Cybersecurity company Bitdefender, Europol, the Romanian Police and the FBI have teamed up to release a free GandCrab ransomware decryptor, which allows those impacted to break the malware (up to version 5.03) without paying a ransom.
The new decryption tool can be downloaded from Bitdefender Labs or the No More Ransom website – a joint project between the National Dutch Police and Europol to combat ransomware at the European Union level.
The tool is the latest effort to stay ahead of rapidly evolving ransomware variants, with an initial decryption tool developed by Romania-headquartered Bitdefender rapidly met by mutations in the GandCrab ransomware that rendered it useless.
GandCrab has infected nearly half a million victims since it was first detected in January 2018, Europol said.
What is the GandCrab Ransomware?
V1 of GandCrab (first discovered this January) encrypted users’ files with a unique key and extorted a ransom in the DASH crypto-currency.
The version was distributed via exploit kits such as RIG EK and GrandSoft EK. As New Jersey-based Comodo Cybersecurity notes: “The ransomware copied itself into the “%appdata%\Microsoft” folder and injected to the system process nslookup.exe.”
“It made the initial connection to pv4bot.whatismyipaddress.com to find out the public IP of the infected machine, and then run the nslookup process to connect to the network gandcrab.bit a.dnspod.com using the “.bit” top-level domain.”
V4 of the ransomware, identified in July, uses the Tiny Encryption Algorithm (TEA) to avoid detection. TEA is a “minimal” (rapid) and efficient symmetric encryption algorithm developed by David Wheeler and Roger Needham. V5 came with a random five-character extension for encrypted files (for example turning cbr.doc into cbr.doc.zxcvb) and has an HTML ransom note.
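The V5 renaming pattern described above can be used to triage a file listing before reaching for the decryptor. The following sketch is an added example, not code from Bitdefender, Europol or the original article; the function name, the allow-list of legitimate five-character extensions, the recurrence threshold and the sample paths are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the appended extension is exactly five ASCII letters or digits,
# matching the article's example (cbr.doc -> cbr.doc.zxcvb).
SUFFIX_RE = re.compile(r"^[A-Za-z0-9]{5}$")
# Assumption: a few legitimate five-character extensions to ignore.
KNOWN_FIVE = {"accdb", "xhtml", "plist", "class", "woff2", "ipynb"}

# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\a\Documents\cbr.doc.zxcvb",
    r"C:\Users\a\Documents\budget.xlsx.zxcvb",
    r"C:\Users\a\Pictures\team.jpg.zxcvb",
    r"C:\Users\a\Downloads\setup.tar.gz",
    r"C:\Users\a\Documents\notes.txt",
    r"C:\Users\a\Documents\db.backup.accdb",
    r"C:\Users\a\src\app.min.xhtml",
]


def find_v5_candidates(paths, min_files=3):
    """Group files by an appended five-character extension (hypothetical helper).

    Returns {suffix: [(path, presumed_original_name), ...]} for suffixes that
    sit on top of another extension and recur on at least min_files files.
    One-off double extensions rarely repeat, so recurrence cuts false positives.
    """
    groups = defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)  # parses both "\" and "/" separators
        if len(p.suffixes) < 2:
            continue  # no original extension underneath the last one
        last = p.suffixes[-1][1:].lower()
        if not SUFFIX_RE.match(last) or last in KNOWN_FIVE:
            continue
        # p.stem drops only the final suffix: "cbr.doc.zxcvb" -> "cbr.doc"
        groups[last].append((raw, p.stem))
    return {s: hits for s, hits in groups.items() if len(hits) >= min_files}


if __name__ == "__main__":
    for suffix, hits in find_v5_candidates(SAMPLE).items():
        print(f".{suffix}: {len(hits)} files share this appended extension")
        for path, original in hits:
            print(f"  {path}  (original name: {original})")
```

A suffix that recurs across many unrelated file types is only an indicator that points toward V5; it does not confirm the ransomware version.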
New Tool Decrypts Versions 1, 4 and 5 of the GandCrab Ransomware
The new tool can now decrypt data ransomed by versions 1, 4 and 5 of the GandCrab malware.
Bitdefender, which is not naming spokespeople for fear of reprisals, said in an emailed statement: “The release of this decryption tool is a spectacular breakthrough that highlights the effectiveness of collaboration between security vendors and law enforcement agencies.”
“We have spent months on crypto-research and deployed considerable infrastructure to make this possible and help victims regain control of their digital life at no cost.”
Europol added: “The rapid spread of GandCrab has been helped along by a ransomware-as-a-service scheme, which offers on the dark web to wannabe criminals with little to no technical expertise a toolkit for launching quick and easy malware attacks, in exchange for a 30% cut from each ransom payment.
In order to further maximise the profits, the GandCrab developers are also partnering up with other services in the cybercrime supply chain, enabling different criminal groups to practice their core competencies while working together to earn more illicit profits than they would be able to gather working individually.