Data Insider: Digital Guardian's Blog

GandCrab Ransomware Gang Calling It Quits

by Chris Brook on Tuesday June 4, 2019


The cybercriminals are reportedly winding down operations around the ransomware after claiming it generated more than $2 billion in ransom payments

The contingent of cybercriminals behind the GandCrab strain of ransomware are reportedly calling it quits - but not without raking in what the group is suggesting has been a boatload of cash.

In a message posted to an underground hacking forum over the weekend, the authors behind the malware claimed to have personally earned more than 150 million dollars per year and that the ransomware itself has generated over $2 billion in ransom payments.

The ransomware, which encrypts documents, photos, databases and other files and appends the extension “.GDCB”, “.CRAB” or “.KRAB” to them, first arrived on the scene last January and quickly ramped up in the months following.
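A practical use of the extension detail above is a quick triage sweep of a file share after an incident. The script below is an added example, not code from Digital Guardian or from any GandCrab analysis: it walks a directory (or takes an exported file listing), flags files carrying one of the three extensions named in the post, recovers the original file type that was encrypted, and reports directories where most files look encrypted. The 50 percent "mostly encrypted" threshold is an assumption chosen for this example, not a published figure.

```python
"""Triage sweep for GandCrab-style encrypted files (added example)."""
from collections import Counter, defaultdict
from pathlib import Path, PurePath
from typing import Dict, Iterable, List

# Extensions GandCrab appended to encrypted files, as named in the post.
GANDCRAB_EXTENSIONS = {".gdcb", ".crab", ".krab"}

# ASSUMPTION: example threshold for flagging a directory as "mostly encrypted".
SUSPECT_RATIO = 0.5


def is_gandcrab_extension(name: str) -> bool:
    """True if the file name's last suffix is one of the known GandCrab extensions."""
    return PurePath(name).suffix.lower() in GANDCRAB_EXTENSIONS


def original_extension(name: str) -> str:
    """Strip the ransomware suffix and return the victim file's own extension
    (e.g. 'report.docx.CRAB' -> '.docx'); '(none)' if there was none."""
    return PurePath(name).with_suffix("").suffix.lower() or "(none)"


def summarize(paths: Iterable[str]) -> Dict[str, object]:
    """Group path strings by directory and flag directories where the share of
    GandCrab-extension files meets SUSPECT_RATIO. Pure function, so it can be fed
    from a live walk or from a file listing exported off an isolated host."""
    per_dir: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # [hits, total]
    hits: List[str] = []
    victim_types: Counter = Counter()
    for p in paths:
        d = str(PurePath(p).parent)
        per_dir[d][1] += 1
        if is_gandcrab_extension(p):
            per_dir[d][0] += 1
            hits.append(p)
            victim_types[original_extension(p)] += 1
    flagged = sorted(d for d, (h, t) in per_dir.items() if t and h / t >= SUSPECT_RATIO)
    return {
        "hits": hits,
        "hit_count": len(hits),
        "flagged_dirs": flagged,
        "victim_types": dict(victim_types),
    }


def sweep(root: str) -> Dict[str, object]:
    """Walk a directory tree on disk and summarize it."""
    files = (str(p) for p in Path(root).rglob("*") if p.is_file())
    return summarize(files)


if __name__ == "__main__":
    import sys
    result = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{result['hit_count']} encrypted-looking files")
    print("victim file types:", result["victim_types"])
    for d in result["flagged_dirs"]:
        print("flagged directory:", d)
```

Extension matching only finds files that are already encrypted, so this is a scoping tool for response, not a prevention control; a directory that is flagged tells you which shares to take offline and which backups to check, while the victim-type counter tells you what kinds of data were hit.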

"We are leaving for a well-deserved retirement," one of the alleged operators wrote, “... we proved that in a year you can earn money for a lifetime. We have proved that it is possible to become number one not in our own words, but in recognition of other people.”

The post also asks affiliates to stop distributing the ransomware within 20 days and encourages victims to pay up or their keys will be deleted by the end of the month. It's unclear if this is a legitimate claim or a last-ditch power move by the authors in hopes of making one final cash grab, however.

Lawrence Abrams, who runs the tech help forum BleepingComputer and specializes in ransomware research, doesn't doubt the attackers made millions but questions whether they made $2 billion.

“These lofty claims are not surprising, as the developers of GandCrab have always been jokesters and have engaged security researchers in ways most malware developers do not,” Abrams wrote on Saturday. “Using taunts, jokes, and references to organizations and researchers in their code, it was obvious that the GandCrab developers were monitoring us as much as we were monitoring them and got a big kick out of it.”

If this is indeed the end for GandCrab, the authors' efforts have proved successful. For more than a year, even in the face of the SamSam ransomware and the blossoming popularity of cryptocurrency miners, GandCrab was one of the most widely distributed and updated variants. Earlier this spring, a year after it was released, it held roughly 40 percent of the ransomware market.

Last fall the ransomware had infected half a million machines in the U.S. A fraction of those, 1,700 victims, were able to decrypt their files after the antivirus company Bitdefender released a decryption tool. The tool, developed with help from Europol and the Romanian Police and supported by the FBI, has been updated since its initial release; its most recent iteration, released in February, lets victims of GandCrab versions 1, 4, and 5.0.1 through 5.1 recover their files. Files encrypted by v2 and v3 are not covered.

While GandCrab likely caused hundreds of millions of dollars in losses, the decryption tool is believed to have saved victims upwards of $18 million by the end of February.

The ransomware has been delivered by spam campaigns and by exploit kits such as RIG and GrandSoft, and has also been spread from compromised legitimate websites. Last May, researchers with Cisco Talos found it being served from websites that attackers had compromised by exploiting vulnerabilities in web frameworks.

Earlier this year a campaign spreading GandCrab took aim at organizations running internet-exposed MySQL servers, which the attackers found simply by running persistent scans for them; in the months before that, it targeted managed service providers running Kaseya's remote monitoring tool.

Tags: Malware, Ransomware


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.