Bitdefender, with the support of Europol, the Romanian and French police, the DIICOT, the FBI and other law enforcement agencies, such as the NCA, the Metropolitan Police and the Bulgarian police, has developed a new free utility that lets victims of the latest version of the GandCrab ransomware family recover their locked data.
The new decryptor allows victims to access encrypted data without paying a ransom to the attackers, and can decrypt versions 1, 4 and 5 to 5.2 of GandCrab. Over time, the attackers have continuously developed new versions of GandCrab, and the IT security industry has worked on multiple decryption tools so that victims can regain access to their digital lives at no cost.
Strong collaboration between authorities and the IT security industry has weakened the offenders’ position on the market and diminished affiliates’ trust in the attackers’ service, which has led to a significant reduction in operations.
The decryptor for the previous version, released in February 2019, was used by more than 30,000 users, who recovered their data without paying ransoms totalling more than USD 50 million, money that could otherwise have gone into the attackers’ accounts.
“Our efforts to provide decryption tools to GandCrab victims have led to the loss of the position of the cybercrime group behind this threat. With the release of free tools to recover data, victims understood that they could get their personal information free of charge, and they began to pay no reward, sometimes even waiting for a new writer to give them access to blocked data,” say Bitdefender representatives.
Since its first release in January 2018, GandCrab has grown aggressively to become the world’s most widespread ransomware, with a 50 percent market share in 2018. It uses an affiliate model in which the operators monetize GandCrab as a franchise: they enlist affiliates on the Dark Web, provide them with all the tools to conduct attacks (including a non-stop customer service department) and charge a commission on their profits.
Bitdefender and the law enforcement agencies advise users infected with GandCrab not to pay the attackers the requested decryption fees, but to create copies of the compromised data and contact the police. Victims who pay the ransom have no guarantee that the offenders will honor their promise and give them access to the data; moreover, they could be targeted again by the same group, since they already have a good payment history. Last but not least, the proceeds help attackers develop increasingly sophisticated threats, which leads to more and more infected victims in the long run.
To prevent ransomware infection, users are advised to keep backup copies of important data, use a security solution, and avoid opening links or files from unsolicited emails.