Recently, the cybercriminal group behind GandCrab ransomware had a change of heart and provided decryption keys to Syrian victims. So what prompted this sudden change? The reason goes back to a tweet.
Jamil Suleman, a Syrian war survivor, posted a public tweet expressing outrage over being hacked by the GandCrab ransomware. According to Suleman, his sons died during the Syrian war. In times of despair, he found solace in their videos and photos, which helped him go on living. However, in the middle of October 2018, Suleman’s PC was infected by GandCrab ransomware, and the photos and videos of his sons were encrypted and made inaccessible. The ransom note asked for $600 to restore them.
Suleman explained that because of the war, he was unable to make ends meet for himself and his wife, so paying $600 was impossible. In the end, he requested help so he could relive the memories of his children. The series of tweets touched the hearts of the GandCrab cybercriminal group, and they decided to make public the decryption keys for Syrian victims.
They explained that their campaign was never meant to hack Syrian users; they had simply forgotten to add the country to their list of exceptions. In an underground forum, they provided a zip file containing the decryption keys. The file held two text documents: readme.txt and SY_keys.txt. The readme.txt gave the instructions for ransomware removal and described how to use the other file, SY_keys.txt, which stored all the decryption keys.
However, the cybercriminals emphasized that their kindness was restricted to Syrians only. Part of the reason behind this act of generosity is the hackers’ political support for Syria in the ongoing war.