In a post to an underground hacking and cybercrime forum, the GandCrab developers have released the decryption keys for Syrian victims.
The release of these decryption keys was in response to a Tweet where a Syrian victim asked for help after photos of his deceased children were encrypted.
They want 600 dollars to give me back my children, that's what they've done, they've taken my boys away from me for some filthy money. How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?
— جميل سليمان (@kvbNDtxL0kmIqRU) October 16, 2018
After seeing this tweet, the GandCrab developers posted on a forum that they had released the keys for all Syrian victims. They also stated that it was a mistake that Syria was not on the original list of countries GandCrab would not encrypt, but did not say whether it would be added going forward.
In the post is a link to a zip file that contains the released decryption keys for Syrian victims. This zip file contains the readme.txt and SY_keys.txt files.
The readme.txt file contains information on how the key file is organized and information on why the keys were released. As the contents of this file are in Russian, I have included the translated version below.
format: id - ver - key

GandCrab for help SY people.

For antiviruses: the decryptor has to be developed independently for each version. We believe in the "power" of Bitdefender, since they all promise the decryptor constantly, and it is not yet ready, but now it is being developed and will soon be ready. Without keys, true. We would very much like the decryptor to be written by Kaspersky or Eset. The most important thing is not to indicate that it will help everyone. It will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries. We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.

Those whose keys are not here (only for citizens of Syria and the CIS, Ukraine included) - you need to come to us and take a picture of yourself with a passport and payment page. After that, we will issue a decryptor for free. This is indicated just in case any clever people patch the file so that it works everywhere. Hi, Polish kurvy.

As for other countries - we will not share the keys, even if we are closed someday. We will remove them. It is necessary to resume the punitive process in respect of some countries. Let me remind you that you can only decrypt using our keys that are stored on our server. We issue them only after payment. There are no other miracle ways.

With love from crabs, representatives of different countries, religions, beliefs and beliefs.

--- With the support of the forum xss.is (ex. Damagelab) ---
The SY_keys.txt file contains a list of 978 decryption keys for Syrian victims. These include keys for GandCrab versions 1.0.0r through 5.0, and each line contains the victim ID, the GandCrab version, and the decryption key, in the "id - ver - key" layout described by the readme.
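As an added example (it is not part of the original article, and not a tool from GandCrab, a vendor or a researcher), the script below parses a key dump laid out in the readme's stated "id - ver - key" format, reports how many keys each GandCrab version has, and lets a victim check whether their ID appears. The only detail taken from the page is that line layout; the assumption that fields are separated by a hyphen with whitespace on both sides, the version-string pattern, the case-insensitive ID match, and every sample ID and key in SAMPLE_KEYS_TXT are constructed placeholders, not values from the real SY_keys.txt.

```python
"""Parse a key dump in the 'id - ver - key' layout named in the GandCrab readme.

Added example, not from the original article or from the released SY_keys.txt.
Everything beyond the three-field layout is an assumption: the separator, the
version pattern, and all sample IDs/keys below (made-up placeholders).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample. The first line is the readme's own "format:" header; the
# IDs and keys are fabricated placeholders that decrypt nothing.
SAMPLE_KEYS_TXT = """\
format: id - ver - key
1111AAAA2222BBBB - 1.0.0r - 0f1e2d3c4b5a69788796a5b4c3d2e1f0
3333CCCC4444DDDD - 2.0 - 00112233445566778899aabbccddeeff
5555eeee6666ffff - 4.1.2 - ffeeddccbbaa99887766554433221100
7777AAAA8888BBBB - 5.0 - 0123456789abcdef0123456789abcdef
this line is malformed
"""


@dataclass(frozen=True)
class KeyEntry:
    victim_id: str   # normalised to upper case (assumption: IDs are case-insensitive)
    version: str     # GandCrab version string as written in the dump
    key: str         # opaque key material; this script never interprets it


# Assumption: fields are separated by " - " (hyphen with whitespace on both
# sides), the version looks like "1.0.0r" / "4.1.2" / "5.0", and the key is a
# single token with no spaces.
LINE_RE = re.compile(
    r"^(?P<id>.+?)\s+-\s+(?P<ver>\d+(?:\.\d+)*[a-z]?)\s+-\s+(?P<key>\S+)$"
)


def parse_key_dump(text):
    """Return (entries_by_id, rejected_lines).

    Blank lines and the 'format:' header are skipped. Any other line that does
    not match the layout is reported in rejected_lines instead of being dropped
    silently, so a victim can see whether the dump was damaged in transit.
    A victim ID listed twice keeps the last entry seen.
    """
    entries = {}
    rejected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("format:"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        entry = KeyEntry(m["id"].strip().upper(), m["ver"], m["key"])
        entries[entry.victim_id] = entry
    return entries, rejected


def count_by_version(entries):
    """How many keys the dump holds per GandCrab version."""
    return Counter(e.version for e in entries.values())


def lookup(entries, victim_id):
    """Case-insensitive lookup of a victim ID; None when it is not in the dump."""
    return entries.get(victim_id.strip().upper())


if __name__ == "__main__":
    entries, rejected = parse_key_dump(SAMPLE_KEYS_TXT)
    print(f"{len(entries)} usable entries, {len(rejected)} rejected line(s)")
    for ver, n in sorted(count_by_version(entries).items()):
        print(f"  version {ver}: {n}")
    print("match:", lookup(entries, "5555EEEE6666FFFF"))
    print("match:", lookup(entries, "not-a-real-id"))
```

Finding your ID in the list only answers the question "is my key among the 978 released?". It does not restore any file: as the readme itself says, a decryptor still has to be written for each GandCrab version, and that is the tool victims need to wait for.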
For Syrian victims whose ID is not on this list, the developers state they will issue a free decryptor if the victim sends a photo of themselves holding their passport alongside their payment page. That demand should itself be treated as a risk: handing identity documents to an anonymous criminal group hands them material for identity fraud, and there is no way to verify who receives the images or what else is done with them.
For victims in other countries, the developers continue to show no sympathy: they state they will never release those keys and will delete them when they shut down GandCrab.
Even though these keys have been released, they do not by themselves restore any files. A security vendor or researcher still has to build a decryptor for each GandCrab version these keys cover, and that is what affected victims need to wait for.
A big thanks to Damian1338 who alerted me to this release.
Not unheard of for ransomware devs to release keys
While it is not very common for ransomware developers to release keys for free, it is not unheard of either.
In May 2016, the then-dominant TeslaCrypt ransomware began to shut down. When an ESET researcher noticed this, he reached out to the developers and asked if they would release the keys. To everyone's surprise, they released the master decryption key so that any remaining victims could decrypt their files for free.
Later that year, after the CrySiS Ransomware developers switched to a new version, they released the keys for the older one. These decryption keys were released through posts to the BleepingComputer.com forums, as shown below.
Two more times that year, the CrySiS developers released their keys on internetnewsblog when they switched to new versions. That practice appears to have stopped since then, but we hope more keys are released in the future.