GandCrab Ransomware


Belarus law enforcement officials have arrested a 31 year old man believed to be behind the GandCrab Ransomware, extorting over 1000 victims from 2017 to 2018. The hacker demanded fractional Bitcoin payments of $400 to $1500 from his victims. Bitcoin transactions are mostly untraceable online, thus suitable for hacking payments. This hacker attacked victims by sending out millions of Phishing emails. These Ransomware attacks weren’t only in Belarus. The hacker infected systems in the US, UK, Ukraine, France, Italy, and Russia as well. Authorities suspect this hacker to be a career cybercriminal who earned all his income hacking individuals or businesses. The hacker was not only found to use GandCrab Ransomware, he also created and sold malware for buyers on underground forums.

What is GandCrab?

The Internet has enabled the creation of many different “as-a-Service” products, such as: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Common “as-a-Service” examples include Salesforce, Slack, and Microsoft O365. The hacker community has also embraced the “as-a-Service” model. Underground Dark Web forums exist to trade and sell hacking tools, credentials, and hacking advice. GandCrab sits squarely in this model. It is referred to as a Ransomware-as-a-Service (RaaS), removing the obstacle of developing, deploying, and running your own hacking tools. GandCrab operators do most of the work for you. Operators charge “fees”, typically 30%, mirroring what Apple and Google do in their SaaS marketplaces respectively. 

The authors of GandCrab shut down their RaaS offering in 2019, bragging that that their “affiliates” had raked in over $2 billion, and hundreds of millions for the operators themselves. GandCrab authors released this statement as to why they shut down GandCrab: 

“For the year of working with us, people have earned more than $2 billion. […] But […] all good things come to an end. We are leaving for a well-deserved retirement. We have proved that by doing evil deeds, retribution does not come.”

REvil and MAZE Ransomware

Sophos believes GandCrab hackers haven’t retired but instead have continued developing new more devastating ransomware services. Ransomware traditionally encrypted files impacting data availability, however, strong backups enabled companies to ignore extortion requests by restoring their files. Experts believe GandCrab authors retired it to build a new ransomware attack focused on data confidentiality. CyberHoot wrote about a more dangerous ransomware called MAZE back in April of this year. MAZE exports company’s critical data and threatens to release it to the public Internet. Likewise, Sophos argues the GandCrab authors developed and released REvil Ransomware to do the same. In June of 2020 GSMLAW experienced this new REvil ransomware attack which threatened to auction personal information about celebrities and popular organizations including: Mariah Carey, Lebron James, Nicki Minaj, MTV, and Universal. 

REvil and MAZE ransomware represent a significant escalation in the threats posed to companies by ransomware. Backups are no longer a mitigating control against these attacks. Companies need a new approach to protecting themselves. CyberHoot would argue companies need an approach that reduces the risk of infection to begin with. 

What To Do?

The best way to defend against most cybersecurity threats is through educating your staff and clients to improve their awareness. Lucy Security CEO, Colin Bastable, commented on the recent Garmin Ransomware attack,

“All the security technology in the world is not going to protect against determined attackers. 97% of losses stem from socially-engineered attacks and over 90% are initiated by email”.

With these statistics in mind, it should be obvious the first step in securing your business: train your users

Ransomware attacks are growing in frequency, sophistication, and impact forcing more organizations to pay the ransom. As long as businesses keep paying, hackers will continue developing more devastating attacks. CyberHoot helps organizations educate their staff and reduce the likelihood of these ransomware infections.

In addition to CyberHoot awareness training, perform these additional actions to protect your business and reduce the chances of falling victim to this all-too-common attack vector:

To learn more about Ransomware, watch this short 3 minute video:

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.