Bitdefender has released a free decrypter that helps victims of GandCrab ransomware infections recover files without paying the ransom.
The decrypter is available for download via the NoMoreRansom project, of which Bitdefender is a member.
Romanian Police and Romania's DIICOT (Directorate for Investigating Organized Crime and Terrorism) announced the decrypter's launch in statements published on their sites, minutes ago. Europol is also expected to make a formal announcement later today.
Arrests were also made, a source in Romanian law enforcement has told Bleeping Computer, although they did not detail how many suspects were apprehended, their nationality, or the place of their arrest.
Bogdan Botezatu, Senior E-Threat Analyst, denied rumors that Bitdefender had taken control over one of the GandCrab command and control servers, and said that the company only created a simple decryptor.
Bitdefender claims the decrypter works with all known GandCrab versions, but several users and security researchers [1, 2] reported problems with the decryption routine. Bear in mind, however, that this is the decrypter's first version, and it may have bugs like any recently launched software. In these cases, Bitdefender recommends that users consult the official GandCrab decrypter documentation, and if they keep having issues, optionally send an email to the address included in the PDF file.
GandCrab is one of 2018's top ransomware strains
The GandCrab ransomware first appeared at the end of January, this year, and was first detailed in a Bleeping Computer article, here. It was advertised as a Ransomware-as-a-Service offering on a cybercrime forum for Russian-speaking users.
The ransomware became very popular right away, being distributed via both exploit kits and email spam.
Microsoft says GandCrab became the third most prevalent ransomware family this year, likening its meteoric rise to Spora's burst on the ransomware scene in 2017.
GandCrab is hardcoded to avoid making victims in former Soviet states and, according to Microsoft, has made most victims in Brazil, the US, India, Indonesia, and Pakistan.
Using Bitdefender's GandCrab decryptor to decrypt GDCB files
To see if your files can be decrypted by Bitdefender's GandCrab decryptor, you must have at least one ransom note present on your computer and 5 encrypted files that will be tested for decryption. This ransom note is used to retrieve the victim's unique ID, which is then uploaded to Bitdefender to determine if a decryption key is available for it.
If you have a ransom note and at least 5 GDCB encrypted files that you wish to decrypt, you can download the GandCrab Decryptor and save it on your desktop. Before we run the program, you should create a folder called test-decryption on your desktop and copy, not move, 5-10 encrypted files and a ransom note into that folder. We will use that folder to test if the decryptor can decrypt your files.
Once you have created the test-decryption folder, double-click the BDGandCrabDecryptTool.exe executable to start the program. A license agreement will be displayed; click the I Agree button to continue. The Bitdefender GandCrab Decryptor screen will then be displayed.
Now browse to the test-decryption folder on your desktop and click on the Scan button. The decryption tool will now retrieve your victim ID from the ransom note and upload it to the Bitdefender servers to see if they have a matching decryption key.
If a decryption key can be found, the decryptor will test it against the 5 encrypted files. If it is unable to decrypt those files, the decryptor will not attempt to decrypt any other files. If it is successful, the program will state that the scan has been finished and all the files in the specified folder will be decrypted.
The folder should now be filled with decrypted files.
Now that you know the program can decrypt your files properly, you can put a checkmark in the Scan entire system checkbox and scan again. To be safe, you may also want to check the Backup files button so that you have backups in the event the decryption fails and files become corrupted. Please note that doing so will leave a lot of extra files behind that you will need to clean up manually.
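The staging step described above, as a PowerShell script. This is an added example, not part of the original article or of Bitdefender's tool; the parameter names, the choice of the smallest files, and the manifest file name are assumptions.

```powershell
# Added example: stage a decryptor test set by COPYING files, never moving them.
param(
    [Parameter(Mandatory)] [string] $SourceDir,   # assumed: folder holding encrypted files
    [Parameter(Mandatory)] [string] $RansomNote,  # assumed: full path to one ransom note
    [ValidateRange(5, 10)] [int] $Count = 5,      # the article asks for 5-10 files
    [string] $Extension = '.GDCB'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $RansomNote -PathType Leaf)) {
    throw "Ransom note not found: $RansomNote"
}
$desktop  = [Environment]::GetFolderPath('Desktop')
$dest     = Join-Path $desktop 'test-decryption'
$manifest = Join-Path $desktop 'test-decryption-originals.csv'   # assumed name
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Smallest files first keeps the test quick; skip anything already inside $dest.
$candidates = Get-ChildItem -LiteralPath $SourceDir -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq $Extension -and
                   -not $_.FullName.StartsWith($dest, [StringComparison]::OrdinalIgnoreCase) } |
    Sort-Object Length

$staged = @()
foreach ($f in $candidates) {
    if ($staged.Count -ge $Count) { break }
    $target = Join-Path $dest $f.Name
    if (Test-Path -LiteralPath $target) { continue }   # same file name already staged
    Copy-Item -LiteralPath $f.FullName -Destination $target
    # Hash both sides: proves the copy is exact and records the original's state.
    $src = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Copy does not match original: $($f.FullName)" }
    $staged += [pscustomobject]@{ Original = $f.FullName; SHA256 = $src }
}
if ($staged.Count -lt 5) {
    throw "Only $($staged.Count) '$Extension' files staged; the decryptor's test needs 5."
}
Copy-Item -LiteralPath $RansomNote -Destination $dest
$staged | Export-Csv -LiteralPath $manifest -NoTypeInformation
"Staged $($staged.Count) files and the ransom note in $dest"
```

After the test run, re-hashing the paths listed in the manifest confirms the originals were not modified.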
If you need help or have questions regarding this decryption process, you can ask in our dedicated GandCrab Ransomware Help & Support topic.
Developing story. This article will be updated with more information later today.
Comments
Bloodthunder - 6 years ago
Looks like the download link is 404'd
campuscodi - 6 years ago
Worked fine when we tested. Might have been a temporary issue with the Bitdefender server.
mcrnelc - 6 years ago
BD and me, we are working on decrypter issues. Most of my files are decrypted; we are fighting with PST files larger than 5GB.
As soon as a new version is released I will put a link in the forum topic for download.
Esquirla - 6 years ago
Hi, I need help, this tool does not work for me. Today all my files were infected with a ransomware. All my files changed the extension to @cock.li].arrow. Are there any tools or any information about that ransomware? Thanks
Wak_Anip - 6 years ago
Why did it take so long to scan and decrypt the infected files, even though I tested only one Excel file of 94 KB in size?
mugur71 - 6 years ago
Good evening
I used the BD decryption tool for files with the .gdcb extension.
It worked perfectly for everything I had on the computer (photos, videos, PDFs, etc.), except for some audio files saved from my mobile phone.
These are recordings of calls made with an application called call recorder ACR (taken from Google Play).
Do you think there is any chance of an update to your tool that would decrypt those files?
The file looks something like this: "0d20170403101313p0741321742.m4a".
Thank you for your kindness.
Respectfully,
daniel
F1L1O - 6 years ago
Having an issue with the tool.
2018-11-02 22:49:34.367 000000000015 023292 051168 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ wWinMain] Bitdefender Decrypt Tool Started.
2018-11-02 22:49:51.821 000000017468 023292 023824 [BDRansomDecr] [BDRansomDecr] [CRITICAL] [ FileScanner::scanInit] Init Result = -1 "Decryption TEST FAILED!"