Knockout - Ransomware Client Case 1 : Gandcrab v4 & how I solved

Follow me : @acharya_bijay

Before starting...
Let's dissect the title of this article:

Knockout : Nothing complex about "knockout". I prepare an article and a video on how I solved a client's problem, and "knockout" is the special name I give to these actions (actions = the solving process).

(Problem Solved = Problem Knocked Out)

Ransomware Client Case 1 : You now know that "Knockout" is just the actions. "Ransomware Client Case 1" relates to one of my clients (a ransomware victim), and it is all about the Gandcrab v4 ransomware.


Let's start : Knockout - Ransomware Client Case 1 : Gandcrab v4 & how I solved

Yes, I know that a decryptor for Gandcrab v4 is available (a tool made by Bitdefender), but first read the issue below. (The issue: "no ransom note available", "client formatted the HDD".)

How the process started:

✔ They came with a desktop PC.
✔ I asked, "What's the problem?"
✔ They replied, "Ransomware."
✔ Immediately I asked, "Did you format? Or did you run a malware clean-up? Or any sort of actions you tried???"
✔ They replied, "Yes, we ran an antivirus scan, then a clean-up utility. It didn't work, then we backed up our files to an external hard disk and we clean-formatted Windows, and again copied the files from the external HDD to the PC. But it didn't work. The files still can't be opened."
✔ ME : (Wow.) You did great. No chance of getting your files back now. (More conversation followed; let's stop the conversation details here...)

"Why do most people think that they can solve each and every problem on their own just by googling???"

Running a clean-up utility and clean-formatting Windows:
(the client's biggest mistake)

So, I placed the desktop in my lab section and prepared to turn it on. While it was turning on, I was thinking, "there must be at least a ransom note" for the .krab extension, a note like the one below (which I got later on):


Important in this note is :

---BEGIN GANDCRAB KEY---
lAQAAFRLqZccGaFVt/tF5OBR7Z1Yy(long, but i pasted only portion here)
---END GANDCRAB KEY---

---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U7Ox (long, but i pasted only portion here)
---END PC DATA---

BUT,
not a single note of this sort was available inside the folders (where the .krab encrypted files were). It was a headache. Why? Because without the ransom note (as shown above), the decryption tool from Bitdefender will not work and cannot decrypt files locked with the .krab extension.

Look at the screenshot below, from the Bitdefender PDF.


So, I tried to find out whether all notes carry the same key or not (for different victims), and I ended up finding that the keys are different. See the 2 screenshots below, keys I found on 2 sites:

1


2

Right after comparing the keys from the screenshots, I stopped searching around the key-related confusion and took some steps ahead.

Now, what could I do to get that ransom note? Steps I went through:

✔ Backed up all the locked files to my own drive.
✔ Removed the hard disk from the desktop.
✔ Connected it to an external HDD case.
✔ Connected the HDD to my data recovery system (at that moment, there was no hope of getting that one ransom note).
✔ After about 8 hours of the recovery process, I got some files recovered.
✔ But I couldn't access the image and text files (since the recovered image and text files had .dat extensions, as shown in the image below).

✔ Since a .dat file can be opened as text (only if the file really is a text file), I started to search for KRAB-DECRYPT.dat, and quickly found it (within 10 minutes).
✔ With the help of Excel, I opened the .dat file as a .txt file and got the key.
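Searching thousands of renamed .dat files by hand is slow; the script below automates the step above by scanning a recovery output folder for the GandCrab v4 note markers and pulling out the KEY and PC DATA blocks the Bitdefender tool needs. This is an added example, not code from the original post or from Bitdefender; it assumes only the note layout shown above, and every file name and base64 string in it is constructed, not a real victim's key.

```python
"""Find a GandCrab v4 ransom note among recovered files and pull out its key blocks.
Added example, not code from the original post or from Bitdefender. It assumes the
note layout shown above (---BEGIN/END GANDCRAB KEY--- and ---BEGIN/END PC DATA---);
every file name and base64 string below is constructed, not a real victim's key."""
import re
import tempfile
from pathlib import Path

KEY_MARKER = b"---BEGIN GANDCRAB KEY---"
BLOCK_RE = {  # re.S so a key wrapped over several lines is still captured
    "key": re.compile(r"---BEGIN GANDCRAB KEY---\s*(.*?)\s*---END GANDCRAB KEY---", re.S),
    "pc_data": re.compile(r"---BEGIN PC DATA---\s*(.*?)\s*---END PC DATA---", re.S),
}
# Constructed sample note; the key block is wrapped on purpose to exercise re-joining.
SAMPLE_NOTE = """All your files have been encrypted (constructed sample text)
---BEGIN GANDCRAB KEY---
Q09OU1RSVUNURURf
U0FNUExFX0tFWQ==
---END GANDCRAB KEY---
---BEGIN PC DATA---
Q09OU1RSVUNURURfUENfREFUQQ==
---END PC DATA---
"""

def extract_note_blocks(text):
    """Return {'key', 'pc_data'} with whitespace removed, or None if either block is missing."""
    found = {}
    for name, rx in BLOCK_RE.items():
        m = rx.search(text)
        if m is None:  # a partial note is useless to the decryptor
            return None
        found[name] = re.sub(r"\s+", "", m.group(1))
    return found

def scan_recovered(root):
    """Walk a recovery output tree (many renamed .dat files) and yield (path, blocks) per note."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            raw = p.read_bytes()
            if KEY_MARKER in raw:  # cheap pre-filter before decoding binary junk
                blocks = extract_note_blocks(raw.decode("utf-8", errors="replace"))
                if blocks:
                    yield p, blocks

def demo_scan():
    """Build a constructed recovery folder (one image fragment, one note) and report the hit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "file0001.dat").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        (root / "file0002.dat").write_text(SAMPLE_NOTE, encoding="utf-8")
        hits = list(scan_recovered(root))
        return {"count": len(hits), "file": hits[0][0].name, "key": hits[0][1]["key"]}
```

Point `scan_recovered()` at the real recovery output directory; any file it yields is a complete note whose blocks can be pasted into the decryptor.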

After this,

✔ I downloaded the .krab decryptor tool from here (Bitdefender). A screen like the one below will appear once you run the downloaded tool.


Finally, .KRAB was knocked out successfully :) 

Video :
