Security researchers have released a decryptor that works against the latest variants of GandCrab ransomware, including version 5.2.
On 17 June, Bitdefender announced that users can download the tool from the No More Ransom Project’s website. They can then use the utility to decrypt, free of charge, any files encrypted by samples of GandCrab up to and including version 5.2 of the ransomware family.
The release of this decryptor comes at an important time. In early June, the creators of the ransomware stated on the underground hacking and malware forum Exploit.in that they would be deleting all of GandCrab’s decryption keys as part of their transition into retirement. They went on to explain that they had made this decision after allegedly generating $2 billion in revenue from their ransomware campaigns, including $150 million every year since the threat’s inception.
These numbers seem a bit high to Bitdefender. Bogdan Botezatu, director of threat research at the Romanian digital security and anti-virus software firm, explains that two previous GandCrab decryptors developed in partnership with law enforcement agencies helped limit the profitability of the ransomware. He clarifies this impact in a blog post:
“These tools totaled more than 30,000 successful decryptions and have saved victims roughly $US 50 MILLION in unpaid ransom. Most importantly, it helped us weaken the ransomware operators by cutting off their monetization mechanisms and establishing a positive mindset among new victims, who would rather wait for a new decryptor than give in to hackers’ ransom demands.”
Users who have fallen victim to GandCrab ransomware and haven’t paid the ransom should use Bitdefender’s updated tool to recover their affected files.
Going forward, it’s reasonable to expect that other ransomware families will fill the void left by GandCrab once its creators pull the plug on their threat. Organizations and users need to be ready for this shift in the ransomware landscape by preparing themselves now for the threat of a crypto-malware infection. In particular, they should work to prevent a ransomware infection in the first place by keeping their software up to date, by maintaining an updated anti-virus solution on their computers and by backing up their data on a regular basis.