GandCrab

In collaboration with law enforcement agencies around the world, Bitdefender has released an updated decryptor for the GandCrab Ransomware that can decrypt files encrypted by versions 1, 4, and 5 through 5.2.

In announcements by both Bitdefender and Europol, a decryptor for the GandCrab Ransomware was released that decrypts the latest versions of the ransomware.

"The tool is released in partnership with law enforcement agencies from Austria (Bundeskriminalambt – BMI), Belgium (Federal Computer Crime Unit), Bulgaria (Bulgarian Cybercrime Unit), France (Police Judiciaire de Paris – Befti), Germany (LKA Baden-Württemberg), the Netherlands (High Tech Crime Unit), Romania (DIICOT), the United Kingdom (NCA and Metropolitan Police), the United States (FBI) and Europol, together with the private partner Bitdefender."

Similar to previous releases of GandCrab Ransomware decryptors by Bitdefender, this tool is not being made available due to a flaw in the encryption algorithm. Instead, the security firm, in collaboration with law enforcement, was able to gain access to GandCrab command & control servers in order to download the decryption keys needed to decrypt a victim's files.

Instructions on how to use the GandCrab decryptor can be found at the end of the article. If you need any help, feel free to leave a comment in this article or our GandCrab Support and Help forum topic.

The rise and fall of GandCrab

BleepingComputer has been following GandCrab since it was first released on January 28th, 2018, when it began to be distributed through a Ransomware-as-an-Affiliate system on underground hacker forums like Exploit.in.

When first released, the GandCrab Ransomware was being distributed through the RIG exploit kit and would encrypt a victim's files and append the .GDCB extension to their names.

Original GandCrab Ransom Note

The GandCrab developers had a penchant for taunting researchers and organizations that monitored ransomware, and the first release was no different.

When first released, the GandCrab devs sent BleepingComputer a taunt, or message, in their executable by naming one of their command & control servers after us and other organizations known to track ransomware.

These original C2s were:

bleepingcomputer.bit
nomoreransom.bit
esetnod32.bit
emsisoft.bit
gandcrab.bit

Since then, we have followed the GandCrab team as they released multiple versions, up to their final release of version 5.2.

GandCrab 5.2 Ransom Note

While the GandCrab team hit some roadblocks along the way, with C2 servers being hacked and researchers releasing decryptors [1, 2, 3], when they announced their retirement this month they also claimed to have earned a massive amount of revenue.

In a retirement post to the hacker forum Exploit.in, the ransomware developers claim to have earned $2 billion in ransom payments and $150 million in personal profit.

GandCrab Retirement Announcement

With the release of this updated decryptor, the life of the GandCrab Ransomware is officially over and users can now retrieve their files for free.

How to Decrypt GandCrab encrypted files

If you were infected with GandCrab Ransomware v1, v4, or versions 5 through 5.2, you will now be able to get your files back for free using the updated decryptor by Bitdefender.

To get started, download the BDGandCrabDecryptTool.exe file from the following download link.

GandCrab Decryptor (for versions 1, 4, and 5-5.2)

Once downloaded, double-click on the program and you will be greeted with a license agreement, which you should accept.

The decryptor will open and display a notice that the machine needs to be connected to the Internet for the tool to work. This is because the decryptor needs to connect back to the Bitdefender servers in order to check for your decryption key and download it.

Internet Notice

You will now be shown the main GandCrab decryptor screen as shown below. At this point you have the option to either decrypt the entire computer or a specific folder.

Bitdefender GandCrab Decryptor

I suggest you test the decryptor against a single folder first to make sure it works and that there are no issues. If successful, you can then select "Scan entire system" to decrypt the whole computer.

Once you have selected the option you want, click the Start Tool button to begin decryption.

Once the decryption process is started, the decryptor will look for a ransom note to retrieve certain information, which is then uploaded to Bitdefender's servers. If a key can be found, it will be sent back to the decryptor.

Retrieving Decryption Key

Once a decryption key is retrieved and loaded, the decryptor will start to decrypt the files on your computer. You can track its progress by using the scroll bar in the decryptor window.

Decrypting GandCrab Encrypted Files

When done, the decryptor will state that it has finished and alert you to any issues.

If there are issues, you can click on the log file link to automatically open the %Temp%\BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt log file. This file will contain a summary of the decrypted files and any that were not able to be decrypted.

Decryptor Finished

For example, in our test, the decryptor was able to decrypt all but 10 files. Thankfully, these were application-specific files that can be recreated simply by reinstalling the application.
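To make the "test on one folder first" step measurable, here is an added PowerShell helper (not Bitdefender's or BleepingComputer's code) that inventories encrypted files in a folder before you run the decryptor, re-counts them afterwards, and shows the tail of the log file at the path given above. It assumes the .GDCB extension named in the article for version 1; later versions used other extensions, so the extension is a parameter, and the test folder path is a placeholder.

```powershell
# Added example: before/after check around a run of BDGandCrabDecryptTool.exe.
# Assumptions: $Folder is a placeholder test folder; $Extension defaults to the
# .GDCB extension the article names for GandCrab v1 (override for other versions).
param(
    [string]$Folder = "C:\Users\Public\Documents",
    [string]$Extension = ".GDCB"
)

function Get-EncryptedInventory {
    param([string]$Path, [string]$Ext)
    # Files still carrying the ransomware extension, with enough metadata to compare later
    @(Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $Ext } |
        Select-Object FullName, Length, LastWriteTime)
}

$before = Get-EncryptedInventory -Path $Folder -Ext $Extension
"Before decryption: $($before.Count) file(s) with extension $Extension under $Folder"
$before | Export-Csv -Path (Join-Path $env:TEMP "gandcrab-inventory-before.csv") -NoTypeInformation

Read-Host "Run BDGandCrabDecryptTool.exe against $Folder, then press Enter to re-check"

$after = Get-EncryptedInventory -Path $Folder -Ext $Extension
"After decryption: $($after.Count) file(s) still carry $Extension"
$after | ForEach-Object { "  still encrypted: $($_.FullName)" }

# The decryptor's own log, at the location the article gives
$log = Join-Path $env:TEMP "BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt"
if (Test-Path $log) {
    "Last lines of $log :"
    Get-Content -Path $log -Tail 20
} else {
    "No decryptor log found at $log"
}
```

Any file listed as still encrypted after the run should be compared against the decryptor's log before deciding whether to proceed to "Scan entire system".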

If you have any trouble working with this decryptor, feel free to leave a comment here or in our 60 page GandCrab Support and Help forum topic.
