GandCrab decryption tool helps victims recover data

The No More Ransom initiative released one last GandCrab decryption tool to help victims recover data after the ransomware was allegedly shut down by its authors.

Victims of one of the most widespread ransomware threats are now able to recover their data after the fourth and potentially last GandCrab decryption tool was released on Monday.

Earlier this month, the authors behind the GandCrab ransomware as a service (RaaS) announced the project would be shut down. As first reported by BleepingComputer, the threat group claimed it was time for a "well-deserved retirement," following earnings of more than $150 million. The group promised to delete the decryption keys, which would have left victims without proper backups little recourse to recover their encrypted data.

However, Bitdefender and law enforcement from around the world released an updated GandCrab decryption tool through the No More Ransom initiative. The tool "neutralizes the latest versions of GandCrab, including version 5.2," according to a blog post by Bogdan Botezatu, director of threat research and reporting at Bitdefender, a cybersecurity company based in Bucharest, Romania.

"These tools totaled more than 30,000 successful decryptions and have saved victims roughly [$50 million USD] in unpaid ransom," Botezatu wrote. "Most importantly, it helped us weaken the ransomware operators by cutting off their monetization mechanisms and establishing a positive mindset among new victims, who would rather wait for a new decryptor than give in to hackers' ransom demands."

In the blog post, Botezatu said the GandCrab RaaS family had "grabbed more than 50% of the ransomware market share by August 2018." But he told us it was difficult to accurately estimate how many successful attacks there had been in total since GandCrab was first released in January 2018.

"We estimate that GandCrab affected around 1.5 million computers until now, but this is only an estimate," Botezatu said. "The only way to accurately tell how many victims GandCrab has made is to take a look at a key server and count the number of victims logged in the infrastructure. We don't have access to such infrastructure."

The GandCrab decryption tool was released via the No More Ransom initiative in a partnership between Bitdefender and law enforcement agencies from around the world, including Europol, the FBI, and agencies from Austria, Belgium, Bulgaria, France, Germany, the Netherlands, Romania and the U.K.

In a press release, Europol wrote that the tool "counters versions 1 and 4 and versions 5 to 5.2" of GandCrab.

"Most importantly, the joint efforts have weakened the operators' position on the market and have led to the demise and shutdown of the operation by law enforcement," Europol wrote. "This shutdown was a global law enforcement effort supported by Bitdefender and McAfee."

McAfee is a co-founder of No More Ransom, but it is unclear what role McAfee played in developing this tool. Bitdefender declined to comment on the specific tactics used in this investigation, because the investigation is still ongoing. Neither Europol nor McAfee responded to requests for comment at the time of this post.

Botezatu said he believes the GandCrab ransomware is truly dead, but added that this might not be the last we see of this threat group.

"They might come back with a different product shortly, something that has no ties with GandCrab, as their past business has started losing trust and respect inside the community following the four decryptors built in collaboration with law enforcement," Botezatu said. "This is a quick exit, rather than 'retirement.'"

In the retirement announcement from the GandCrab authors, the group claimed the affiliates using the GandCrab RaaS had earned more than $2 billion, but Botezatu said that number "is clearly exaggerated."

"While $2 billion might be an exaggerated figure, we still assume that GandCrab has made more than $1 billion. As of last year, GandCrab affiliates have focused their efforts on business customers, as they were seen as much more likely to pay up in exchange for decryption," Botezatu said. "Companies covered by cybersecurity insurance have more frequently chosen to pay in order to minimize downtime and costs, knowing that a big part of these costs would be absorbed by the insurer. This type of behavior might have contributed significantly to GandCrab's financial success as advertised in the shutdown message."
