Decrypt GandCrab Ransomware for free [ Guide ]

Ransomware has become a big issue in recent times. A lot of people reach out to me when their files get locked by some ransomware. But once your system is encrypted by ransomware, you can do very little about it unless a decryptor is already available. GandCrab is one of the most popular ransomware families, and in this article we will discuss how to decrypt files locked by GandCrab using a decryption tool developed by the Romanian Police, Europol and Bitdefender.

The tool is an update on a first version that was released in February by Bitdefender. The new GandCrab decrypter is more potent and can recover data for more GandCrab versions: v1 (GDCB extension), v4 (KRAB extension), and v5 (random 10-character extension, also the current/latest GandCrab version).

The free GandCrab decryption tool will decrypt files encrypted by versions 1, 4 and 5 of the ransomware. These versions are recognizable by the extensions they use: GDCB, KRAB, and a series of random characters of various length (example: .rnsgl). Instructions on using the decryptor are available later in the article.

Bitdefender was able to create the decrypter after the developer of GandCrab released legitimate and authentic decryption keys for victims located in Syria, out of compassion.

"The most targeted countries based on all versions of GandCrab are: US, UK, China, India, Brazil, and Germany," says Bitdefender.

Decrypting GandCrab v1, v4, and v5

To use the new GandCrab Ransomware decryptor, you need to make sure you have an available copy of the ransom note as it contains a key that will be used to decrypt your files.

Once you confirm that you have an available ransom note on the computer, you should download the decryptor using the following link.

Once downloaded, start the decryptor and accept the license agreement. You will then be shown the main decryptor screen. At this screen, put a checkmark in "Scan entire system", as shown below, and then click on the "Scan" button.

The decryptor will now begin to scan for a decryption key and decrypt any files encrypted by GandCrab that it can find.

When finished, the decryptor will indicate if it had any problems decrypting files. As you can see from the image below, the decryptor stated "Some files could not be decrypted".

To determine what files were not decrypted, you can view the log files located at %Temp%\BDRemovalTool\BDRansomDecryptor\BDRansomDecryptor1600.log. The log file name may be slightly different per computer. This log file will list all files that it could not decrypt.

The Top 3 Reasons to Monitor a Cell Phone

Telephone booths were essential items in the early twentieth century because they facilitated long distance communication. Then landlines became a reality in the latter years of this century. Today, we have mobile devices. These devices help you talk to anyone in the globe at any time as long as the other person accepts the call. Sadly, these devices are as harmful as they are helpful. Kids are particularly vulnerable to the harm that results from misusing them. Therefore, tracking mobile devices is critical in many instances. Here are the top 3 reasons to monitor a cell phone.

1. Protect Your Loved Ones from Cyber Bullying
Twenty-five percent of teenagers have experienced cyberbullying at some point in their lives. Statistics also show that most of this bullying occurs through mobile devices. Shielding them from this vice is critical because bullying devastates children emotionally. Sadly, protecting your kids from cyberbullies is a daunting task because kids are afraid to speak about it. Remember, only 10% of bullied teens report such incidents to their parents. Monitoring their cellular activity is an excellent way of helping them. More specifically, you will discover cases of harassment. Then you will talk to them about it in addition to dealing with the culprit. Protecting fellow adults from cyber bullies is also necessary in some cases.

2. Catch Unscrupulous People Including Predators
Unscrupulous people often use smartphones to harm or defraud their victims. Remember, these people rely on isolating their targets. Then they can manipulate them without their loved ones knowing about it. For example, imagine someone blackmailing your spouse over an embarrassing incident that occurred years ago. Another person can take advantage of an employee at your office convincing him or her to reveal sensitive information about your organization. Moreover, predators rely on the impressionable nature of children. That is how they lure them away from home. Did you know that 8% of teenagers have met someone they came across online? Monitoring cell phones would help you catch these unscrupulous people so that you can protect your spouse, employees, and kids.

3. Discovering the Truth about Events and Situations
People often lie about specific events and situations. Unfortunately, they fail to realize the impact of those lies on everyone involved. Usually, explaining to them why telling the truth is essential bears no fruit. The only recourse you have under such circumstances is monitoring their cellphones. Doing so is especially critical in cases where someone is suffering from depression, negative influence from peers, or addiction among other problems. You need to know what kind of websites this person is visiting. What plans does his peer group have? What kind of purchases is your child making? Relationships are worth monitoring as well. For example, is there an inappropriate workplace relationship that is happening under your nose? Is your daughter dating someone? What is his intention towards her? In this post, you will discover a highly specialized spy app that will enhance your monitoring capabilities.

Freelancers in Fiverr and are baited with job offers to download malware

and Fiverr are two of the most popular freelancer platforms on the internet. Thousands of people visit the website to get jobs or get their work done. And wherever a lot of people gather, hackers make it their target. Cybercriminals are targeting freelancers in a new malware campaign, sending malicious macros disguised as job offers.

Security researchers at MalwareHunterTeam have discovered a new piece of malware that is targeting freelancers.

In one example, the threat actors sent an email asking the intended victim to check the attached document and then get back to them with a “cost and time frame,” while in another example the threat actor sent over a document entitled “My details.doc,” which also contained malware.

Once the document is opened, the recipient is asked to enable macros, which work as a malware dropper. MalwareHunterTeam has urged users to refrain from enabling macros and to keep their anti-virus software activated when opening new files. For instance, one of the victims who had their anti-virus software enabled was able to detect the malicious document.

Cryptojacking and India - Government Websites Being Used to Mine Cryptocurrency and Routers Used to Spread Cryptojacking Malware

Ever since Coinhive launched its service in September 2017, cryptojacking has become very popular (mostly for malicious uses). Earlier, people used to mine cryptocurrencies on their own hardware, but as the mining difficulty increased, so did the hardware requirements. Services like Coinhive gave people the power to use someone else's system to mine cryptocurrency and make money.

What Is CryptoJacking ?

Cryptojacking is defined as the secret use of a user's computing device to mine cryptocurrency. Cryptojacking used to be confined to the victim unknowingly installing a program that secretly mines cryptocurrency. In-browser cryptojacking doesn't need a program to be installed, which makes it more scary.

In the last few months we saw a lot of news regarding cryptojacking. A few examples:

1. Cryptojacking rates increased by 85 times in Q4 2017 as bitcoin prices spiked: report
2. Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit

It's a new topic and not much research has been done on it, and because it helps hackers make money anonymously, a lot of hackers are into it.

As I'm in my final year of Computer Science (undergraduate), I decided, together with two of my friends, Shakil Ahmed and Anisha Sharma, to do research on the topic Cryptojacking - Its detection and prevention.

Before moving ahead with our research we wanted to do a small experiment and see if Indian websites ( mainly Government websites ) and systems are infected with cryptominers and its impact.

The Experiment

Our first aim was to make a list of all the government websites of India and see if they are infected by cryptominers. We searched online for a list of government websites but did not find any, so we headed over to the website which lists all government websites. From that website we got around 4,000+ Indian government websites.

The next step was to see if the websites have any cryptojacking scripts in them. Today there are many services which allow users to create an account and start using their cryptomining scripts. The most popular among them is . So for our experiment we checked for “coinhive.min.js”, which is the original Coinhive JavaScript library used in cryptojacking.

It was not a deep analysis: in our experiment we only checked the HTML of the homepage of each website, so if the script was not present in the homepage we moved on to the next step. We skipped sub-domains too.

We found the following two websites infected by cryptojackers:


It is a subdomain of which has a global ranking of 2495 (Alexa). According to Similar Web, gets more than 160k+ visits per month (Source). Since a lot of people visit the website, it's a perfect target for hackers, as more views mean more money.

We did a reverse IP Lookup on the website and found two more websites :


Both of them were infected by cryptojacking scripts.


It is the website of Nagarrjuna Government College, Nalgonda.

Here is what a Coinhive script looks like:

<script src=""></script>
<script>
 var miner = new CoinHive.Anonymous('USER ID', {throttle: 0.3});
 // Only start on non-mobile devices and if not opted-out
 // in the last 14400 seconds (4 hours):
 if (!miner.isMobile() && !miner.didOptOut(14400)) {
   miner.start();
 }
</script>

In Coinhive each user has their own unique USER ID, so we decided to dig further and see how many other websites were infected by the same person who infected the above-mentioned websites.

Here are the Coinhive USER IDs of the above websites:

1. -- T9UtNcvcu9o197o4xvHWm49rC3Ba81QR
2. -- FEYZ3nALPTlIN0OtzyC78vPpTBYCJzde

We used PublicWWW to see how many other websites were infected by these two users.

1. T9UtNcvcu9o197o4xvHWm49rC3Ba81QR  -- 36 Websites 
2. FEYZ3nALPTlIN0OtzyC78vPpTBYCJzde -- 49 Websites
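
The homepage check and USER ID pivot described above can be reproduced defensively on pages you are responsible for. This is an added example, not the tooling used in the experiment: it flags a coinhive.min.js include, extracts the key from CoinHive.Anonymous(...) in inline scripts only, and groups hosts by key. The hosts, URL and keys in the sample are constructed placeholders.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
# Constructor call from the snippet quoted above: CoinHive.Anonymous('<key>', ...)
KEY_RE = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([^'\"]+)['\"]")

class MinerScan(HTMLParser):
    """Collects coinhive.min.js includes and inline script text from one page."""
    def __init__(self):
        super().__init__()
        self.in_script, self.library_srcs, self.script_text = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src") or ""
            if "coinhive.min.js" in src.lower():
                self.library_srcs.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # skip visible text that only mentions the API
            self.script_text.append(data)

def scan_page(html):
    """Return the miner library includes and site keys found in one page."""
    scanner = MinerScan()
    scanner.feed(html)
    scanner.close()
    keys = sorted(set(KEY_RE.findall("".join(scanner.script_text))))
    return {"library": scanner.library_srcs, "keys": keys}

def group_by_key(pages):
    """Map each site key to the hosts whose homepage embeds it."""
    groups = defaultdict(list)
    for host, html in sorted(pages.items()):
        for key in scan_page(html)["keys"]:
            groups[key].append(host)
    return dict(groups)

# Constructed sample homepages; hosts, URLs and keys are placeholders.
MINER = ('<script src="https://miner.example/lib/coinhive.min.js"></script>'
         "<script>var miner = new CoinHive.Anonymous('%s', {throttle: 0.3});</script>")
SAMPLE_PAGES = {
    "college.example": "<html><body>" + MINER % "PLACEHOLDER_KEY_A" + "</body></html>",
    "dept.example": "<html><head>" + MINER % "PLACEHOLDER_KEY_A" + "</head></html>",
    "blog.example": "<p>new CoinHive.Anonymous('PLACEHOLDER_KEY_B') explained</p>",
    "clean.example": "<html><script src='/js/app.js'></script></html>",
}
```

Two hosts sharing one key point to the same Coinhive account, which is the pivot the experiment performed with PublicWWW; the blog.example page shows why matching only inside script elements avoids flagging articles that merely quote the snippet.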

From this experiment it is clear that hackers are now targeting government websites for mining cryptocurrency, as those websites get high traffic and most people trust them. Earlier we saw a lot of government websites getting defaced, but now injecting cryptojackers is trending as it makes money for the hacker.

After this experiment on government websites, we tried to see if any Indian systems are affected by cryptojackers. A few days back we read the following news: Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware.

We used to see how many routers are currently infected and where they are located. We used the following query: http.component:"coinhive" product:"MikroTik http proxy".

To our surprise, India ranked second, with more than 13,500 routers affected by cryptojackers, which spread it further among users. Top cities include:

1. Raipur
2. Pune
3. Udaipur
4. Mumbai


Through our experiment we got to know that cryptojacking is spreading fast, as it is profitable and the majority of people are unaware of it and don't know how to protect themselves from it. There was a time when hackers used to deface websites, and that was easy to detect. But now they simply add cryptojacking scripts to compromised websites, making it difficult for users and website owners to detect.


How to recover permanently deleted files in Windows [ Full Guide ]

Our files are very important to us. These days we store a lot of information on our PCs, be it our favorite photos, our tax details, academic records, etc. But often, for some reason, it gets deleted. I'm sure you must have faced a situation where you deleted a file to free up some space, only to later realize that you actually needed that file. I guess I'm not the only one who does this often. For this reason Windows came up with the Recycle Bin feature, so that at least you can restore files.

But, but, but (I know you have guessed it already), what if we did a permanent delete of files, or what if our hard disk crashed and all our data is gone? In such cases we often feel lost, as our data is gone and there is no way to recover it. Well, it's not the end of the world. We have something called data recovery software, which helps users recover permanently deleted files. Don't expect it to recover all of your files, but hey, something is better than nothing. Right?

If your hard disk keeps on crashing you should definitely check this article: 5 Best External Hard Drives To Buy In 2018

In this article I'll be showing you a software called EaseUS Data Recovery Wizard which can help you recover permanently deleted files. EaseUS Data Recovery Wizard Free makes the task of recovering deleted data a breeze. The interface of the program is quite user-friendly, and the recovered files are displayed in a typical Explorer format. EaseUS Data Recovery Wizard can typically recover files from:

  • An existing partition
  • Deleted data from a deleted partition
  • Deleted data from a corrupted partition
  • Deleted data from a partition that had been deleted, then overwritten with another.

Here is a step-by-step guide on how you can use it:

Step 1: Download and install the software. This is what the first screen will look like.

Here you need to select the folder in which you had your deleted files.

Step 2: Now it will start scanning; you can see the progress bar at the top.

Step 3: After the quick scan is done, the software will show you a few files which were deleted. If you have not yet found the file, you can go for a deep scan.

Step 4: Now you can see the preview of the deleted files. You can recover them by clicking the Recover button.

Step 5 : Once the operation of preview or search is completed, you can select the targeted files and press Recover button to recover and save them on your computer or storage device. At this point, make sure you save all the recovered files on another disk to avoid data overwriting.

Decryption Tool for LockCrypt Ransomware released

Popular antivirus company Bitdefender released a decryption tool which can recover files encrypted by LockCrypt ransomware. But the catch is that it can only decrypt files encrypted by an older version of LockCrypt ransomware that locks the files with the .1btc extension.

The Bitdefender decryption tool may not be useful for current victims of the LockCrypt ransomware, but users who still have copies of their (.1btc) encrypted files can use it to recover files. Using the tool is pretty simple, as the interface is self-explanatory.

The LockCrypt ransomware is a ransomware strain that infects victims after hackers use brute-force attacks to break into companies' networks via RDP connections, and then manually run the ransomware's binary.

LockCrypt version    Status
.BI_D                Not decryptable
.1btc                Decryptable using Bitdefender tool
.lock                Decryptable (contact Michael Gillespie)
.2018                Decryptable (contact Michael Gillespie)
.mich                Decryptable (contact Michael Gillespie)

The ransomware was first spotted in June 2017, and security researchers tracked its authors to a group that was previously active on the Satan Ransomware-as-a-Service portal.