Gandcrab Ransomware

GandCrab Ransomware

The GandCrab Ransomware is a malicious software that encrypts a victim's files and demands a ransom from the victim to restore access to the files. It is believed to have been developed by a group of Russian-speaking hackers, who launched the first version of the ransomware in January 2018.


One of the characteristics that sets GandCrab apart from other ransomware strains is its focus on the Russian-speaking market. The ransom note and payment instructions are written in Russian, and the hackers primarily targeted Russian-speaking individuals and businesses. However, the ransomware has also been used to attack victims in other countries, including the United States, the United Kingdom, and Canada.


GandCrab has undergone several versions, with the most recent being version 5.2, which was released in August 2018. Each version has introduced new features and capabilities, including the ability to encrypt files on network drives and the ability to evade detection by anti-virus software.


The ransomware is typically delivered through spam emails, which contain a link to a malicious website or a malicious attachment. Once the victim clicks on the link or opens the attachment, the ransomware is downloaded and installed on the victim's computer. The victim may also be redirected to a webpage that displays a message claiming that their computer has been locked due to illegal activity, and that they need to pay a fine to unlock it.

Once installed, GandCrab begins to encrypt the victim's files, adding a ".GDCB" extension to each encrypted file. The ransomware also creates a ransom note, which is a text file containing instructions on how to pay the ransom and decrypt the victim's files. The ransom amount varies depending on the version of GandCrab and the victim's location, but it typically ranges from $400 to $800.


The ransom payment is typically made through a digital currency, such as Bitcoin or Dash, to a wallet controlled by the hackers. The victim is given a unique decryption key, which they can use to decrypt their files once the ransom has been paid.


However, there are several risks associated with paying the ransom. Firstly, there is no guarantee that the hackers will actually provide the decryption key after receiving the ransom payment. There have been cases where victims have paid the ransom but did not receive the decryption key, resulting in the permanent loss of their files.


Secondly, paying the ransom may also encourage the hackers to continue their activities, as it shows that their tactics are effective. This can lead to more victims being targeted, and the proliferation of similar ransomware strains.


Therefore, it is generally advised that victims do not pay the ransom and instead seek alternative methods of recovering their files. These methods may include using backups, restoring from a system restore point, or seeking the assistance of a cybersecurity expert.

In response to the threat posed by GandCrab, several cybersecurity firms have released decryption tools that can help victims recover their files without paying the ransom. These tools typically work by analyzing the encryption used by the ransomware and finding a way to decrypt the files without the need for the decryption key.


One notable example is a decryption tool released by the cybersecurity firm Bitdefender in February 2018, which was able to decrypt files encrypted by the first three versions of GandCrab. However, the effectiveness of these decryption tools may vary depending on the version of GandCrab being used and the level of encryption applied to the victim's files.