{
	"id": "4aed0ea4-fc96-4bf7-9ce7-af560e715f61",
	"created_at": "2026-04-06T01:31:11.817441Z",
	"updated_at": "2026-04-10T03:20:51.249297Z",
	"deleted_at": null,
	"sha1_hash": "d1a75aa1b8a394f19b226543c3d3cba4d791b9a6",
	"title": "GandCrab Threat Actors Retire...Maybe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1587302,
	"plain_text": "GandCrab Threat Actors Retire...Maybe\r\nBy Joie Salvio\r\nPublished: 2019-06-24 · Archived: 2026-04-06 01:16:35 UTC\r\nIn a surprising announcement two weeks ago, the threat group behind the malware operation GandCrab announced that they had shut down their operations. Until that point, GandCrab had been one of the most active malware campaigns of the past year, both in terms of distribution and rapid development. FortiGuard Labs has covered their progress in a series of articles, as well as in a presentation at AVAR2018.\r\nIn an announcement as novel and cavalier as the threat actors themselves – reflecting their public persona since they first surfaced – they have now made a grand exit by thanking their affiliates and detailing their earnings. They claim that their Ransomware-as-a-Service (RaaS) operation had a total of $2 billion in earnings. In a pay scheme of 60%-40% (70%-30% in some cases), giving the larger percentage of the payments to their affiliates, they claim that they personally earned $150 million from their operations.\r\nFigure 1: GandCrab announces retirement (image from twitter: @CryptoInsane)\r\nArrival on the Ransomware Scene\r\nGandCrab first appeared on exploit.in, a Russian hacking forum, on January 28, 2018, at a time when file-encrypting malware distribution was seemingly declining. Despite this, GandCrab was able to make a significant impact, infecting more than 50,000 victims in just their first month of operation.\r\nThey were also notable at the time because they were the first criminal organization to only accept DASH cryptocurrency as ransom payment, although they later decided to accept other cryptocurrencies. They also hosted their C2s using the .BIT TLD via a centralized DNS server (a.dnspod.com), which nominally claimed to mirror the namespace of Namecoin. While .BIT is commonly associated with the Namecoin organization for their decentralized DNS project, GandCrab’s association with Namecoin was later debunked by the organization.\r\nhttps://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html\r\nPage 1 of 6\r\nFigure 2: GandCrab’s advertisement post in the Russian forum exploit.in (image from twitter: @CryptoInsane)\r\nAggressive Distribution\r\nGandCrab’s aggressive distribution network was built through its affiliate program and partnerships with other services, such as the binary crypter NTCrypt, along with other actors with expertise in distribution through RDP and VNC. At first, they only targeted western countries, primarily in Latin America. Later, they expanded to partnering with malware distributors in China and South Korea, with our detection of a spam campaign delivering a GandCrab payload targeting South Korea as recently as last April.\r\nAn Unusual But Probably Effective Marketing Tactic\r\nDue to the rapid development of GandCrab, FortiGuard Labs as well as other security researchers have been actively monitoring changes between releases. In addition to new features, these have also included public stunts through novelty messages that the threat actors embedded in their binaries as a way to taunt researchers and security organizations. This approach created noise, which arguably made them one of the most covered and talked-about ransomware families of the past year. This unusual strategy demonstrated an almost unprecedented level of criminal bravado, and even a sense of invincibility, since they were able to release public announcements that messed with the security community without any repercussions.\r\nFigure 3: Messages embedded by threat actors to taunt researchers and organizations\r\nIn another unusual marketing tactic, GandCrab actors also used reports from security companies to promote the success of their service, while mocking their adversaries.\r\nFigure 4: GandCrab advertisement using reports from security companies as their signature\r\nAgile Development\r\nPart of GandCrab’s success was due to their use of an agile development approach that enabled rapid releases of new versions. This was best described in our article on the development of GandCrab v4.x. A detailed discussion of the full timeline of GandCrab development can also be found in our AVAR2018 presentation, GandCrab Mentality.\r\nFigure 5: GandCrab v4.0-v4.4 timeline\r\nBugs, Breaches, and GandCrab’s Demise\r\nUsing this agile development approach enabled them to successfully evade detection by many security companies. A good example of this is when Ahnlab released a vaccine tool to prevent the malware from executing on a system by creating a file that the malware checked before performing its encryption routine. This started a tit-for-tat between the two, which even led to the threat actors disclosing a Denial-of-Service (DoS) proof of concept against one of Ahnlab’s products. This was also discussed in our article on the GandCrab v4.x timeline.\r\nHowever, GandCrab was no exception to the drawbacks of a fast-paced development approach, as bugs and loopholes began to be discovered in distributed versions. For instance, in the very early versions of the malware they used hardcoded RC4 keys to encrypt their outbound traffic, which also contained the private keys that would have enabled the decryption of the victim’s ransomed files. Another simple but serious slip-up was when they failed to set a flag when generating their RSA keys. This led to a copy of the private key being stored locally on the victim’s system. We also discussed a bug that we found when they first added the feature that changed the wallpaper of their victims. However, they quickly fixed these mistakes in the next release.\r\nBut perhaps their biggest mishap – one that we believe led to their eventual demise – was the breaches of their server-side infrastructure, which led to leaks of the private keys of victims. A month after their operation began, BitDefender, in collaboration with Europol, released a free decryption tool for victims of GandCrab v1. At the time, there was very limited information as to how they were able to do this – at least until the ransomware perpetrators themselves announced that their payment page had been compromised, which we suspect led to the creation of the decryption tool.\r\nFigure 6: GandCrab posts about the breach to their payment page\r\nWe believe that similar breaches eventually led to the subsequent release of decryption tools for files encrypted by newer versions of the malware. In fact, just two weeks after GandCrab’s retirement announcement, BitDefender released a new version of a decryption tool that supports the latest (v5.2) version of the malware.\r\nSolution\r\nFortiGuard customers are protected by the following:\r\nLatest versions of GandCrab are detected by our specific and heuristic detections\r\nFortiSandbox rates GandCrab’s behavior as high risk\r\nConclusion\r\nGandCrab was a Ransomware-as-a-Service malware managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\nHowever, through a recent forum post, the GandCrab team has now publicly announced the end of a little more than a year of ransomware operations, citing staggering profit figures. Considering how witty and novel this threat group has been throughout the course of their campaign, it wouldn’t be a surprise if this retirement announcement was just another of their many public stunts. If there’s one thing that sets these threat actors apart from other groups, it is that they are unpredictable, so there is always the possibility that they might resurface in one form or another. In the meantime, FortiGuard Labs will continue to monitor for any new activities from this group.\r\n-= FortiGuard Lion Team =-\r\nLearn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.\r\nRead about the FortiGuard Security Rating Service, which provides security audits and best practices.\r\nSource: https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html"
	],
	"report_names": [
		"gandcrab-threat-actors-retire.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439071,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1a75aa1b8a394f19b226543c3d3cba4d791b9a6.pdf",
		"text": "https://archive.orkl.eu/d1a75aa1b8a394f19b226543c3d3cba4d791b9a6.txt",
		"img": "https://archive.orkl.eu/d1a75aa1b8a394f19b226543c3d3cba4d791b9a6.jpg"
	}
}