Brief History of GandCrab Criminal Case
In August of 2020, a distributor of the infamous GandCrab ransomware was arrested in Belarus on charges of hacking and profiting off of more than 1,000 victims around the world.
The 31-year-old male was alleged to have distributed the malware between 2017 and 2018, demanding up to $1,500 in bitcoin to decrypt the victims’ data. It was not believed that the man in custody created the ransomware, but he was described as a distributor who rented access to an admin panel and could send off customized malware campaigns in return for a portion of any ransom payments.
This arrest came more than a year after GandCrab’s creators announced they were retiring. Since then, another dangerous ransomware strain dubbed ‘REvil’ has come to the forefront. Due to similarities in code and behavior, many experts believe there are strong links between the GandCrab and REvil ransomware developers.
What Exactly Do We Know About GandCrab?
GandCrab ransomware was first discovered in January 2018. This malware targets Microsoft Windows devices to encrypt victims’ files, and then demands payment of a ransom to recover stolen data.
According to Bitdefender, GandCrab ransomware has targeted more than 1.5 million victims worldwide, and its operators have claimed to have made over $2 billion in ransom payments. Little is known about the people behind GandCrab ransomware. However, the ransomware’s code had specific language-based rulesets that would not allow it to infect machines in Russia and former Soviet Union countries.
GandCrab uses the Ransomware-as-a-Service (RaaS) model, meaning that the authors sell access to the malware to clients, most often through a customizable admin portal, and the customers of the malware’s authors then conduct their own cybercrime campaigns.
REvil Ransomware the Heir Apparent to GandCrab Ransomware
Before the supposed shutdown of GandCrab ransomware, a ransomware named ‘REvil’ or Sodinokibi ransomware victimized high-profile targets including Travelex, a law firm representing several big-ticket celebrities and even President Donald Trump!
The Travelex attack forced the company offline and saw the attackers demand $6 million in return to restore their customers’ data, sensitive customer data like credit card information and birth dates. REvil ransomware also crippled local governments in the state of Texas in August of 2019.
Additionally, data stolen from a US IT staffing organization known as Artech Information Systems was published online in January of 2020 after the attackers claimed it failed to pay the ransom.
The shutdown announcement related to GandCrab ransomware added fuel to rumors that REvil ransomware was, in fact, being run by the same outfit, due to the two pieces of ransomware being remarkably similar.