Decrypt files attacked with the latest versions of GandCrab ransomware

Share this…

Recover your encrypted files with this free tool

A tool recently launched by experts in cybersecurity and digital forensics allows you to recover files encrypted by some versions of GandCrab, a variant of ransomwarethat has affected hundreds of thousands of users since the beginning of 2018.

The free recovery tool for GandCrab decrypts files encrypted by versions 1, 4 and 5 of the ransomware. These versions are recognizable by the extensions they use: .GDCB, .KRAB and a variable-length random character string (for example. rnsgl). The instructions for performing the file recovery are explained below.

This new software is the result of joint work between several police organizations, including the Romanian police and digital forensics experts from France, Hungary, Italy, Poland, the Netherlands, the United Kingdom and the USA, as well as Europol.

It should be noted that experts are working on a solution to recover the data encrypted by the versions of GandCrab 2 and 3, which use the extension .CRAB; they also asks users to be patient and abstain from paying any ransom. The ransom note usually asks the victims between $600 and $6k USD in exchange for decrypt the files.

Decrypt GandCrab v1, v4 and v5

To use the new GandCrab decryptor, make sure you have an available copy of the ransom note, because it contains a key that will be used to decrypt your files.

Start the tool to get to the main screen of the decryptor. On this screen, place a checkmark in the “Scan entire system” option, then click the “Scan” button.


The tool then starts searching for a decryption key and restores any GandCrab-encrypted file it can find on your system.


When this process is over, the tool will tell you if it had any problems recovering any files. If this happens, the tool will display the message “Some files could not be decrypted”.


To determine which files were not decrypted, you can view the file log located at:


The log file name may vary slightly on each computer. This log file will display a list of all the files that the tool was unable to decrypt.

According to experts in digital forensics from the International Institute of Cyber Security, GandCrab is distributed worldwide thanks to the business model of ransomware-as-a-service (RaaS) implemented by its developers, who provide a toolkit for cybercriminals to deploy the malware into the victims’ systems, in exchange for 30% of the payments they receive for decrypting the files.

This ransomware family has been active since January and its developers launch updates frequently, improving the code and allowing GandCrab to avoid security measures. GandCrab has five versions to date, but it is very possible that a sixth is about to be launched.