GandCrab ransomware gang member caught: actor from Belarus arrested

Distributor of one of the largest ransomware strains has been arrested in Belarus

Authorities of Belarus arrest a man responsible for GandCrab ransomware distribution

The Ministry of Internal Affairs of Belarus announced last week that one of the GandCrab ransomware actors had been arrested. The malware's developers, who operated a RaaS (ransomware-as-a-service) scheme, used multiple affiliates to distribute GandCrab to as many as 1.5 million hosts over the span of 1.5 years, resulting in millions of dollars in damages, with ransoms paid in Bitcoin or Dash cryptocurrency:[1]

The virus got to the computers of the victims through spammed PDF files: the cryptolocker encrypted the contents of the disks, making them inaccessible. In addition, the ransomware was equipped with a set of other exploits, the functionality of which included unauthorized tracking of the user, taking possession of his computer information, cryptomining, and other malicious functions.

According to the press release published late last week, the Ministry of Internal Affairs of Belarus, along with the cyber police of Great Britain and Romania, managed to arrest one of the affiliates, who was distributing the malware from an apartment in Gomel, a small town near the Russian and Ukrainian borders. The 31-year-old, who was not publicly named, is said to have no prior criminal record, although he was previously involved in the distribution of cryptominers.

Just one of hundreds of affiliates caught

Ransomware-as-a-service is a popular monetization tactic used by larger ransomware strains, including GandCrab, Jokeroo, Paradise, Nefilim, Sodinokibi, and many others. Instead of delivering the malicious payload to victims themselves, the malware authors advertise their services on hacking forums and recruit affiliates who handle distribution via various methods. In return for the rental service, the authors keep a certain percentage of the profits from ransom payments. The percentage varies by malware strain (GandCrab developers kept 40% of the profits, leaving 60% to the distributors).

According to some sources, the GandCrab developers had as many as 392 affiliates,[2] who helped them distribute the malware across the globe using exploits, spam emails, and other methods. While affiliates were successful in infecting regular consumers, the developers, who remain at large, also went big-game hunting, targeting large companies and businesses.

The arrested suspect registered on an underground dark web forum to apply as a distributor for the malware. Once he acquired access to the web panel, he tweaked several settings of the ransomware, which allowed him to deliver a customized version of GandCrab via malicious spam email attachments to as many as 1,000 victims in more than 100 countries. He is said to have demanded around $1,200 per victim; most victims were located in the US, United Kingdom, Germany, France, India, Russia, and Italy.

GandCrab shut down last year, yet the developer remains at large

While GandCrab was shut down by its developers in mid-2019, it was responsible for more than 50% of ransomware infections in 2018 and remains one of the most successful strains. Its developers boasted of earning as much as $2 billion, although security researchers were skeptical about these numbers, as no proof was provided. Nonetheless, retirement after just a year and a half came as a surprise, although it was quickly explained by the appearance of a new strain, REvil.[3]

Currently, REvil, also known as Sodinokibi, is one of the most successful ransomware strains, attacking high-profile targets such as Travelex.[4] The malware made headlines in May when it hit Grubman Shire Meiselas & Sacks and stole personal information of celebrities such as Lady Gaga, Madonna, and Mariah Carey, as well as President Trump; the developers demanded a $42 million ransom to keep the sensitive details secret.[5]

However, while many security researchers believe that REvil is the successor of GandCrab, this cannot be confirmed, as the developer of the malware still has not been arrested and remains free, most likely running the REvil ransomware operation.

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
