The authors of the GandCrab ransomware have released decryption keys for citizens of Syria.
The public release of these decryption keys was prompted by a tweet from a Syrian victim. He asked for help recovering his encrypted files, among which were photographs of his deceased children, who were casualties of the civil war in Syria.
After a little while, the cybercriminals behind the GandCrab ransomware noticed the tweet and responded with a post of their own on a forum. The post states that they have released the keys for all victims of Syrian origin.
In addition to that announcement, they explained that it was a mistake for Syria not to have been added to the exclusion list in the first place. If a given country is on that exclusion list, its people won’t get their files encrypted by GandCrab ransomware, even if they download it to their computer systems. Interestingly enough, the message from the developers of GandCrab did not specify whether Syria will be added to the exclusion list in the future.
Below you can see a preview of the forum post mentioned in the above paragraph:
Inside the post, there is a link to an archive file that contains the released decryption keys for Syrian victims. The archive is a .zip file containing two files, readme.txt and SY_keys.txt.
The readme.txt file explains how the key file is organized and why the keys were released. The contents of these files are in Russian, so a machine translation is shown below:
id – ver – key
GandCrab for help SY people.
Decryptor to develop independently for each version.
We believe in the “power” of Bitdefender, since they all promise the decryptor constantly, and it is not yet ready, but now it is being developed and will soon be ready. Without keys, true. We would very much like the decryptor to be written by Kaspersky or Eset.
The most important thing is not to indicate that he will help everyone. He will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries.
We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.
Whose keys are not (only for citizens of Syria and the CIS, Ukraine including) – you need to come to us and take a picture of yourself with a passport and payment page. After that, we will issue a decryptor for free.
This is indicated just in case any clever people patch the file so that it works everywhere. Hi, Polish kurvy.
As for other countries – we will not share the keys, even if we are closed someday. We will remove them. It is necessary to resume the punitive process in respect of some countries.
Let me remind you that you can only decrypt using our keys that are stored on our server. We issue them only after payment. There are no other miracle ways.
With love from crabs, representatives of different countries, religions, beliefs and beliefs.
— With the support of the forum xss.is (ex. Damagelab) —
The SY_keys.txt file contains a list of around 1000 decryption keys for Syrian victims. GandCrab ransomware versions from 1.0.0 through 5.0 are supported, and each line contains a victim id, version, and decryption key.
If a Syrian citizen is not included in this list, the ransomware developers state that they will release new keys for them on the condition that they take a picture of themselves along with their passport and their payment page. However, we at SensorsTechForum advise against sharing private data such as a picture of your passport (or any other identification document).
As for victims residing in other countries, the cybercriminals show no mercy and state that even if they give up the ransomware project, no other GandCrab decryption keys will be released; they will be deleted instead.
A decryptor is not yet available, but with the keys we should expect one to be made in the near future.