The Romanian police have developed a new free decryptor for GandCrab ransomware, assisted by Bitdefender, Europol and law enforcement agencies in Austria, Belgium, Canada, Cyprus, Germany, France, Italy, the Netherlands, the United States and the UK. The new decryptor enables victims to recover files encrypted by GandCrab ransomware versions 5.0.4 to 5.1. Past decryptors have only worked on files encrypted by versions 1 and 4 and a few early v5 ransomware variants.
Cybercriminals began using GandCrab ransomware in January 2018. The first version of the ransomware was flawed, so it was easy to develop a free decryptor, which was made available in February 2018. The variants that followed were more sophisticated and better at evading detection and analysis. A second GandCrab decryptor, made available in October 2018, allowed files to be recovered if they had been encrypted by version 4 of the ransomware, although a new version of the ransomware was rapidly released.
Europol remarked that the two decryptors have already had over 400,000 downloads and about 10,000 users have been able to decrypt files for free. Thus far, there have been over 500,000 GandCrab ransomware attacks, which include attacks on healthcare providers in the U.S. Attackers have demanded ransoms from $300 to $6,000, depending on how many devices were encrypted.
GandCrab ransomware was 2018’s major ransomware threat, and GandCrab is now the most commonly used ransomware variant under the ransomware-as-a-service model. This model involves paying affiliates to conduct campaigns on behalf of the ransomware developers for a cut of the profits. Part of the success of GandCrab is due to the marketing of the malware. The developers have been able to spread the word about their ransomware and are good at recruiting affiliates.
Several threat actors are now using the ransomware in diverse attacks. Spam email campaigns are prevalent, though lately the ransomware has been installed using stolen RDP credentials and via exploitation of vulnerabilities in software programs and operating systems. Attackers have also targeted managed service providers (MSPs). Once access to an MSP’s system is gained, the ransomware is then deployed on its clients’ workstations.
While the new decryptor works on the current version of the ransomware, a new and updated version of GandCrab is expected to be released imminently. Bitdefender has worked closely with the Romanian police force and helped develop the decryptor. The firm recommends using up-to-date security solutions and layered defenses to protect against ransomware attacks.
You can download the free decryptor for GandCrab ransomware versions 1, 4, and most v5 variants from the No More Ransom website. https://www.nomoreransom.org/