlights the effectiveness of collaboration between security vendors and law enforcement agencies.”

“We have spent months on crypto-research and deployed considerable infrastructure to make this possible and help victims regain control of their digital life at no cost.”

Europol added: "The rapid spread of GandCrab has been helped along by a ransomware-as-a-service scheme, which offers on the dark web to wannabe criminals with little to no technical expertise a toolkit for launching quick and easy malware attacks, in exchange for a 30% cut from each ransom payment.

"In order to further maximise the profits, the GandCrab developers are also partnering up with other services in the cybercrime supply chain, enabling different criminal groups to practice their core competencies while working together to earn more illicit profits than they would be able to gather working individually."
