{ "id": "218ef685-b098-4e93-b47e-5bea8334dcac", "created_at": "2026-04-06T00:18:50.928305Z", "updated_at": "2026-04-10T03:24:29.560796Z", "deleted_at": null, "sha1_hash": "4fe796d53b7186f5ef32bed06ab027c901c52733", "title": "Pay No More: universal GandCrab decryption tool released for free on No More Ransom", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 37838, "plain_text": "Pay No More: universal GandCrab decryption tool released for\r\nfree on No More Ransom\r\nBy Europol\r\nPublished: 2018-10-25 · Archived: 2026-04-05 15:03:40 UTC\r\nAs of today, victims of the GandCrab ransomware can recover their files without giving into the demands of the\r\ncriminals thanks to a new decryption tool released for free on www.nomoreransom.org.\r\nThis data recovery kit was developed by the Romanian Police in collaboration with its counterparts from Bulgaria,\r\nFrance, Hungary, Italy, Poland, the Netherlands, United Kingdom and United States, together with the security\r\ncompany Bitdefender and Europol. It is the most comprehensive decryption tool available to date for this\r\nparticular ransomware family: it works for all but two existing versions of the malware (v.1,4 and 5), regardless of\r\nthe victim’s geographical location. This tool is released a week after the criminal group behind GandCrab made\r\npublic decryption keys allowing only a limited pool of victims located in Syria to recover their files.\r\nGandCrab in a nutshell\r\nGandCrab is one of the most aggressive malware attacks in recent months, infecting nearly half a million victims\r\nsince it was first detected in January 2018.\r\nOnce GandCrab takes over a victim’s computer and encrypts its files, it demands a ransom ranging from USD 300\r\nto 6 000. The ransom must be paid through virtual currencies known to make online transactions less traceable,\r\nsuch as DASH and Bitcoin.\r\nBack in February, a first decryption tool was made available on No More Ransom by the Romanian Police, with\r\nthe support of the internet security company Bitdefender and Europol. A second version of the GandCrab\r\nransomware was subsequently released by the criminals, this time with an improved coding which included\r\ncomments to provoke law enforcement, security companies and No More Ransom. A third version followed a day\r\nlater.\r\nNow in its fifth version, this file-locking malware continues to be updated at an aggressive pace. Its developers are\r\nconstantly releasing new versions of it, with new, more sophisticated samples being made available to bypass\r\ncybersecurity vendors’ countermeasures. \r\nUnderground alliances\r\nThe rapid spread of GandCrab has been helped along by a ransomware-as-a-service scheme, which offers on the\r\ndark web to wannabee criminals with little to no technical expertise a toolkit for launching quick and easy\r\nmalware attacks, in exchange for a 30% cut from each ransom payment. \r\nhttps://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom\r\nPage 1 of 2\n\nIn order to further maximise the profits, the GandCrab developers are also partnering up with other services in the\r\ncybercrime supply chain, enabling different criminal groups to practice their core competencies while working\r\ntogether to earn more illicit profits than they would be able to gather working individually.\r\nHow to stay safe in the future\r\nVictims who have fallen to this ransomware should visit www.nomoreransom.org where this new decryption tool\r\nis available for free.\r\nThe best cure against ransomware remains diligent prevention. Users are strongly advised to:\r\nAlways keep a copy of their most important files somewhere else: in the cloud, on another drive, on a\r\nmemory stick, or on another computer.\r\nUse reliable and up-to-date anti-virus software.\r\nNot download programs from suspicious sources\r\nNot open attachments in e-mails from unknown senders, even if they look important and credible\r\nAnd if you are a victim, don’t pay the ransom!\r\nFind more information and prevention tips on www.nomoreransom.org\r\nSource: https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom\r\nhttps://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom" ], "report_names": [ "pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434730, "ts_updated_at": 1775791469, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4fe796d53b7186f5ef32bed06ab027c901c52733.pdf", "text": "https://archive.orkl.eu/4fe796d53b7186f5ef32bed06ab027c901c52733.txt", "img": "https://archive.orkl.eu/4fe796d53b7186f5ef32bed06ab027c901c52733.jpg" } }