Popular Torrents Uploader Caught Sharing "GandCrab" Ransomware [Updated with GandCrab v.5.1 decryptor]

Torrent sites are banning CracksNow, a popular source of torrent uploads, after discovering that the uploader of cracks and keygens was distributing ransomware.

CracksNow was labeled as “trusted” before a number of users started noticing bad things happening to their computers. Torrentfreak shows one of the more recent examples in a screenshot depicting comments to a now-removed torrent. According to the thread, the resulted download contained GandCrab version 5.1, the latest version of a nasty ransomware family. As any ransomware, GandCrab encrypts users” files and demands a crypto-ransom in exchange for the keys.

An administrator at torrent site 1337x.to told the publication, “He was banned by myself because I found ransomware in his uploads.”

“I also checked the same uploads from him on a couple other torrent sites and got the same results. I immediately alerted their staff about it so they could investigate and take appropriate action, which they did,” he said.

Several torrent sites banned the uploader upon hearing the news. 1337x reportedly still has some CracksNow uploads on file but assures Torrentfreak that the uploads have been checked for malware and are clean.

“I must admit that it is rare for a trusted uploader of this caliber to go rogue. It”s normally new guys that have the infected files,” the 1337x admin added.

As a rule of thumb, torrents are a risky affair, especially those that ask you to disable your AV. Always download software from trusted sources, and avoid pirated (cracked) executables at all times. Downloading pirated software increases your risk of malware infection.

Update: the latest version of our GandCrab decryption tool is available for download here. The new tool addresses infections with versions 5.0.4 through 5.1 – the latest used by cyber-criminals in recent attacks.