A free GandCrab ransomware decryptor has been made available on the No More Ransom depository. The decryptor works for files encrypted by versions 1, 4, early versions of 5, and versions 5.0.4 to 5.1, which can now be decrypted without paying the ransom.
Ransomware is a malware variant that denies the user access to their device, or to specific files on the device, until a ransom has been paid to the scammer. Ransomware attacks are becoming increasingly common, particularly against organisations in the healthcare industry due to the high black-market value of healthcare data. The malware is readily available on the dark web. If a campaign were successful, it would prove a lucrative endeavour for the hacker with minimal effort on their part. The malware is often delivered through targeted phishing attacks.
GandCrab was one of the most significant ransomware variants used in 2018. GandCrab ransomware is particularly dangerous as it can also automatically map and encrypt files on network shares, resulting in both local and widespread file encryption.
A Europol report stated that hackers had infected 500,000 devices with GandCrab since January 2018. The threat actors demand ransoms of between $300 and $6,000, to be paid in Dash or other cryptocurrencies. GandCrab is available as Ransomware-as-a-Service (RaaS), allowing many cybercriminals to launch ransomware campaigns and earn commission for the use of this ransomware. GandCrab dominates the ransomware-as-a-service market as the most widely used variant.
The cybercriminal gang behind the ransomware has updated the code regularly over the past 12 months, although several flaws have been identified that have allowed GandCrab ransomware decryptors to be developed.
In February 2018, a tool was released which allowed files to be recovered without paying the ransom for specific versions of GandCrab. October 2018 saw an updated tool released which worked on all but two versions of the ransomware.
Europol reports that the two tools have been downloaded more than 400,000 times and have allowed around 10,000 victims to recover their files without sending the threat actors any payment.
However, the latest variants of the ransomware have proven difficult to crack due to their method of RSA encryption. The Romanian police, in conjunction with Europol, Bitdefender, and law enforcement agencies in the US, Canada, and throughout Europe, developed a new GandCrab ransomware decryptor that allows files encrypted by the latest version 5 variants to be recovered.
This relief may be short-lived. The threat actors behind GandCrab ransomware are working on an updated version of the ransomware, and it is likely that it will be protected against these tools. Some reports suggest version 5.2 is almost ready for release.