A free decryptor for GandCrab ransomware has been released that allows victims to recover files encrypted by versions 5.0.4 to 5.1 of the ransomware. Previous decryptors have only worked on versions 1 and 4 and some of the early version 5 variants.
The new GandCrab ransomware decryptor was developed by the Romanian police with assistance provided by Bitdefender, Europol, and law enforcement agencies in Austria, Belgium, Cyprus, France, Germany, Italy, the Netherlands, the UK, Canada and the United States.
GandCrab ransomware was first used in attacks in January 2018. The first version of the ransomware was somewhat crude and a free decryptor was rapidly developed and released in February. Later variants were more advanced and more adept at evading detection; however, in October, a second GandCrab ransomware decryptor was released that worked on version 4 of the ransomware.
According to Europol, those decryptors have been downloaded more than 400,000 times and have allowed around 10,000 users to decrypt their files free of charge.
To date, GandCrab ransomware has been used in more than 500,000 attacks, including several on U.S. healthcare providers. Ransom demands vary but are typically in the range of $300 to $6,000, depending on the extent of the attack and the number of devices that have been encrypted.
GandCrab ransomware was the biggest ransomware threat in 2018 and is now the most widely used ransomware variant. Part of its success is due to regular updates. When decryptors are developed, new versions are rapidly released. The threat actors behind the ransomware are also rather adept at marketing the ransomware and recruiting affiliates to run ransomware campaigns. GandCrab now dominates the ransomware-as-a-service market.
Multiple threat actors are using the ransomware and various methods are used to infect end users. Spam email campaigns are common, although recently the ransomware has been installed using stolen RDP credentials and through exploitation of vulnerabilities in software and operating systems. Managed service providers (MSPs) have also been targeted, and privileged access to clients’ systems has been abused to download the ransomware onto clients’ workstations.
The latest free decryptor for GandCrab ransomware is certainly good news and will help healthcare providers recover files without having to pay the ransom demand. However, version 5.2 of the ransomware is expected to be released soon. The latest decryptor will not work on the new version.
“If you have a security solution, make sure it is up-to-date and has layered defenses against ransomware. The better it is at detection, the lower your chances of infection. Also make sure you are running the latest version of your OS and third-party software,” wrote Bitdefender. “If you don’t have a security solution, get one now. It helps a lot, and it’s way less expensive than a $600 ransom payment.”
The free decryptor for GandCrab ransomware works for versions 1, 4, and most version 5 variants, and can be downloaded from the No More Ransom website.