GandCrab RaaS service to shut down after gaining $2 billion in profits

GandCrab operators are shutting down their malicious services after a year and a half of operation

Crooks ending GandCrab ransomware operation after earning $2 billion

Operators of GandCrab have been informing their customers to stop distributing the ransomware within 20 days

GandCrab ransomware[1] is widely known as one of the most notorious cyber threats in modern malware history. The threat surfaced on January 28th, 2018, and since then its creators have been releasing new variants regularly, all while running a Ransomware-as-a-Service (RaaS) scheme.

Finally, after causing tremendous losses for home users and companies in various sectors,[2] the GandCrab operators decided to shut down the operation, claiming to have earned enough money to retire. The authors state that the illegal business earned $2 billion in total, of which $150 million was their personal gain. Surprisingly, the crooks claim to have invested the dirty money into legitimate businesses, both online and in real life:[3]

We successfully cashed this money and legalized it in various spheres of white business both in real life and on the Internet.

The creators of GandCrab urged all third-party distributors to stop spreading the ransomware within 20 days of the official announcement.[4] The operators contacted all RaaS clients by email to notify them of the upcoming shutdown.

Victims are urged to pay the ransom before the deadline, as all the keys will be destroyed

Even though GandCrab was a great success for its developers, since a share of the income earned by RaaS customers went straight into the operators' pockets, clients have been losing interest in this ransomware over the past year, according to technology researcher Michael Gillespie.[5]

Despite this, GandCrab has still been a very successful piece of malware, distributed by many affiliates. It has been spread via email spam (malicious attachments), exploit kits, and third-party sources (e.g., peer-to-peer networks). Cybersecurity researchers welcome the termination of this dominant ransomware strain, which should eventually prevent enormous monetary losses and other damage related to GandCrab attacks.

However, the GandCrab operators urge victims to pay for file decryption quickly, as victims will not be able to recover their data once the threat actors stop the operation in 20 days.[6] They claim that all the keys will be deleted, although security researchers believe this is merely a threat intended to collect as much money as possible before the shutdown. The authors of several other ransomware families, for example CrySiS, FilesLocker and TeslaCrypt, simply released their keys when closing down, so that victims could decrypt their files for free.

$2 billion worth of ransom payments is likely a lie

Security experts believe that the claim of $2 billion in income may well be false. While plenty of victims are willing to pay the ransom, only a few percent of all victims actually go through with the Bitcoin transfer.

Such claims of ridiculous profits do not come as a surprise, however. The GandCrab authors are known for planting jokes and even taunts (directed at malware researchers) in the ransomware's code, whereas most malware developers do not engage in such interactions.

One such example occurred when the GandCrab developers decided to communicate with malware researchers through dialog boxes. Likewise, the names of the Command & Control servers were chosen to mimic well-known security research domain names, such as esetnod32.bit, nomoreransom.bit, emsisoft.bit, and similar ones.
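The C2 naming trick above has a defensive upside: the lookalike names used a .bit top-level domain, which belongs to Namecoin rather than the public DNS, so a resolver on a corporate network should never see such queries from a benign host. The following Python script is an added example, not code from the article or from any vendor, and it assumes a simple constructed DNS query log format of "timestamp client query-name record-type" per line. It flags .bit lookups and separately notes when the name imitates one of the security vendors named in the article, while leaving the vendors' real .com/.org domains alone.

```python
import re
from collections import namedtuple

# Constructed sample DNS query log (not real traffic). Assumed format:
# "<timestamp> <client_ip> <query_name> <record_type>"
SAMPLE_DNS_LOG = """\
2019-06-01T10:00:01Z 10.0.0.15 www.example.com A
2019-06-01T10:00:02Z 10.0.0.15 esetnod32.bit A
2019-06-01T10:00:03Z 10.0.0.22 nomoreransom.bit A
2019-06-01T10:00:04Z 10.0.0.22 www.nomoreransom.org A
2019-06-01T10:00:05Z 10.0.0.31 emsisoft.bit A
2019-06-01T10:00:06Z 10.0.0.31 updates.emsisoft.com A
2019-06-01T10:00:07Z 10.0.0.40 mail.internal.lan A
"""

# Vendor/project names the GandCrab C2 domains imitated, as listed in the article.
LOOKALIKE_KEYWORDS = ("esetnod32", "nomoreransom", "emsisoft")

# TLDs that the public DNS root does not serve (.bit is Namecoin); any query
# for them from an ordinary workstation deserves a look on its own.
BLOCKCHAIN_TLDS = {"bit"}

Finding = namedtuple("Finding", "timestamp client qname reasons")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_query(qname):
    """Return a list of reasons a queried name is suspicious (empty if none)."""
    reasons = []
    labels = qname.lower().rstrip(".").split(".")
    tld = labels[-1]
    if tld in BLOCKCHAIN_TLDS:
        reasons.append("non-ICANN TLD .%s (Namecoin)" % tld)
        # Only treat vendor names as lookalikes under the odd TLD; the vendors'
        # real .com/.org domains are legitimate update/research traffic.
        if any(k in label for label in labels for k in LOOKALIKE_KEYWORDS):
            reasons.append("security-vendor lookalike name")
    return reasons


def scan_dns_log(text):
    """Parse log lines and return a Finding for every suspicious query."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, qname, _rtype = m.groups()
        reasons = classify_query(qname)
        if reasons:
            findings.append(Finding(ts, client, qname, reasons))
    return findings


def clients_to_investigate(text):
    """Group findings by client so each host is triaged once."""
    by_client = {}
    for f in scan_dns_log(text):
        by_client.setdefault(f.client, []).append(f.qname)
    return by_client


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f.timestamp, f.client, f.qname, "; ".join(f.reasons))
```

In practice the same check is worth running as a resolver-side rule (alert or sinkhole on .bit and other non-ICANN TLDs), since a host that resolves such names is either running a Namecoin resolver on purpose or talking to something it should not.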

Fortunately, all of these jokes and not-so-fun activities are coming to an end, as the operators have finally decided to stop their GandCrab operations at the end of this month. The threat has been known worldwide, and hardly a week went by without GandCrab being mentioned on cybersecurity news sites.

This ransomware has shown its face in fake email messages warning about a flu pandemic, with the crooks posing as a well-known healthcare organization. Furthermore, attackers even found a way to deliver the GandCrab payload via SQL commands. These are, however, only a very small part of the infections that GandCrab and its variants have caused since their release.

About the author

Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College, Communication and Journalism studies.