GandCrab is a form of ransomware that encrypts all the user's files and changes the extension. The family consists of numerous variants, such as GDCB, KRAB, CRAB virus, GandCrab 2, GandCrab 3, GandCrab 4, and GandCrab 5.
In the beginning, after two months of active distribution, the first versions of the ransomware were defeated by the Romanian police, experts from Bitdefender, and Europol. After the flaw in the ransomware code was revealed, authorities hacked the cybercriminals and Bitdefender created a free GandCrab decryptor, which is available on the NoMoreRansom project.
In version 1, the extension is .GDCB. Versions 2 and 3 have the .CRAB extension. In version 4, the extension is .KRAB. Version 5 and current versions have a random 5-10 character extension. During the first months of 2019, the operators presented several new versions that demand a 2000 USD ransom in Dash or Bitcoin in exchange for the decryption key. The improved versions GandCrab 5.0.4 and GandCrab 5.1 haven't been decrypted because hackers patched the critical flaw within 24 hours after the Bitdefender decryptor was released. The latest version of the ransomware as of right now is GandCrab V5.2.
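For incident triage, the extension scheme above can be turned into a quick check over a file listing. This is an added example, not code from Bitdefender or any other tool named on this page; the function name, the character set assumed for the random extension, the list of inner file types and the sample paths are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Extension-to-version mapping as stated on this page.
FIXED = {".gdcb": "1", ".crab": "2 or 3", ".krab": "4"}
# Version families this page lists as covered by the Bitdefender tool.
# Extensions cannot separate 5, 5.0.4, 5.1 and 5.2, so they share "5.x".
PAGE_DECRYPTOR_LIST = {"1", "4", "5.x"}
# Assumption: the random extension is 5-10 letters or digits.
RANDOM_EXT = re.compile(r"\.[a-z0-9]{5,10}")
# Assumption: user-file types that would sit under an appended extension.
KNOWN_INNER = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
               ".txt", ".zip", ".sql"}


def classify(paths, min_hits=3):
    """Return (version_family, extension, on_page_decryptor_list) or None."""
    fixed, random_like = Counter(), defaultdict(list)
    for p in paths:
        # PureWindowsPath splits on both "\\" and "/" separators.
        suffixes = [s.lower() for s in PureWindowsPath(p).suffixes]
        if not suffixes:
            continue
        last = suffixes[-1]
        if last in FIXED:
            fixed[last] += 1
        elif (len(suffixes) >= 2 and suffixes[-2] in KNOWN_INNER
              and RANDOM_EXT.fullmatch(last)):
            random_like[last].append(suffixes[-2])
    if fixed:
        ext = fixed.most_common(1)[0][0]
        return FIXED[ext], ext, FIXED[ext] in PAGE_DECRYPTOR_LIST
    # One unknown extension on several files of differing original types
    # is the pattern a random appended extension leaves behind.
    for ext, inner in sorted(random_like.items(), key=lambda kv: -len(kv[1])):
        if len(inner) >= min_hits and len(set(inner)) >= 2:
            return "5.x", ext, "5.x" in PAGE_DECRYPTOR_LIST
    return None


# Constructed sample listings, not taken from a real incident.
SAMPLE_V5 = [r"C:\Users\a\Documents\budget.xlsx.qhtwzc",
             r"C:\Users\a\Documents\plan.docx.qhtwzc",
             r"C:\Users\a\Pictures\cat.jpg.qhtwzc",
             r"C:\Users\a\notes.txt"]
SAMPLE_V4 = ["/srv/share/report.pdf.KRAB", "/srv/share/db.sql.KRAB"]

if __name__ == "__main__":
    print(classify(SAMPLE_V5))
    print(classify(SAMPLE_V4))
```

An extension match is only a first indicator of the version family; the ransom note and the decryption tool's own check should confirm it.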
On June 1st, 2019, GandCrab announced that the ransomware would shut down. They eventually retired on June 17th, 2019.
The virus appends a .[random characters] file extension. Additionally, the victim is given a Tor address to buy the so-called GandCrab Decryptor from the virus creators. The quote from one of the latest victims reveals that the user can be left with nothing:
Our outsourced IT, Protek Support, received a ransomware on their master server affecting all their 80 clients including us yesterday morning. They’ve paid the ransom this morning about 7 am, but we are still waiting to get our files decrypted and it’s already 4:45 pm.
Bitdefender released a decryption tool that works with versions 1, 4, 5, 5.0.4, 5.1, and 5.2.
The decryption tool can be found here: