Scribd
Upload
113 views

Gandcrab Ransomware Decryption Tool

This tool decrypts files encrypted by versions 1, 4, and 5 of the GandCrab ransomware virus. The tool identifies the GandCrab version based on file extensions added to encrypted files. It requires a ransom note left on the infected system to retrieve the decryption key from the author's servers. The tool scans for encrypted files, attempts to decrypt a test set, and if successful will decrypt all identified encrypted files.

Uploaded by

gogu777
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
113 views

Gandcrab Ransomware Decryption Tool

This tool decrypts files encrypted by versions 1, 4, and 5 of the GandCrab ransomware virus. The tool identifies the GandCrab version based on file extensions added to encrypted files. It requires a ransom note left on the infected system to retrieve the decryption key from the author's servers. The tool scans for encrypted files, attempts to decrypt a test set, and if successful will decrypt all identified encrypted files.

Uploaded by

gogu777
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

GANDCRAB RANSOMWARE DECRYPTION TOOL

Technical description:

This tool recovers the encrypted files, affected by GandCrab ransomware


(V1,V4,V5). You can recognize this ransomware and its version, by the extension it appends
to the encrypted files and/or ransom-note:
Versio Extension Ransom-note Info
n

1 .GDCB ---= GANDCRAB =---, ……………. the extension: .GDCB

2 .GDCB ---= GANDCRAB =---, ……………. the extension: .GDCB

3 .CRAB ---= GANDCRAB V3 =--- ……….. the extension: .CRAB

4 .KRAB ---= GANDCRAB V4 =--- ……….. the extension: .KRAB

5 .([A-Z]+) ---= GANDCRAB V5.0 =--- …...…. the extension: .UKCZA


---= GANDCRAB V5.0.2 =--- …. the extension: .YIAQDG
---= GANDCRAB V5.0.2 =--- …. the extension: .CQXGPMKNR
---= GANDCRAB V5.0.2 =--- …. the extension: .HHFEHIOL

In order for this recovery solution to work, you are required at least 1 available
ransom-note on your PC. The ransom-note is required to recover the decryption key. Please
make sure that you do not run a clean-up utility which detects and removes these
ransom-notes prior to execution of this tool. The information inside the ransom-notes, taken
as input for the key-recovery procedure, may look in one of the two ways, shown below.
Judging by this information, GandCrab ransomware had a significant shift since January
2018, which relates to encryption mechanism.

GandCrab V1,V2,V3:
GandCrab V4,V5

The shift of the ransomware was about using a different encryption type and, and if
versions 1,2,3 of the ransomware used AES-256-CBC, versions 4 and 5 use Salsa20.
The ransomware kept constant the encryption flow, but considered the damages they
have done to files exceeding 4GB in their first versions, and now they only encrypt at most
1MB.
Steps for decryption:

Step 1:​ Download the decryption tool from


http://download.bitdefender.com/am/malware_removal/BDGandCrabDecryptor.exe  
and save it somewhere on your computer 
 
​ EQUIRES ​an active internet connection as our servers will attempt to reply the
This tool R
submitted ID with a possible valid RSA-2048 private key. If this step succeeds the decryption
process will continue.

Step 2:​ Double-click the file (previously saved as BDGandCrabDecryptor.exe) and allow it to
run by clicking Yes in the UAC prompt.

Step 3:​ Select “I Agree” for the End User License Agreement
Step 4: Select “Scan Entire System” if you want to search for all encrypted files or just add
the path to your encrypted files.

We strongly recommend that you also select “​Backup files​” before starting the decryption
process. Then press “Scan”.

Regardless of whether you check the “Backup files” option or not, the decryption tool
attempts to decrypt ​5 files in the provided path and will NOT continue if the test is not
successfully passed. The chances that something goes wrong are actually low, however we
make these supplementary checks to make sure that nothing goes wrong nor on your, nor
our side. This approach may not suits some testers, which might want to decrypt 1-2 files at
most, or not conforming file extensions. Users may also check the “Overwrite existing clean
files” option under “Advanced options” so the tool will overwrite possible present clean files
with their decrypted equivalent.
At the end of this step, your files should have been decrypted.

If you encounter any issues, please contact us at ​[email protected]​.


If you checked the backup option, you will see both the encrypted and decrypted
files. You can also find a log describing decryption process, in ​%temp%\BDRemovalTool
folder:

To get rid of your left encrypted files, just search for files matching the extension and
remove them bulk. We do not encurage you to do this, unless you doubled check your files
can be opened safely and there is no trace of damage.

Silent execution (via cmdline)


The tool also provides the possibility of running silently, via a command line. If you need to
automate the deployment of the tool inside a large network, you might want to use this feature.

● -help ​- will provide information on how to run the tool silently (this information will
be written in the log file, not on console)
● start​ - this argument allows the tool to run silently (no GUI)
● -​path​ - this argument specifies the path to scan
● o0:1 ​- will enable ​Scan entire system ​option (ignoring ​-path​ argument)
● o1:1​ - will enable ​Backup files ​option
● o2:1​ - will enable ​Overwrite existing files ​option
Examples:

BDGandCrabDecryptor.exe start -path:C:\ ​-> the tool will start with no GUI and scan ​C:\
BDGandCrabDecryptor.exe start o0:1 ​-> the tool will start with no GUI and scan entire
system
BDGandCrabDecryptor.exe start o0:1 o1:1 o2:1 ​-> the tool will scan the entire system,
backup the encrypted files and overwrite present clean files

Acknowledgement​:
This product includes software developed by the OpenSSL Project, for use in the
OpenSSL Toolkit (​http://www.openssl.org/​)

You might also like