The attackers behind the vicious ransomware known as GandCrab have made their money (loosely estimated at over $2 billion) and are retiring. Most of us work for a living and then retire, but these guys steal money to retire. A lot of money. Shortly after their announcement that they are retiring (no doubt to figure out a new way to steal from us), a decryption tool to nullify the ransomware is being offered through a collaboration led by the FBI, Europol, Bitdefender, and others.
According to ZDNet, “It is thought that over 1.5 million Windows users have been infected with GandCrab since it first emerged in January 2018…by…one of the most aggressive forms of ransomware.”
The decryption tool being offered responds to the most recent versions of the ransomware (GandCrab 5.0 through GandCrab 5.2) and allows users who have been previously attacked by older versions to retrieve the encrypted files.
Although it is good news that the GandCrab attackers are shutting down their operation, it could present problems for victims, because it means that when GandCrab shuts down, all of the keys that can open files for victims will be deleted and the victims will lose forever the ability to restore the files. Further, once the keys are deleted, even if they pay the ransom, they will not be able to get the key.
Therefore, FBI, Europol, Bitdefender, and others have recommended that companies which have fallen victim to GandCrab use the tool to restore any affected files before the encryption keys are destroyed.