Dharma Ransomware Decryptor

GandCrab ransomware first became apparent in January 2018. GandCrab ransomware was first discovered in January 2018. It has since been updated with several minor versions and 5 major releases. The majority of the new versions were in response to free decryption tools released by firms such as Bitdefender, For every free decryption tool released, the GandCrab developers quickly responded with a new version. GandCrab is relatively unique in its distribution tactics and serves as a benchmark for how Ransomware-as-a-Service is operated. The operators behind the GandCrab payment TOR site provide support to distributors that purchase a GandCrab kit and lay the attacks. GandCrab is a common threat. Victims must understand the process of a GandCrab ransomware attack and what steps they must follow to decrypt the ransom payment.

What Causes GandCrab Attacks?

GandCrab Ransomware attacks can take place in many ways. The ransomware kit is so widely syndicated that the attack vectors change often. Remote Desktop Protocol continues to be a common attack vector for GandCrab. This is due to the prevalence of poorly secured RDP ports and ease of access through brute force or purchasing credentials on dark market sites. GandCrab Ransomware can target companies that permit remote access without implementing the appropriate protections. GandCrab attacks are also prone to email phishing. Exploit kits such as Trickbot, Mimikatze or Emotet are increasingly used by attackers to procure elevated credentials which allow them to encrypt the entire network of a targeted organization. GandCrab distributors are also known to exploit unpatched CVEs that allow remote code execution.

How does GandCrab encode files?

After GandGrab has been installed, it first kills any processes that could impede the encryption process. It checks for Russian keyboards and stops the process if it finds one. GandCrab uses a Tiny Encryption Algorithm (TEA) to encrypt files on affected machines. It is lightweight and difficult to detect. GandCrab uses a unique random algorithm to generate URLs for each ID it creates. This ID is used to create the encrypted file extension. It is also dropped onto a ransom note on the impacted computer. Each ID is assigned a corresponding TOR website.

How can you identify if GandCrab has encrypted your files?

GandCrab Ransomware adds random strings of letters to encrypted files. It generates a ransom notice that has the encrypted extension +manual.txt.

A file encrypted would look like the following (example: a word document).


ABCDEF-manual.txt would be the ransomware note. The full file must not be deleted from an encrypted computer as the key contained within it is required for decryption. If there is a possibility of it being deleted or modified, AV software should not be used. Below is an example of a typical GandCrab ransom notice:

GandCrab Ransom Note: Components


The version of GandCrab Ransomware can be found in the upper left corner of the ransom notes. Victims need to identify this version before taking any recovery steps as several versions of GandCrab have free decryption tools available. Distributors may also use decryptable versions for a period of time after the tool is released.


After commenting about the encryption of the files, the note instructs victims how to download the TOR browser and visit the unique TOR website that corresponds with the ransom note.


To decrypt the encrypted files, the key at the bottom must be used. Victims mustn’t move or delete ransom notes. The GandCrab decryptor may search for them during decryption. The decryption process will be impossible if they are deleted.

How to Unlock GandCrab Ransomware Encrypted Files

GandCrab’s TOR site is easy to navigate for victims. If you would like an in-depth review of the TOR site’s features, please see our prior guide. Be leery of any company that claims to be able to decrypt current versions of GandCrab using proprietary methods. Before deciding whether to pay, make sure you check the version.

You will need to wait for 3 blockchain confirmations to receive the link to the decryptor if you paid the ransom. Chatbox users can receive multiple decryptors if they choose to exchange IDs.

Get a Free Public GandCrab Encryptor

Recall that previous versions of GandCrab were decrypted and made available to the public by the IT security community. You may have luck if the GandCrab version that encrypted your files is older. Head over to No More Ransom to see if a decryption tool is available. To continue your ransomware recovery, if you don’t find one, please read the following.

Instructions for GandCrab Decryption from the TOR Website

GandCrab ransomware victims should make a 1×1 backup of all encrypted files before they begin the decryption process. Please follow this guide for a more detailed plan on how to safely make copies of encrypted data. You must also ensure that you have enough disk space to enable decryption. To run the decryptor, you will need twice as much disk space (to decrypt 100GB files, you’ll need 100GB). You can move encrypted files to another location if you don’t have enough disk space. Make sure to also move the -manual.txt file. The decryptor will create a backup of each encrypted file and then decrypt it.

Although the instructions on the TOR website are basic, they do a good job of explaining how the decryptor works. These are the steps:

1. As an administrator, open the machine

2. 2.Disable your Antivirus (it will interfere with the tool);

3. Make sure that the -manual.txt files are kept with encrypted files. If the.txt file isn’t on your machine, the decryptor tool will not run.

4. Get the decryptor software

5. Run decryptor.exe as administrator.

GandCrab Decryptor Options

Two command-line options are available to users who wish to use the console (cmd.exe), to run the decryptor. You can either direct the decryptor to a particular path, instead of decrypting all mapped drives, or you can run it without creating a copy. You can combine these options.

You can specify a target folder or file to decrypt to specify a decryption pathway. You can use this example:

cmd.exe C:\Users\Username\Desktop\Decryptor_5. [x].exe –path E:some_folder

No copies: If you need the decryptor faster and have backups of encrypted data, you may choose to use ‘back. In this mode, decryptors will not create a copy. This is riskier and could cause data loss or damage if the encryption fails. This option is strongly discouraged.

How to use the GandCrab decryptor tool

  • You will find the decryptor in a.zip file. The file should be opened. Next, open the.exe. This will create the following file:

2. The decryptor executable will open and display the following application. It has a countdown to begin the encryption process.

Before the GandCrab Decryptor starts, you can see the application window

3. The application will look as follows while the decryptor runs. The upper right corner will display a file count and a success or failure file count.

GandCrab Decryptor’s application window as it scans for and decrypts

4. After the decryptor finishes, you’ll see a success metric appear like this.

Once the GandCrab Decryptor is complete, the application window will close.

Troubleshooting the GandCrab Decoder

When you run the decryptor, it will create a log file called: decryption_log_utf16.txt. This file is located in the same directory that the decryptor. Log files contain errors that are identified as “error codes”. These codes are used to write to the log files after each file operation. Here are some common errors.

  • 0x5This error is usually a sign that the decryptor doesn’t have enough rights. To avoid this error, you should run a decryptor with administrator rights.
  • 0x3?0x27?0x70This means that the decryptor can’t create a copy of your file. First, ensure you have enough space for a backup file.
  • Do not hesitate to contact us if you have any ransomware issues involving GandCrab or any other variant.