{
	"id": "92966667-6c0b-4afc-88ad-bf067b0d0d94",
	"created_at": "2026-04-06T00:11:03.715423Z",
	"updated_at": "2026-04-10T03:20:53.792126Z",
	"deleted_at": null,
	"sha1_hash": "12eec0ef2feb596707c6c582bd0ed6d6ff4eb0b4",
	"title": "GandCrab ransomware operator arrested in Belarus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2425822,
	"plain_text": "GandCrab ransomware operator arrested in Belarus\r\nBy Ionut Ilascu\r\nPublished: 2020-07-31 · Archived: 2026-04-05 21:03:33 UTC\r\nAn affiliate of the GandCrab ransomware-as-a-business (RaaS) has been arrested, according to an official release.\r\nAuthorities were able to identify the individual in cooperation with law enforcement in Romania and the U.K.\r\nThe cybercriminal’s identity has not been published but Office “K” of the Ministry of Internal Affairs in Belarus says that he\r\nis a 31-year-old living in Gomel, a city in southeastern Belarus.\r\nEncrypted computers in nearly 100 countries\r\nThe arrested GandCrab member was an affiliate, or 'Advert', for the organization and was responsible for distributing the\r\nransomware to victims.\r\n\"It was established that a 31-year-old resident of Gomel who had no previous convictions infected more than a thousand\r\ncomputers. For decrypting each of them, he demanded an amount equivalent to 1.2 thousand US dollars. Access to the\r\nadmin panel for managing the ransomware botnet was carried out via the darknet, which allowed the attacker to remain\r\nanonymous for a long time,\" said Vladimir Zaitsev, Deputy Head of the High-Tech Crimes Department of the Ministry of\r\nInternal Affairs.\r\n\"Part of the profit was transferred to the administrators (operators) of the server he leased. 
The victims of the hacker were\r\nusers from almost a hundred countries, and the largest number of victims were in India, the USA, Ukraine, Great Britain,\r\nGermany, France, Italy and Russia,\" Zaitsev added.\r\nIt is unclear how much money the criminal made from this operation but he shared part of the paid ransoms with GandCrab\r\nadministrator(s) who kept a server hidden in the darknet, allowing affiliates to remain hidden.\r\nAs part of their role of infecting victims, GandCrab affiliates would earn 60% for the first three ransom payments they are\r\nresponsible for. After the third payment, their revenue share would jump to 70%.\r\nThis means if the arrested affiliate was demanding $1,200 as a ransom payment, they would earn $840 per victim and the\r\nGandCrab developers would earn $360.\r\nLarger affiliates who demanded millions of dollars would stand to make far greater amounts.\r\nGandCrab shut down their operation on June 1st, 2019, after claiming to have generated more than $2 billion in ransom\r\npayments and personally earning $150 million.\r\nAfter GandCrab was shut down, the FBI released the master decryption keys for the ransomware and BitDefender released a\r\ndecryptor that allowed victims to recover their files for free.\r\nIt is not known how law enforcement obtained these keys, but it could have been through a seizure of one of the Tor\r\npayment servers.\r\nAfter GandCrab shut down, another ransomware variant called REvil, or Sodinokibi, was created to fill the void left behind.\r\nIt has been reported that there are code similarities and ties between the operators/affiliates of REvil ransomware and\r\nGandCrab.\r\nSource: https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/"
	],
	"report_names": [
		"gandcrab-ransomware-operator-arrested-in-belarus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434263,
	"ts_updated_at": 1775791253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12eec0ef2feb596707c6c582bd0ed6d6ff4eb0b4.pdf",
		"text": "https://archive.orkl.eu/12eec0ef2feb596707c6c582bd0ed6d6ff4eb0b4.txt",
		"img": "https://archive.orkl.eu/12eec0ef2feb596707c6c582bd0ed6d6ff4eb0b4.jpg"
	}
}