GandCrab was a highly influential ransomware-as-a-service (RaaS) operation that emerged in January 2018 and quickly became one of the most widespread and profitable cybercriminal enterprises of its time. It pioneered several features and business models that shaped the modern ransomware landscape.
Key Characteristics
GandCrab operated as a RaaS, allowing affiliates to distribute the malware in exchange for a share of the ransom payments, typically 30–40% to the developers. This model enabled rapid proliferation by leveraging a network of cybercriminals with varying technical skills.
Technical Features
• Utilized RSA encryption to lock victims’ files, appending extensions like .GDCB and .CRAB.
• Demanded ransoms in DASH cryptocurrency, making it one of the first major ransomware strains to use this method.
• Distributed through multiple vectors, including phishing campaigns, exploit kits (RIG, GrandSoft), malvertising, and Remote Desktop Protocol (RDP) brute-force attacks.
• Frequently updated with new versions and features, making detection and decryption challenging.
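The file extensions listed above are the simplest host-side indicator a defender can key on. As an added illustration (not code from the original article or from any vendor), the Python below scans constructed file-event log lines and flags a process that produces a burst of files ending in .GDCB or .CRAB within a short window. The log format, process ids, paths, window and threshold are assumptions constructed for this example; in practice the same check would run over EDR or Sysmon file-creation telemetry.

```python
"""Added example, not from the original article: a minimal detector for
GandCrab-style encryption activity. It looks for newly written or renamed
files carrying the .GDCB or .CRAB extensions the article names, and alerts
when one process produces several of them within a short window. The log
format and the sample lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article attributes to GandCrab-encrypted files.
RANSOM_EXTENSIONS = {".gdcb", ".crab"}

# Constructed log format: "<ISO timestamp> <EVENT> pid=<n> path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+pid=(?P<pid>\d+)\s+path=(?P<path>.+)$"
)


def parse_event(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "event": m.group("event"),
        "pid": int(m.group("pid")),
        "path": m.group("path"),
    }


def has_ransom_extension(path):
    """True if the path ends in one of the GandCrab extensions (case-insensitive)."""
    lower = path.lower()
    return any(lower.endswith(ext) for ext in RANSOM_EXTENSIONS)


def detect_encryption_bursts(lines, window_seconds=10, threshold=3):
    """Return sorted (pid, count) pairs for every process that created or renamed
    at least `threshold` ransom-extension files inside some `window_seconds` span.
    `count` is the largest number of such events seen in one window."""
    window = timedelta(seconds=window_seconds)
    per_pid = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] not in {"CREATE", "RENAME"}:
            continue
        if has_ransom_extension(ev["path"]):
            per_pid[ev["pid"]].append(ev["ts"])

    alerts = []
    for pid, stamps in per_pid.items():
        stamps.sort()
        start, best = 0, 0
        # Sliding window over the sorted timestamps of this process.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((pid, best))
    return sorted(alerts)


# Constructed sample telemetry: pid 4120 encrypts four files in five seconds,
# pid 900 touches a single .crab file, pid 777 renames three files spread over
# forty minutes, and one line is malformed.
SAMPLE_LOG = [
    "2019-03-04T10:00:00 CREATE pid=4120 path=C:\\Users\\alice\\Documents\\budget.xlsx.CRAB",
    "2019-03-04T10:00:01 CREATE pid=4120 path=C:\\Users\\alice\\Documents\\notes.docx.CRAB",
    "2019-03-04T10:00:02 WRITE pid=4120 path=C:\\Users\\alice\\Documents\\readme.txt",
    "2019-03-04T10:00:03 CREATE pid=4120 path=C:\\Users\\alice\\Pictures\\holiday.jpg.CRAB",
    "2019-03-04T10:00:04 RENAME pid=4120 path=C:\\Users\\alice\\Pictures\\family.png.CRAB",
    "2019-03-04T10:05:00 CREATE pid=900 path=C:\\Temp\\sample.crab",
    "2019-03-04T11:00:00 RENAME pid=777 path=D:\\share\\report.pdf.GDCB",
    "2019-03-04T11:20:00 RENAME pid=777 path=D:\\share\\plan.pdf.GDCB",
    "2019-03-04T11:40:00 RENAME pid=777 path=D:\\share\\memo.pdf.GDCB",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for pid, count in detect_encryption_bursts(SAMPLE_LOG):
        print(f"ALERT: pid {pid} wrote {count} ransom-extension files within 10s")
```

Two practical notes on the design: the literal extension match is the weakest part, since the article itself records that GandCrab was updated often and later builds did not keep the same extensions, so the burst-of-renames heuristic is the part worth keeping and tuning; and the window and threshold should be set from a baseline of normal file activity on the host class in question, because a single stray .crab file (pid 900 above) is not evidence of anything on its own.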
Scale and Impact
• Infected over 50,000 computers within its first month, with most victims in Europe.
• Its authors claimed to have extorted over $2 billion in ransom payments by the time they announced their retirement in May 2019.
• At its peak, GandCrab was estimated to account for half of the global ransomware market.
• Affiliate System: GandCrab’s affiliate program provided partners with web panels and technical support, lowering the barrier to entry for cybercriminals and enabling a vast, distributed attack network.
Retirement and Transition to REvil
On May 31, 2019, GandCrab’s operators declared they were shutting down operations, boasting about their profits and encouraging affiliates to cease activity or risk losing access to their ransom payments.
Technical analyses have shown that GandCrab’s code, infrastructure, and many affiliates transitioned directly to the REvil (Sodinokibi) ransomware operation. Both families share nearly identical string decoding functions, command-and-control URL patterns, and code components, strongly suggesting that REvil is a direct successor developed by the same group.
Notable Innovations
• Big Game Hunting: GandCrab popularized targeting large organizations (so-called “big game hunting”) for higher ransom payouts, a tactic later perfected by REvil.
• Hybrid Attacks: Later variants were paired with information-stealing malware like Vidar, allowing attackers to profit even if victims refused to pay the ransom.
• Agility: GandCrab was known for its rapid development cycle, quickly patching vulnerabilities and adapting to security countermeasures.
