# GANDCRAB RANSOMWARE DECRYPTION TOOL **Technical description:** This tool recovers the encrypted files, affected by GandCrab ransomware (V1,V4,V5). You can recognize this ransomware and its version, by the extension it appends to the encrypted files and/or ransom-note: **Versio** **Extension** **Ransom-note Info** **n** 1 .GDCB ---= GANDCRAB =---, ……………. the extension: .GDCB 2 .GDCB ---= GANDCRAB =---, ……………. the extension: .GDCB 3 .CRAB ---= GANDCRAB V3 =--- ……….. the extension: .CRAB 4 .KRAB ---= GANDCRAB V4 =--- ……….. the extension: .KRAB 5 .([A-Z]+) ---= GANDCRAB V5.0 =--- …...…. the extension: .UKCZA ---= GANDCRAB V5.0.2 =--- …. the extension: .YIAQDG ---= GANDCRAB V5.0.2 =--- …. the extension: .CQXGPMKNR ---= GANDCRAB V5.0.2 =--- …. the extension: .HHFEHIOL In order for this recovery solution to work, you are required at least 1 available ransom-note on your PC. The ransom-note is required to recover the decryption key. Please make sure that you do not run a clean-up utility which detects and removes these ransom-notes prior to execution of this tool. The information inside the ransom-notes, taken as input for the key-recovery procedure, may look in one of the two ways, shown below. Judging by this information, GandCrab ransomware had a significant shift since January 2018, which relates to encryption mechanism. GandCrab V1,V2,V3: |Versio n|Extension|Ransom-note Info| |---|---|---| |1|.GDCB|---= GANDCRAB =---, ……………. the extension: .GDCB| |2|.GDCB|---= GANDCRAB =---, ……………. the extension: .GDCB| |3|.CRAB|---= GANDCRAB V3 =--- ……….. the extension: .CRAB| |4|.KRAB|---= GANDCRAB V4 =--- ……….. the extension: .KRAB| |5|.([A-Z]+)|---= GANDCRAB V5.0 =--- …...…. the extension: .UKCZA ---= GANDCRAB V5.0.2 =--- …. the extension: .YIAQDG ---= GANDCRAB V5.0.2 =--- …. the extension: .CQXGPMKNR ---= GANDCRAB V5.0.2 =--- …. the extension: .HHFEHIOL| ----- GandCrab V4,V5 The shift of the ransomware was about using a different encryption type and, and if versions 1,2,3 of the ransomware used AES-256-CBC, versions 4 and 5 use Salsa20. The ransomware kept constant the encryption flow, but considered the damages they have done to files exceeding 4GB in their first versions, and now they only encrypt at most 1MB. ----- **Steps for decryption:** **Step 1: Download the decryption tool from ​** **[http://download.bitdefender.com/am/malware_removal/BDGandCrabDecryptor.exe](http://download.bitdefender.com/am/malware_removal/BDGandCrabDecryptor.exe)** and save it somewhere on your computer _This tool ​REQUIRES ​an active internet connection as our servers will attempt to reply the_ _submitted ID with a possible valid RSA-2048 private key. If this step succeeds the decryption_ _process will continue._ **Step 2: Double-click the file (previously saved as BDGandCrabDecryptor.exe) and allow it to ​** run by clicking Yes in the UAC prompt. **Step 3: Select “I Agree” for the End User License Agreement ​** ----- **Step 4: Select “Scan Entire System” if you want to search for all encrypted files or just add** the path to your encrypted files. We strongly recommend that you also select “Backup files​ ” before starting the decryption​ process. Then press “Scan”. Regardless of whether you check the “Backup files” option or not, the decryption tool attempts to decrypt ​5 files in the provided path and will NOT continue if the test is not successfully passed. The chances that something goes wrong are actually low, however we make these supplementary checks to make sure that nothing goes wrong nor on your, nor our side. This approach may not suits some testers, which might want to decrypt 1-2 files at most, or not conforming file extensions. Users may also check the “Overwrite existing clean files” option under “Advanced options” so the tool will overwrite possible present clean files with their decrypted equivalent. ----- At the end of this step, your files should have been decrypted. If you encounter any issues, please contact us at [forensics@bitdefender.com​](mailto:forensics@bitdefender.com) .​ If you checked the backup option, you will see both the encrypted and decrypted files. You can also find a log describing decryption process, in ​%temp%\BDRemovalTool folder: To get rid of your left encrypted files, just search for files matching the extension and remove them bulk. We do not encurage you to do this, unless you doubled check your files can be opened safely and there is no trace of damage. **Silent execution (via cmdline)** The tool also provides the possibility of running silently, via a command line. If you need to automate the deployment of the tool inside a large network, you might want to use this feature. **●** **-help ​- will provide information on how to run the tool silently (this information will** be written in the log file, not on console) **●** **start​ - this argument allows the tool to run silently (no GUI)** **●** -​path​ - this argument specifies the path to scan **●** **o0:1 ​- will enable ​Scan entire system ​option (ignoring ​-path​ argument)** **●** **o1:1​ - will enable ​Backup files ​option** **●** **o2:1​ - will enable ​Overwrite existing files ​option** ----- **Examples:** **BDGandCrabDecryptor.exe start -path:C:\ ​-> the tool will start with no GUI and scan ​C:\** **BDGandCrabDecryptor.exe start o0:1 ​-> the tool will start with no GUI and scan entire** system **BDGandCrabDecryptor.exe start o0:1 o1:1 o2:1 ​-> the tool will scan the entire system,** backup the encrypted files and overwrite present clean files **Acknowledgement: ​** This product includes software developed by the OpenSSL Project, for use in the [OpenSSL Toolkit (http://www.openssl.org/​](http://www.openssl.org/) ) ​ -----