Bitdefender has released a decryption tool that can be used to recover files encrypted by all GandCrab ransomware variants, including 5.0 and 5.2.
Three decryptors have previously been developed for specific GandCrab ransomware versions. However, as soon as a decryptor was developed, a new version of the ransomware was released.
GandCrab ransomware was one of the most widely used ransomware variants in 2018. Since it was first detected in January 2018, the threat actors behind the campaign have offered their malware under the ransomware-as-a-service model. Affiliates have paid to use the ransomware and retain a cut of any ransoms they can generate.
The RaaS business model, along with regular redevelopment of the ransomware to stay one step ahead of security companies, has proven very profitable. So much so that the creators of the ransomware announced they were bringing their operations to a close, decommissioning the ransomware, and retiring on the profits.
In a recent post on a forum where they offered their ransomware, they claimed that they were shutting down the RaaS program. They said their ransomware had been used to obtain more than $2 billion in payments, including $150 million in laundered profit for the creators. The post instructed all affiliates to wind down their operations and said that once the program stopped, any devices that had not been decrypted would be permanently locked.
It is highly likely that the above figures have been exaggerated, but the developers feel they have earned enough to retire and shut down a still highly profitable operation. That demonstrates just how prolific the operation really was.
According to Europol, the GandCrab ransomware operation held a 50% share in the ransomware market by mid-2018. Affiliates were allowed to keep 60% of any ransom payments made through their campaigns after paying to use the ransomware. Many affiliates signed up and used the ransomware to attack businesses and consumers via a variety of methods. There are believed to have been around 1.5 million victims.
The decryption tool was developed by Bitdefender in collaboration with law enforcement agencies throughout Europe and the United States. Europol reports that its previous tool helped approximately 30,000 people recover without paying the ransom and helped to ensure that approximately $50 million in ransoms remained unpaid.
Fortunately, the release of the GandCrab ransomware decryptor for the latest version of the ransomware means anyone who has been attacked and whose files remain encrypted will be able to recover them for free.
While it will not be any consolation to the victims of the attacks that the operation has finally been shut down, at least the release of the decryptor has rendered the ransomware dead and no further ransoms will need to be paid.