In collaboration with law enforcement agencies around the world, Bitdefender has released an updated decryptor for the GandCrab Ransomware that can decrypt files encrypted by versions 1, 4, and 5 through 5.2.
In announcements by both Bitdefender and Europol, a decryptor for the GandCrab Ransomware was released that decrypts the latest versions of the ransomware.
"The tool is released in partnership with law enforcement agencies from Austria (Bundeskriminalambt – BMI), Belgium (Federal Computer Crime Unit), Bulgaria (Bulgarian Cybercrime Unit), France (Police Judiciaire de Paris – Befti), Germany (LKA Baden-Württemberg), the Netherlands (High Tech Crime Unit), Romania (DIICOT), the United Kingdom (NCA and Metropolitan Police), the United States (FBI) and Europol, together with the private partner Bitdefender."
Supported GandCrab Versions
The below table shows the versions of GandCrab this tool can decrypt and how to identify the version you have been inflicted with. You can recognize this ransomware and its version by the extension it appends to the encrypted files and/or from the first line of the ransom-note.
Decryption Tool Requirements
- Active Internet connection. This tool REQUIRES an active Internet connection as our servers will attempt to reply to the submitted ID with a possibly valid RSA-2048 private key. Only if this step succeeds will the decryption process continue.
- The ransom-note. For this recovery solution to work, you must have at least (1) copy of the ransom-note on your PC. The ransom-note is needed to recover the decryption key, as it allows us to compute the unique decryption key for your files. Please make sure that you do not run a clean-up utility which detects and removes the ransom-note prior to execution of this tool.
How to Use the Tool
Step 1: Download our decryption tool and save it somewhere on your computer. Please note that this tool requires an active internet connection. Without it, the decryption process won’t continue.
Download the Grandcrab Decryption Tool
This tool REQUIRES an active internet connection as our servers will attempt to reply the submitted ID with a possibly valid RSA-2048 private key. If this step succeeds the decryption process will continue.
Step 2: Run the utility. It should be saved on your computer as BDGandCrabDecryptor.exe.
Step 3: Agree to the terms and conditions.
Step 4: Select “Scan Entire System” if you want to search for all encrypted files or just add the path to your encrypted files. We strongly recommend that you also select “Backup files” before starting the decryption process. Then press “Scan”.
Regardless of whether you check the “Backup files” option or not, the decryption tool initially attempts to decrypt (5) files in the provided path and will NOT continue if decryption is unsuccessful. This extra safety mechanism ensures that the decryption tool has yielded valid files. This approach will however, impact potential tests ran on 1 or 2 files, or rypting files with different extensions.
Step 5: At this point, your files should be decrypted. If you selected the backup option, you will see both the encrypted and the decrypted files. We recommend that you now validate that your files may be safely opened and there is no trace of damage.
Once you have validated your files, you can remove the encrypted files in bulk by searching for files matching the GandCrab extension.