In a rather unusual move, developers of the notorious GandCrab have made the decryption keys for Syrian victims available for free. The keys were posted on an underground cybercrime forum by the developers after they read a series of tweets from a Syrian man who had photos and videos of his deceased sons encrypted by GandCrab V5.0.3.
They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for some filthy money. How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife? – جميل سليمان (@kvbNDtxL0kmIqRU) October 16, 2018
After reading the tweets, GandCrab developers decided to help the victims in Syria by posting the keys. They also claim that it was a mistake to not include Syria in the list of countries that GandCrab would bypass. However, while they claim to have made a mistake, it is not known whether future versions of GandCrab will encrypt files of Syrian users or not.
According to the post on the cybercrime forum, Syrian victims can download a decryption tool from the payment page, or if that is not an option, they should wait for antivirus developers to release a decryption tool. A zip file containing the decryption keys for Syrian victims was also added to the post. The zip file contains two files, readme.txt and SY_keys.txt. In the former, GandCrab developers explain that because of Syria’s political situation, economy and relations with the CIS countries, they have made the decision to help Syrian victims. They also state that if a Syrian victim’s decryption key is not included in the posted list, that person needs to take a picture of themselves, their payment page and their passport, and send it to them. If you find yourself in this situation, we suggest you approach the matter with extreme caution, as sending a picture of your passport can lead to serious consequences, such as identity theft.
Unfortunately, if you are a victim of GandCrab but are based outside of Syria, this sudden generosity of ransomware developers will not apply to you. They specifically state that they will not release keys for victims in other countries. Even if they close down the ransomware project, they will simply destroy the keys.
The SY_keys.txt file contains almost a thousand decryption keys for different GandCrab versions. Software company Bitdefender has updated their GandCrab decryptor with the keys, allowing Syrian users to decrypt files. The decryptor can be downloaded here. While it will most likely not work, you can try using the decryptor even if you are outside of Syria.
If you are located in another country, Bitdefender also advises against paying.
“Instead, take a backup of the ransomed files, along with the ransom note and store them somewhere safe, because help is coming really soon. We’re all working on it and we’ll solve this,” the company says.