{
	"id": "7b90d651-8d07-4262-8e24-d6fbbf335995",
	"created_at": "2026-04-06T01:29:28.773628Z",
	"updated_at": "2026-04-10T03:21:08.895021Z",
	"deleted_at": null,
	"sha1_hash": "5c5c769df33dabb7e3c3b4a3ea28025ff22e6699",
	"title": "GandCrab ransomware operators put in retirement papers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3150318,
	"plain_text": "GandCrab ransomware operators put in retirement papers\r\nBy Doug Olenick\r\nPublished: 2019-06-04 · Archived: 2026-04-06 01:28:25 UTC\r\nMalware\r\nJune 3, 2019\r\nAfter operating for about 18 months, the RaaS gang operating under the name GandCrab has announced it has\r\ncashed out of the game and has retired.\r\nGandCrab’s operators posted a message on a dark web forum indicating the group had made more than $2 billion\r\nwith its RaaS operation, had laundered the money and was planning a life of leisure, ZD Net reported.\r\nGandCrab uses various exploit kits to deliver a wide variety of malware, including ransomware and\r\ncryptocurrency mining malware, and has undergone several upgrades and revisions since it was rolled out in\r\nJanuary 2018.\r\nThe retirement notice said the group would stop operations within a month and at that time it would delete all its\r\ndecryptor keys essentially stranding any victims who have not yet paid.\r\nSherrod DeGrippo, ProofPoint’s senior director of threat research and detection, told SC Media she has noticed a\r\nsteady decline in the volume and frequency of the ransomware over the last few weeks, mainly small campaigns\r\ninvolving Sodinokibi ransomware, but she noted GandCrab’s retirement move is something being seen more\r\noften.\r\n“This appears to be a case of actors getting out while they are still on top. While malware strains often come and\r\ngo, we have seen some cybercriminals announce their ‘retirement’ such as the actor behind the Zeus banking\r\nTrojan. Interestingly, this actor returned to the scene later with an updated version of the malware,” she said.\r\nDeGrippo noted the GandCrab portal is still active and will likely remain so as affiliates cash out their earnings.\r\nPierluigi Stella, CTO of Network Box USA, offered several reasons why the GandCrab folks decided to hang up\r\ntheir hats ranging from having a bit more intelligence than other criminals to the possible fact that ransomware\r\nmay becoming less of a threat due to better defensive methods.\r\n“Are they actually 'giving up' or have they made enough money that they don't need to continue risking being\r\ncaught?  Hackers usually get caught only when they get greedy and don't know when to stop. This group seems to\r\nbe smarter - they have made enough money, haven't been caught, and are retiring at the height of their career,”\r\nStella said.\r\nMalwarebytes Malware Intelligence Analyst Marcelo Rivero, called the move a suprise and that \"Considering\r\ntheir history of jokes and irony we probably should wait for those 20 days to see what really happens.\"\r\nhttps://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/\r\nPage 1 of 4\n\nAlthough many companies, municipalities and other types of organizations are frequently victimized, Stella said,\r\n“Personally, I am not aware of any of our clients ever actually getting ransomware.  And, disaster recovery\r\nprocedures now cover ransomware as a possible case of disaster.  Therefore, it is possible that ransomware is\r\nbecoming less lucrative and this group is getting out while they're still \"on top\", maybe because they are going to\r\nfocus on something else, i.e. cryptojacking.”\r\nOthers do not believe the GandCrab actors are giving up their day job.\r\n“It is astonishing to read that a cybergang has made so much money they are retiring, and they are publicly\r\nannouncing it. They are thumbing their noses at all of us. I wouldn’t believe a word of it, though – I would\r\nimagine it would be hard to stop, and they will likely resurface soon in another form, helping crooks damage\r\nunprotected businesses,” said Dan Tuchler, CMO at SecurityFirst.\r\nRivero added, \"Generally they do not usually retire until they are arrested (there are also the so-called \"Exit\r\nScams\") or they simply leave the game without prior announcement as in this case.\"\r\nDoug Olenick\r\nRelated\r\nhttps://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/\r\nPage 2 of 4\n\nGet daily email updates\r\nSC Media's daily must-read of the most current and pressing daily news\r\nhttps://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/\r\nPage 3 of 4\n\nSource: https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/\r\nhttps://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/"
	],
	"report_names": [
		"gandcrab-ransomware-operators-put-in-retirement-papers"
	],
	"threat_actors": [],
	"ts_created_at": 1775438968,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c5c769df33dabb7e3c3b4a3ea28025ff22e6699.pdf",
		"text": "https://archive.orkl.eu/5c5c769df33dabb7e3c3b4a3ea28025ff22e6699.txt",
		"img": "https://archive.orkl.eu/5c5c769df33dabb7e3c3b4a3ea28025ff22e6699.jpg"
	}
}