In an FBI Flash Alert, the FBI has released the master decryption keys for the Gandcrab Ransomware versions 4, 5, 5.0.4, 5.1, and 5.2. Using these keys, any individual or organization can create and release their very own GandCrab decryptor.

On June 1st, 2019, the developers behind the wildly successful GandCrab Ransomware announced that they were closing shop after allegedly amassing $2 billion in ransom payments and personally earning $150 million.

Two weeks later, in collaboration with Europol, the FBI, numerous law enforcement agencies, and NoMoreRansom, Bitdefender released a decryptor for files encrypted by GandCrab versions 1, 4, and 5 through 5.2.

While it was not stated how Bitdefender gained access to these keys, it is widely thought that they were able to gain access to the ransomware’s command and control servers in order to download the keys.

FBI lets anyone create a GandCrab decryptor

In a “FBI Flash Alert” shared with BleepingComputer, three master decryption keys for the GandCrab Ransomware were released to members of the FBI’s InfraGard program.

Bulletins released by the FBI through InfraGard are categorized using the Traffic Light Protocol, which dictates how the information can be shared. This alert titled “Master Decryption Keys for GandCrab, versions 4 through 5.2” was released as a TLP:White bulletin, which means that the information can be disclosed without restriction.

In addition to the master decryption keys, the bulletin explains how the GandCrab RaaS operated and related statistics.

“On 17 June 2019, the FBI, in partnership with law enforcement agencies from 8 European countries, as well as Europol and BitDefender, released a decryption tool applicable to all versions of GandCrab ransomware. The decryption tool can be found at The collaborative efforts further identified the master decryption keys for all new versions of GandCrab introduced since July 2018. The FBI is releasing the master keys in order to facilitate the development of additional decryption tools.

GandCrab operates using a ransomware-as-a-service (RaaS) business model, selling the right to distribute the malware to affiliates in exchange for 40% of the ransoms. GandCrab was first observed in January 2018 infecting South Korean companies, but GandCrab campaigns quickly expanded globally to include US victims in early 2018, impacting at least 8 critical infrastructure sectors. As a result, GandCrab rapidly rose to become the most prominent affiliate-based ransomware, and was estimated to hold 50% of the ransomware market share by mid-2018. Experts estimate GandCrab infected over 500,000 victims worldwide, causing losses in excess of $300 million.”

GandCrab master decryption keys

Below are the master decryption keys for GandCrab versions 4, 5, 5.0.4, 5.1, and 5.2. 

To use them properly, you would need to familiarize yourself with the encryption methods used by the various versions of GandCrab. A good introduction to the encryption algorithm used in version 4 can be found in this article by Fortinet.


Source: Bleeping Computer | By Lawrence Abrams | July 16, 2019 |

To learn more about FBI and GandCrab Ransomware, contact us today!

Roberto Baires
Contact us!

Micro Tech Resources | 5700 Stoneridge Mall Road, Suite 285, Pleasanton, CA, 94588