Final Decryption Tool Published As ‘GandCrab’ Ransomware Developers Retire

Security researchers have released what they say is likely to be the last decryption tool for the widespread GandCrab ransomware, after the developers of the attack code said they planned to retire.

GandCrab was first released in January of last year and has grown to become the most common strain of ransomware globally, at one point accounting for some 50 percent of all infections, said security firm Bitdefender.

It is thought to have infected more than 1.5 million Windows systems since launch.

The tool’s spread was helped along by an affiliate model that allowed criminals to buy ready-made kits in exchange for returning 40 percent of their takings to the developers.

Affiliate network

“This fostered a diverse distribution system,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, said in an advisory. “Some affiliates would spam out their payloads, while others would infect victims through, for instance, exploit kits or remote access to enterprise computers.”

Earlier this month it was reported that the GandCrab developers plan to retire, after having earned millions from their efforts and, they claimed on a hacking forum, investing it in legitimate businesses.

The developers have barred affiliates from new versions of the software and said they plan to shut the network down soon, deleting all decryption keys.

The move means attackers would be unable to decrypt targets’ files, even if they were paid to do so.

Final release

Bitdefender has, however, released a new version of its free decryptor tool that covers the latest versions of GandCrab, up to version 5.2, likely to be the final release, as well as all older versions.

The company has released several versions of the tool, which has been developed and made available in cooperation with Europol, the FBI, the UK’s National Crime Agency and Metropolitan Police, as well as other crime agencies and police forces.

The tools have decrypted more than 30,000 systems and saved targets more than $50 million (£40m) in unpaid ransoms.

The tool can be downloaded immediately from Bitdefender or from the No More Ransom project.

Ransomware remains a significant threat to businesses and other organisations, with recent high-profile attacks affecting the city of Baltimore, aeroplane manufacturer ASCO and others.

Bitdefender said organisations can defend themselves by keeping software up to date and maintaining regular backups.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
