GarrantDecrypt ransomware operator charges $5000 for decryption. Price negotiable.

December 17, 2021

The SonicWall Capture Labs threat research team has been tracking a ransomware family known to parts of the antivirus community as GarrantDecrypt. The current variant appeared in late November 2021. The malware is aimed at casual PC users rather than large corporations, and the ransom demanded for file decryption is comparatively low at $5000 in BTC. This is significantly less than we have seen with most ransomware, and the price can be negotiated down further with the operator.


Infection Cycle:


Upon infection, files on the system are encrypted and each encrypted file is given a ".decrypt" extension. A ransom note named #file.decrypt#.txt is dropped into every directory that contains encrypted files:
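As an added triage example (our own illustration, not code from the original post, from SonicWall, or from the malware itself), the following Python script walks a directory tree and reports every directory showing the two on-disk indicators described above: files carrying the ".decrypt" extension and the #file.decrypt#.txt ransom note. The victim tree it scans is constructed inline for demonstration. The assumption that ".decrypt" is appended to the original file name rather than replacing its extension is ours, as is the decision to flag directories where the two indicators disagree.

```python
"""Filesystem triage for the GarrantDecrypt artifacts named in the write-up.

Added example, not SonicWall's or the malware's code. Indicators checked:
  * files ending in ".decrypt"           (encrypted victims)
  * a file named "#file.decrypt#.txt"    (ransom note, one per affected dir)
The sample tree below is constructed here for demonstration only.
"""
import os
import tempfile

ENCRYPTED_EXT = ".decrypt"
RANSOM_NOTE = "#file.decrypt#.txt"


def original_name(encrypted_name):
    """Recover the pre-encryption file name.

    Assumption (ours, not stated by the write-up): the malware appends
    ".decrypt" to the full original name, so stripping it restores the name.
    """
    if not encrypted_name.endswith(ENCRYPTED_EXT):
        raise ValueError("not a GarrantDecrypt-renamed file: %r" % encrypted_name)
    return encrypted_name[: -len(ENCRYPTED_EXT)]


def scan_for_indicators(root):
    """Walk `root`; return {relative_dir: {"encrypted": n, "note": bool}}.

    Only directories showing at least one indicator are reported, so a clean
    tree yields an empty dict. Paths use "/" regardless of platform so the
    result is easy to compare and to ship in a report.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for f in filenames if f.endswith(ENCRYPTED_EXT))
        note = RANSOM_NOTE in filenames
        if encrypted or note:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings[rel] = {"encrypted": encrypted, "note": note}
    return findings


def summarize(findings):
    """Return (affected_dirs, total_encrypted_files, dirs_with_files_but_no_note).

    The write-up says the note lands in every directory holding encrypted
    files, so encrypted files without a sibling note suggest an interrupted
    run or a partial clean-up and deserve a closer look during IR.
    """
    affected = len(findings)
    total = sum(v["encrypted"] for v in findings.values())
    missing_note = sorted(d for d, v in findings.items()
                          if v["encrypted"] and not v["note"])
    return affected, total, missing_note


def build_sample_tree(root):
    """Create a constructed victim tree (not real infection data)."""
    layout = {
        "Documents": ["report.docx.decrypt", "budget.xlsx.decrypt", RANSOM_NOTE],
        "Pictures": ["holiday.jpg.decrypt", RANSOM_NOTE],
        "Pictures/raw": ["img_001.cr2.decrypt"],  # encrypted, but note missing
        "Music": ["song.mp3"],                     # untouched directory
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("placeholder\n")
    return root


def demo():
    """Build the sample tree, scan it, and return (findings, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_for_indicators(tmp)
        return findings, summarize(findings)


if __name__ == "__main__":
    found, (dirs, files, no_note) = demo()
    for d in sorted(found):
        print("%-14s encrypted=%d note=%s" % (d, found[d]["encrypted"], found[d]["note"]))
    print("affected dirs:", dirs, "encrypted files:", files, "no note:", no_note)
```

Run against a live host, point `scan_for_indicators` at each user profile or mounted volume; the summary gives the scope of encryption quickly, and the "no note" list is where to start looking for anomalies before any recovery attempt.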


#file.decrypt#.txt contains the following message:


The malware disables various security policies on the system.  This can be seen in the decompiled code:


Only the encryption routine is present in the malware. Decryption requires a separate program provided by the operator:


We reached out to the operator, who appears to be German, and had the following conversation:



After a brief negotiation, we were able to have the price reduced:




SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GarrantDecrypt.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.