The tool can decrypt files locked by GandCrab V1, V4, V5

Oct 25, 2018 09:29 GMT  ·  By

Bitdefender, in cooperation with Europol, the Romanian Police, and a number of other law enforcement agencies, has developed and released a free decryption utility for ransomware victims whose files were encrypted by GandCrab versions 1, 4, or 5.

To find out whether Bitdefender's BDGandCrabDecryptTool can recover your files, check the extension GandCrab appended to the locked documents on your computer.

If the locked files carry a .GDCB extension, a .KRAB extension, or a random ten-character extension made up of capital letters, you have been infected by GandCrab v1, v4, or v5 respectively, the three versions supported by Bitdefender's free GandCrab decryptor.

More details on the GandCrab versions BDGandCrabDecryptTool supports, along with a step-by-step tutorial on how to unlock your files, are available from Bitdefender Labs or in the how-to guide (PDF) provided by the No More Ransom portal.

"In order for this recovery solution to work, you are required to have at least one available ransom note on your PC. The ransom note is required to recover the decryption key. Please make sure that you do not run a clean-up utility which detects and removes these ransom notes prior to execution of this tool," said Bitdefender's Bogdan Botezatu.

The GandCrab decryptor requires an Internet connection to work and at least one ransom note on the compromised machine

"The information inside the ransom notes is essential in the decryption process as it allows us to compute the unique decryption key for your files."

Furthermore, the GandCrab decryptor needs an active Internet connection: it submits an ID taken from the ransom note to Bitdefender's servers, which attempt to "reply the submitted ID with a possibly valid RSA-2048 private key."
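The two checks described above (which extension was appended, and whether a ransom note still exists on the machine) are easy to get wrong by hand on a disk full of renamed files. The script below is an added example, not Bitdefender's code and not the decryptor itself: it walks a directory, maps each encrypted file to a GandCrab version using the extension rules the article gives, and reports which versions can be fed to the tool right now, which are supported but have lost their ransom note, and which (.CRAB, v2/v3) are not supported yet. It assumes, since the article does not say, that the ransom note is named `<EXT>-DECRYPT.txt` or `<EXT>-DECRYPT.html`, where `EXT` is the extension GandCrab appended; the sample file tree it builds is constructed, not real malware output.

```python
"""Triage before running BDGandCrabDecryptTool: classify encrypted files by the
extension GandCrab appended and check that the matching ransom note survived.
Added example; not Bitdefender's code and not the decryptor itself."""
import os
import re
import tempfile
from collections import Counter

# Extension -> version, as stated in the article.
KNOWN_EXTENSIONS = {".GDCB": "v1", ".KRAB": "v4", ".CRAB": "v2/v3"}
SUPPORTED = {"v1", "v4", "v5"}                 # what the tool decrypts today
RANDOM_V5 = re.compile(r"^\.[A-Z]{10}$")       # v5: ten random capital letters
# Assumption, not stated in the article: the ransom note is named
# <EXT>-DECRYPT.txt or <EXT>-DECRYPT.html, EXT being the appended extension.
NOTE_RE = re.compile(r"^([A-Z]{4,10})-DECRYPT\.(txt|html)$")


def classify(filename):
    """Map a file name to the GandCrab version its extension implies, else None."""
    ext = os.path.splitext(filename)[1]
    if ext in KNOWN_EXTENSIONS:
        return KNOWN_EXTENSIONS[ext]
    return "v5" if RANDOM_V5.match(ext) else None


def note_version(filename):
    """Version a ransom note belongs to, derived from its <EXT>- prefix."""
    m = NOTE_RE.match(filename)
    return classify("x." + m.group(1)) if m else None


def triage(root):
    """Walk root; report which versions are present and whether the
    corresponding ransom note is still there (the tool needs it for the key)."""
    counts, notes, note_versions = Counter(), [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            nv = note_version(name)
            if nv:
                notes.append(os.path.join(dirpath, name))
                note_versions.add(nv)
                continue
            ver = classify(name)
            if ver:
                counts[ver] += 1
    present = set(counts)
    return {
        "counts": dict(counts),
        "ransom_notes": notes,
        # run the tool for these: supported version and its note is still here
        "ready": sorted(present & SUPPORTED & note_versions),
        # supported version, but the note is gone (clean-up tool ran too early?)
        "missing_note": sorted((present & SUPPORTED) - note_versions),
        # .CRAB (v2/v3): do not pay; a decryptor is still in development
        "unsupported": sorted(present - SUPPORTED),
    }


def build_sample(root):
    """Create a constructed file tree (no real malware) for a dry run."""
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    for rel in ("docs/report.docx.KRAB", "docs/budget.xlsx.KRAB",
                "docs/KRAB-DECRYPT.txt", "photo.jpg.QWERTYUIOP", "readme.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")


def demo():
    """Build the constructed tree in a temp dir and return its triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed tree the report lists v4 as ready (two .KRAB files plus KRAB-DECRYPT.txt) and flags v5 as missing its note: the .QWERTYUIOP file is decryptable in principle, but without a note the tool cannot derive its key, which is exactly the situation Botezatu warns clean-up utilities create. Run it from the victim machine before any antivirus sweep, and on a copy of the data if you can.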

It's also important to note that, although BDGandCrabDecryptTool can recover your encrypted files, it does not disinfect the computer in the process. For that, you will still need a security solution to scan for and remove any GandCrab components left on the machine.

According to Bitdefender, "the decryption tool can be downloaded from Bitdefender Labs or the No More Ransom website – a joint project between the National Dutch Police and Europol to combat ransomware at the European Union level."

GandCrab is a ransomware strain that has been highly active throughout 2018 and demands up to $3,000 from its victims to decrypt locked files.

Bitdefender is also working on a decryptor for GandCrab V2 and V3; victims are advised to wait until its release

Moreover, the actor behind GandCrab runs a ransomware-as-a-service (RaaS) "business" model that lets other threat actors deploy the malware in their own campaigns in exchange for a share of the profits.

GandCrab is also known to use a wide range of infection methods: malvertising campaigns, posing as harmless software or cracked utilities, exploiting JBoss, WebLogic, Struts and Apache Tomcat vulnerabilities, and, when everything else fails, password-cracking attacks.

To conclude, if your files were encrypted by GandCrab v1, v4, or v5, download the decryptor released by Bitdefender, run it on the affected machine, and recover your documents in one go.

Victims of GandCrab versions 2 or 3, which append the .CRAB extension, are advised by Bitdefender not to pay the ransom, because a decryptor for these versions is actively being developed.

As protection against GandCrab and all other ransomware strains, we recommend making regular data backups, never opening e-mail attachments from unknown senders, keeping the operating system and all applications up to date, and making sure an anti-malware solution is running in the background to detect and block a possible ransomware infection.

Photo Gallery (3 images): BDGandCrabDecryptTool, the GandCrab ransomware decryptor (two screenshots); comparison between GandCrab encryption methods.