Bitdefender has released a free decrypter that helps victims of GandCrab ransomware infections recover files without paying the ransom.

The decrypter is available for download via the NoMoreRansom project, of which Bitdefender is a member of.

Romanian Police and Romania's DIICOT (Directorate for Investigating Organized Crime and Terrorism) announced the decrypter's launch in statements published on their sites, minutes ago. Europol is also expected to make a formal announcement later today.

Arrests were also made, a source in Romanian law enforcement has told Bleeping Computer, although they did not detail how many suspects were apprehended, their nationality, or the place of their arrest.

Bogdan Botezatu, Senior E-Threat Analyst, denied rumors that Bitdefender had taken control over one of the GandCrab command and control servers, and said that the company only created a simple decryptor.

Bitdefender claims the decrypter works with all known GandCrab versions, but several users and security researchers [1, 2] reported problems with the decryption routine. But, bare in mind, this is the decrypter's first version, and the decrypter may have bugs like any recently launched software. In these cases, Bitdefender recommends that users consult the official GandCrab decrypter documentation, and if they keep having issues, optionally send an email to the address included in the PDF file.

GandCrab is one of 2018's top ransomware strains

The GandCrab ransomware first appeared at the end of January, this year, and was first detailed in a Bleeping Computer article, here. It was advertised as a Ransomware-as-a-Service offering on a cybercrime forum for Russian-speaking users.

The ransomware became very popular right away, being distributed via both exploit kits and email spam.

Microsoft says GandCrab became the third most prevalent ransomware family this year, likening its meteoric rise to Spora's burst on the ransomware scene in 2017.

GandCrab is hardcoded to avoid making victims in former Soviet states and according to Microsoft has made most victims in Brazil, the US, India, Indonesia, and Pakistan.

Using Bitdefender's Gandcrab decryptor to decrypt GDCB files

To see if your files can be decrypted by Bitdefender's GandCrab decryptor, you must have at least one ransom note present on your computer and 5 encrypted files that will be tested for decryption. This ransom note is used to retrieve the victim's unique ID, which is then uploaded to Bitdefender to determine if a decryption key is available for it.

If you have a ransom note and at least 5 GDCB encrypted files that you wish to decrypt, you can download the GandCrab Decryptor and save it on your desktop. Before we run the program, you should create a folder called test-decryption on your desktop and copy, not move, 5-10 encrypted files and a ransom note into that folder. We will use that folder to test if the decryptor can decrypt your files.

Test-decryption Folder on Desktop

Once you have created the test-decryption folder, double-click on the BDGandCrabDecryptTool.exe executable to start the program. Once started, a license agreement will be displayed, which you should click on the I Agree button to continue. Once you agree to the license agreement, the Bitdefender GandCrab Decryptor screen will be displayed as shown below.

Bitdefender GandCrab Decryptor

Now browse to the test-decryption folder on your desktop and click on the Scan button. The decryption tool will now retrieve your victim ID from the ransom note and upload it to the Bitdefender servers to see if they have a matching decryption key.

Checking for decryption key

If a decryption key can be found, the decryptor will test it against the 5 encrypted files. If it is unable to decrypt those files, the decryptor will not attempt to decrypt any other files. If it is successful, the program will state that the scan has been finished and all the files in the specified folder will be decrypted.

Caption

The folder should now be filled with decrypted files as shown below.

Decrypted Folder

Now that you know the program can decrypt your files properly, you can put a checkmark in the Scan entire system checkbox and scan again. To be safe, you may also want to check the Backup files button so that you have backups in the event the decryption fails and files become corrupted. Please note that doing so will leave a lot of extra files behind that you will need to clean up manually.

If you need help or have questions regarding this decryption process, you can ask in our dedicated GandCrab Ransomware Help & Support topic.

Developing story. This article will be updated with more information later today.