- A decryption tool has been released for Syrian victims who have been affected by the GandCrab ransomware that encrypts user files.
- The tool, developed by ESET Security, is free and works on all versions of the ransomware.
- The decryption keys were released by the malware authors themselves.
With the political and economic situation in Syria being at an all-time low, creators of the GandCrab malware have released the required keys to an underground forum. The developers of the malware released the keys shortly after a Syrian victim posted that he lost photos of his deceased children due to the encrypting malicious code.
They want 600 dollars to give me back my children, that's what they've done, they've taken my boys away from me for some filthy money. How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?
— جميل سليمان (@kvbNDtxL0kmIqRU) October 16, 2018
Developers of the GandCrab malware released a public message stating that the “political and economic situation as well as relations with CIS countries” were the primary reasons for releasing the keys. They also said this was a one-off exception: they will not share further keys or cease operations, regardless of any future circumstances. The malware operators admitted that it was a mistake to keep Syria among the targeted countries. However, it is unknown whether future campaigns will exclude Syria, because the latest version of the malware does not list Syrian languages among its exceptions.
The batch of keys released by the GandCrab developers will decrypt only the systems of Syrian victims. Security companies such as BitDefender and ESET Security have published decryption tools that work on all known versions of the ransomware. 979 Syrian victims are known to be affected, and the tools should work for all of them regardless of the version that infected them.
This is not the first time that malware creators have released decryption keys; the developers of TeslaCrypt, Crysis and AESNI have released theirs in the past. Using proper security tools and keeping the operating system updated are two fundamental measures one can take to avoid being affected by ransomware.