Gandcrab developers show empathy towards Syrian ransomware victims

Last week, an individual with a particularly acute ransomware story took to twitter to plead for help, reaching out to us in the process.

We claim no credit whatsoever for the end result (we get a large volume of fictitious and malicious inbound that looks substantially similar every day), but we’re glad to see the resolution.  The visibility of the individual’s outreach was picked up by other outlets and caught the attention of the GandCrab ransomware developers. In a display of empathy, the GandGrab developers released decryption keys for all victims of Syrian origin. Not adding Syria to the original block list was a mistake they admitted.  

Gandcrab ransomware is unique in that the developers have invested a great deal in the payment and decryptor tool delivery infrastructure. That investment likely paid off in this instance as they were able to programmatically make a change to their TOR payment site to allow residents of Syria to download decryptor tools for free.

This example of ransomware developers releasing decryption keys is not entirely unique. There are other examples of hackers releasing publicly accessible decryption keys after their campaigns end.  When decryption is not urgent we always counsel clients to preserve copies of encrypted data. When decryption tools or keys are publicly released those who preserve their data have the ability to make a full recovery.