{
	"id": "6af822c6-fe53-4c46-9db3-4d21a20828e3",
	"created_at": "2026-04-06T00:15:39.476247Z",
	"updated_at": "2026-04-10T03:21:06.389109Z",
	"deleted_at": null,
	"sha1_hash": "a862fd419ed61e7b50a5f1e87a33177f3afd2fb5",
	"title": "GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 906504,
	"plain_text": "GandCrab Ransomware Shutting Down After Claiming to Earn $2\r\nBillion\r\nBy Lawrence Abrams\r\nPublished: 2019-06-01 · Archived: 2026-04-05 17:15:54 UTC\r\nAfter almost a year and a half, the operators behind the GandCrab Ransomware are shutting down their operation and\r\naffiliates are being told to stop distributing the ransomware.\r\nFilling the gaps left behind by the shutdown of large scale ransomware operations such as TeslaCrypt, CryptoWall, and\r\nSpora, GandCrab exploded into the ransomware world on January 28th, 2018, when they started marketing their services on\r\nunderground criminal sites.\r\nSince then, they had become one of the dominant, if not the most dominant, actors in ransomware operations, with their\r\noperations only starting to slow down over the past few months.\r\nhttps://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nAccording to security researchers Damian and David Montenegro who have been following the exploits of GandCrab on the\r\nunderground hacking and malware forum Exploit.in, the GandCrab operators have posted that they are shutting down their\r\noperation.\r\nIn images provided to BleepingComputer by Damian, we can see the operators stating that they have generated more than $2\r\nbillion in ransom payments, with average weekly payments of $2.5 million dollars. They go on to say they have personally\r\nearned $150 million, which they have cashed out and invested in legal business entities.\r\nGandCrab Ransomware\r\nWith this announcement GandCrab has said they have stopped promoting the ransomware, asked the affiliates to stop\r\ndistributing the ransomware within 20 days, and asked their topic to be deleted at the end of the month.\r\nModerator closing the topic \r\nThey have also told victims to pay for needed decryption now as their keys will be deleted at the end of the month. This is\r\ncould be a last money grab and we hope that the GandCrab devs will follow other large ransomware operations and release\r\nthe keys when shutting down.\r\nBleepingComputer has reached out to the developers and asked them to do so.\r\nHistorically, BleepingComputer has seen large-scale ransomware operations fill the void left when another ransomware\r\nshuts down. It would not be surprising to see another operation spring up in the near future, especially when as noted by\r\nGandCrab:\r\n\"We have proven that by doing evil deeds, retribution does not come.\"\r\nhttps://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/\r\nPage 3 of 6\n\nLofty claims of earnings\r\nWhile the operators behind GandCrab most likely made many millions of dollars, the claims of $2 billion in ransom\r\npayments are very likely to be untrue.\r\nThese lofty claims are not surprising, as the developers of GrandCrab have always been jokesters and have engaged security\r\nresearchers in ways most malware developers do not. \r\nUsing taunts, jokes, and references to organizations and researchers in their code, it was obvious that the GandCrab\r\ndevelopers were monitoring us as much as we were monitoring them and got a big kick out of it.\r\nFor example, in their first release of the ransomware, GandCrab decided to use domain names for their Command \u0026 Control\r\nservers that are based on organizations and sites known for ransomware research. For example, you can bleepingcomputer,\r\nnomoreransom, eset, and emsisoft listed below in their initial C2 servers.\r\nbleepingcomputer.bit\r\nnomoreransom.bit\r\nesetnod32.bit\r\nemsisoft.bit\r\ngandcrab.bit\r\nThey also frequently dropped hellos to researchers who analyzed their ransomware.\r\nIt was not all fun and games, though, for the GandCrab operators also had a vindictive streak. After AhnLab released a\r\nvaccine app for GandCrab, the ransomware developers contacted BleepingComputer to tell us that they were releasing a\r\nzero-day for the AhnLab v3 Lite antivirus.\r\nCaption\r\nTheir antics and success didn't go unnoticed by other members of Exploit.in who wished them farewell or were saddened to\r\nsee them leave.\r\nhttps://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/\r\nPage 4 of 6\n\nWhile the GandCrab antics have been amusing at times, they ultimately inflicted a lot of pain and suffering on many people\r\nwho lost their data, work, and potentially even businesses. Their shutdown of operations is a good thing.\r\nhttps://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/\r\nhttps://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/"
	],
	"report_names": [
		"gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion"
	],
	"threat_actors": [],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a862fd419ed61e7b50a5f1e87a33177f3afd2fb5.pdf",
		"text": "https://archive.orkl.eu/a862fd419ed61e7b50a5f1e87a33177f3afd2fb5.txt",
		"img": "https://archive.orkl.eu/a862fd419ed61e7b50a5f1e87a33177f3afd2fb5.jpg"
	}
}