GarrantDecrypt ransomware operator charges $5000 for decryption. Price negotiable.


The SonicWall Capture Labs threat research team has been tracking ransomware, known to some in the antivirus community as GarrantDecrypt.  The current variant of this ransomware appeared in late November 2021.  The malware is aimed at infecting casual PC users rather than large corporations.  The ransom charge for file decryption is relatively cheap at $5000 in BTC.  This is significantly lower than what we have seen with most ransomware and the price can be negotiated down further with the operator.


Infection Cycle:


Upon infection, files on the system are encrypted.  Each encrypted file is given a “.decrypt” extension.  #file.decrypt#.txt is dropped into every directory containing encrypted files:


#file.decrypt#.txt contains the following message:


The malware disables various security policies on the system.  This can be seen in the decompiled code:


Only the encryption routine is present in the malware.  Decryption requires a seperate program provided by the operator:


We reached out to and had the following conversation with the operator who appears to be German:



After a brief negotiation, we were able to have the price reduced:




SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GarrantDecrypt.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.