The contingent of cybercriminals behind the GandCrab strain of ransomware is reportedly calling it quits - but not without raking in what the group claims has been a boatload of cash.
In a message posted to an underground hacking forum over the weekend, the authors behind the malware claimed to have personally earned more than 150 million dollars per year and that the ransomware itself has generated over $2 billion in ransom payments.
The ransomware, which encrypts documents, photos, databases and other files and appends the file extension “.GDCB”, “.CRAB” or “.KRAB”, first arrived on the scene last January and quickly ramped up in the months that followed.
"We are leaving for a well-deserved retirement," one of the alleged operators wrote, “... we proved that in a year you can earn money for a lifetime. We have proved that it is possible to become number one not in our own words, but in recognition of other people.”
The post also asks affiliates to stop distributing the ransomware within 20 days and encourages victims to pay up or their keys will be deleted by the end of the month. It's unclear if this is a legitimate claim or a last-ditch power move by the authors in hopes of making one final cash grab, however.
Lawrence Abrams, who runs the tech help forum BleepingComputer and specializes in ransomware research, doesn't doubt the attackers made millions but questions whether they made $2 billion.
“These lofty claims are not surprising, as the developers of GandCrab have always been jokesters and have engaged security researchers in ways most malware developers do not,” Abrams wrote on Saturday. “Using taunts, jokes, and references to organizations and researchers in their code, it was obvious that the GandCrab developers were monitoring us as much as we were monitoring them and got a big kick out of it.”
If this is indeed the end for GandCrab, the authors' efforts have proved successful. For more than a year, even in the face of the SamSam ransomware and the blossoming popularity of cryptocurrency miners, GandCrab was one of the most widely distributed and updated variants. Earlier this spring, a year after it was released, it held roughly 40 percent of the ransomware market.
Last fall the ransomware had infected half a million machines in the U.S. A fraction of those, 1,700 victims, were able to decrypt their files after the antivirus company Bitdefender released a decryption tool. The tool, developed with help from Europol and the Romanian Police and supported by the FBI, initially allowed victims of GandCrab versions 1, 4 and 5.0.1 through 5.1 to decrypt their files. The most recent iteration, released in February, covers versions 1, 4 and 5 up to 5.1 (v2 and v3 remain unsupported).
While GandCrab likely resulted in the loss of hundreds of millions, it's believed the decryption tool helped save upwards of $18 million by the end of February.
The ransomware has been dropped by spam campaigns and by exploit kits such as Rig and GrandSoft, and has also been spread via legitimate websites that were compromised. Last May, researchers with Cisco Talos discovered the ransomware being spread on websites after attackers leveraged vulnerabilities in web frameworks.
Earlier this year a campaign spreading GandCrab took aim at organizations running MySQL, simply by running persistent scans for exposed MySQL databases; in the months before that, it targeted managed service providers running a remote monitoring tool, Kaseya.