{
	"id": "da8680d0-d324-4961-b889-96cd490ecd9c",
	"created_at": "2026-04-06T00:12:48.114578Z",
	"updated_at": "2026-04-10T03:33:56.993297Z",
	"deleted_at": null,
	"sha1_hash": "f5c522bd454b267a9ddbd5bb6ef3bb393453a9fb",
	"title": "Behind the scenes of GandCrab’s operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2533203,
	"plain_text": "Behind the scenes of GandCrab’s operation\r\nArchived: 2026-04-05 17:47:34 UTC\r\nAhnLab Security Analysis Team\r\nAhnLab, South Korea\r\nAbstract\r\nThe GandCrab ransomware was active from January 2018 to May 2019. During its active state, numerous variants\r\nwere distributed worldwide, causing much damage.\r\nThis report examines the battle that went on between security vendor AhnLab and the GandCrab ransomware and\r\nincludes details about GandCrab that have been unpublished until now.\r\nIntroduction\r\nThe GandCrab ransomware, which is no longer active, was actively distributed for a little over a year. GandCrab\r\nvariants caused a great deal of damage worldwide, including in South Korea.\r\nThe GandCrab ransomware shares an interesting history with AhnLab. Like many other examples of ransomware,\r\nGandCrab searches for any running or pre-installed anti‑malware program and when it finds one it interferes with\r\nits normal execution and shuts it down. However, when it came to AhnLab, GandCrab went the extra mile,\r\nspecifically targeting the company and its anti-malware program V3 Lite by mentioning it in its code. It even\r\nrevealed a vulnerability in the security program and made attempts to delete it entirely.\r\nTo effectively respond to and protect against GandCrab attacks, the AhnLab Security Analysis Team analysed\r\nGandCrab and all its different versions by thoroughly investigating the distributed code, encryption method,\r\nrestoration method, and the evasive method it used to avoid behaviour-based detection. Each time a new attack\r\nfeature targeting AhnLab and V3 was identified, the company’s product developers promptly addressed it to ensure\r\nmaximum security.\r\nThe interesting conflict between AhnLab and the GandCrab ransomware was widely discussed in the IT security\r\nindustry. 
However, the details that were revealed at the time were only the tip of the iceberg, with more details\r\nbeing kept private for reasons of confidentiality.\r\nAnalysis by timeline\r\nScene #01: The prelude to war (GandCrab v2.x)\r\nOn 8 February 2018 AhnLab reported in a blog post [1] the active distribution of GandCrab ransomware in South\r\nKorea. Shortly afterwards, on 17 April, we released a kill switch to the public [2] after having analysed how the\r\nhttps://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/\r\nPage 1 of 11\n\nransomware worked. The kill switch prevented the encryption of files, thus interfering with GandCrab’s operation.\r\nThis triggered a battle between GandCrab and AhnLab. Three days later, a profanity directed at AhnLab was found\r\nwithin the malware’s mutex name. The GandCrab creator did not stop here but continued to express anger towards\r\nthe company by changing the host address from ‘google.com’ to ‘ahnlab.com’. The host address was used for\r\nC\u0026C server communication and was randomly adjusted to avoid network filters.\r\nFigure 1: Mutex including profanity directed at AhnLab.\r\nThe encryption-blocking method that the kill switch had been based on was patched, and changes were made to\r\nthe internal version of GandCrab v3.0.0. However, we were able to identify a new method of blocking encryption\r\nby utilizing the ransomware’s pop-up message, and we duly published this finding [3].\r\nScene #02: The adversary revealed (GandCrab v4.1.x)\r\nBy July 2018, GandCrab was being distributed by various means including drive-by downloads, email, executable\r\nfiles and fileless malware. There was even a case where a malicious script named ‘ahnlab.txt’ was distributed\r\nduring a fileless attack using PowerShell.\r\nWhile AhnLab was engaged in battle with GandCrab in Southeast Asia, Fortinet was actively analysing and\r\nresponding to GandCrab in real time halfway across the globe. 
On 9 July, Fortinet released a method [4] that\r\nstopped the malware from infecting the system if there existed a file named ‘\u003c8hex-chars\u003e.lock’ (e.g.\r\n‘2078FBF8.lock’) in the user’s Common AppData directory.\r\nBased on the information shared by Fortinet, we were able to confirm that the new method was valid for the latest\r\nversion of the malware, v4.1.1, as well. On 13 July we released an executable file tool to the public [5].\r\nThe GandCrab creator retaliated immediately. A sarcastic text directed at both Fortinet and AhnLab was included\r\nwithin the kill switch of v4.1.2, saying that the ‘.lock’ file wasn’t the only blocking method, following which the\r\nfile generation logic for the ‘.lock’ file was changed. However, we figured out the logic of v4.1.2 as well as v4.1.3\r\nand updated the tool accordingly.\r\nFigure 2: Mention of AhnLab and Fortinet in the kill switch.\r\nWhile the kill switch in v4.1.2 mentioned both AhnLab and Fortinet, a slightly modified internal version of v4.1.2\r\nonly included an ‘ahnlab’ string (see Figure 3). It also included a specific URL which led to a page containing a\r\nprofanity directed at AhnLab in Russian (see Figure 4).\r\nFigure 3: AhnLab string and URL included in a modified version of v4.1.2.\r\nFigure 4: Profanity directed at AhnLab in Russian.\r\nScene #03: GandCrab strikes back\r\nIn August 2018, the creator of GandCrab officially began to strike back. The creator contacted tech site Bleeping\r\nComputer [6] and declared that the upcoming version of the GandCrab ransomware would contain a zero-day for\r\nAhnLab V3 Lite, also sharing a link to the exploit code. 
The creator claimed that this was in retaliation for the kill\r\nswitch having been released by AhnLab and went on to explain that the kill switch would no longer be effective in\r\nfuture versions of GandCrab.\r\nFigure 5: GandCrab creator announces alleged exploit attack of V3 Lite via Bleeping Computer [6].\r\nThen, the internal version of v4.2.1 revealed the attack pattern code for V3 Lite products, stating that it was a 1:1\r\nscore between AhnLab and GandCrab.\r\nFigure 6: GandCrab’s message to AhnLab hidden in GandCrab v4.2.1.\r\nThe alleged attack code that was revealed could trigger a BSOD if V3 Lite was installed in the system, and was\r\nexecuted after encryption. AhnLab released an emergency patch immediately following the exploit.\r\nScene #04: GandCrab’s full-on attack\r\nFrom then, the creator of GandCrab made continuous efforts to uninstall the V3 program through its scripts, with\r\nthe attempts becoming more sophisticated as time went on.\r\nThe first method used by GandCrab to uninstall V3 was by encouraging the user to click. As shown in Figure 7, a\r\npiece of code was included within the distributed script specifically to drop and run a JS file which deletes the V3\r\nservice upon detection.\r\nFigure 7: GandCrab’s distributed script without obfuscation.\r\nThe dropped JS file finds the path to the V3 deletion program and runs the corresponding uninstaller according to\r\nthe user’s Windows version, as shown in Figure 8. Afterwards, it checks for up to 60 seconds whether V3 has been\r\nremoved.\r\nFigure 8: JavaScript that induces deletion of V3.\r\nIf, within that 60-second period, the user clicks the ‘remove’ button (which is shown by the uninstaller), V3 is\r\ndeleted and the system runs the GandCrab ransomware. 
This method requires user interaction, meaning that the\r\ndeletion of the program cannot be done in the background without the user’s knowledge.\r\nThis limitation led the creator of GandCrab to update its code in September 2018, to enable the deletion of the V3\r\nprogram without the user’s knowledge, as shown in Figure 9. The upgraded method allowed the V3 uninstallation\r\nscreen to be hidden from the user’s view while also automating the button-click process to run the GandCrab\r\nransomware.\r\nFigure 9: Main function of the decoded PowerShell.\r\nIn GandCrab v5.0 a new executable, cmd.exe, was added in addition to the original process, Uninst.exe under\r\nPowershell.exe. However, it did not stop here. The structure of the process tree was altered continuously in order\r\nto evade V3’s behaviour-based detection. After 26 September, WMIC.exe was used instead of cmd.exe to uninstall\r\nthe V3 program.\r\nAs AhnLab made continuous updates to its anti-malware program so GandCrab also introduced updates.\r\nGandCrab v5.0.2 was distributed, which incorporated uninstallation using the existing Uninst.exe -Uninstall in\r\naddition to the AhnUn000.tmp -UC method. As shown in Figure 10, this version copied the Uninst.exe file to\r\n%temp%\\AhnUn000.tmp, used WMIC.exe to run the file as the -UC switch, and changed the V3 product deletion\r\nprocessor to runas.exe.\r\nFigure 10: Process structure of uninstalling.\r\nGandCrab v5.0.3 only used AhnUn000.tmp -UC to execute the deletion of the program instead of using\r\nUninst.exe, and in v5.0.4, the main agent for the program deletion had changed to cscript.exe.\r\nAhnLab continued to update its product in response to GandCrab’s weekly script update. 
On 6 November, for\r\ninstance, a CAPTCHA was added to the V3 Lite uninstall program to prevent automated deletion by malware. As a\r\nresult, GandCrab was unable to delete V3, and removed the uninstall function from its distributed script.\r\nScene #05: Endgame, the last battle\r\nWhile the versions of GandCrab distributed before December 2018 attempted to delete V3 in various ways,\r\nGandCrab v5.0.4, discovered in January 2019, focused on terminating V3’s operation instead of uninstalling it.\r\nThe process to disable the V3 service is shown in Figure 11.\r\nFigure 11: Process to disable V3 service.\r\nBefore moving onto the next step, GandCrab checks whether the V3 service is running and uses the sleep function\r\nto wait 15 minutes if it is running. In the first step, an execution file (help22.exe) is dropped to stop the service.\r\nThe dropped file locates V3 Lite and then duplicates Uninst.exe, the V3 uninstall program, to\r\n%UserProfile%help.exe. The duplicated file then executes ASDCli.exe and uses the stop command to stop V3\r\nLite.\r\nAhnLab responded immediately with critical security patches, deleting ASDCli.exe and preventing the stop\r\ncommand from being executed. In addition, the product was upgraded, requiring an additional string (other than\r\n/Uninstall) to remove the product. The long tussle between GandCrab and AhnLab seemed to have settled down.\r\nHowever, the battle was not yet over. GandCrab’s creator continued to taunt AhnLab by adding an insulting text in\r\nGandCrab v5.2. Distributed in February 2019, GandCrab v5.2 incorporated a time-delay technique to disturb\r\ndynamic analysis. This version included the text string ‘AnaLab_sucks’ within the Windows procedure class name\r\nthat enables the SetTimer function. ‘AnaLab’ can be assumed to be a typo. 
Furthermore, the creator of GandCrab\r\nconsistently mentioned ‘V3 Lite’ and ‘AhnLab’ directly within the distributed strings.\r\nFigure 12: AhnLab text string that was used as a class name.\r\nA modified version of GandCrab v5.2, distributed in March 2019, no longer contained the above-mentioned text.\r\nInstead, a text insulting Bitdefender was used as the mutex. However, it was too soon to assume that the battle\r\nbetween AhnLab and GandCrab had ended.\r\nIn April 2019 GandCrab v5.2 added an evasive function to bypass detection by V3 Lite. Unlike the previous\r\nattempts to disable V3 Lite, the new feature injected the malware into AhnLab’s anti-malware update program in\r\norder to perform malicious activities.\r\nThe evasive process used by GandCrab to bypass V3 Lite is shown in Figure 13.\r\nFigure 13: Evasive process used by GandCrab to bypass V3 Lite.\r\nLike the V3 disabling process, the malware first checks if ‘V3 Service’ is running. If the service is running, it uses\r\nthe sleep function to wait for 20 minutes before moving onto the next step. After 20 minutes, it scans for the\r\nAhnLab anti-malware update program, Autoup.exe, then injects the ransomware execution data into the program.\r\nThe injected code is executed, starting the encryption process. AhnLab quickly released a security patch to address\r\nthis process.\r\nAs if to prove the famous quote ‘nothing lasts forever, everything has an end’, what seemed like a never-ending\r\nbattle between GandCrab and AhnLab came to an abrupt end when GandCrab’s creator announced the end of its\r\noperation on 31 May 2019.\r\nGandCrab’s creator has claimed to have earned more than enough through the ransomware operation, as seen in\r\nthe statement shown in Figure 14. 
No new variants have been found since May 2019, and v5.3 remains\r\nGandCrab’s last released version.\r\nFigure 14: Announcement of GandCrab shutdown.\r\nConclusion\r\nThe battle between the GandCrab threat group and AhnLab lasted for 478 days and highlights the importance of\r\ncollaboration between security vendors and organizations in the fight against advanced threats such as this. It is\r\nalso vital for security vendors to continuously monitor threats and be resilient. It may seem as though the\r\nadversaries always have a head start, but advanced attacks cannot prevail if vulnerabilities are promptly addressed\r\nand appropriate updates are made.\r\nAhnLab will continue to monitor security threats in real time via its threat analysis and anti-malware program. In\r\ncontinuous efforts to build a strong alliance with other vendors and organizations, it will provide threat\r\nintelligence through various channels. GandCrab’s operation may have ended, but the cyber battle will never end.\r\nReferences\r\n[1] GandCrab Ransomware Disseminated in Korea (in Korean). AhnLab blog. https://asec.ahnlab.com/1091.\r\n[2] GandCrab v2.1 spread in Fileless mode (in Korean). AhnLab blog. https://asec.ahnlab.com/1130.\r\n[3] GandCrab V2.1 Ransomware (internal version “version = 3.0.0”) (in Korean). AhnLab blog.\r\nhttps://asec.ahnlab.com/1133.\r\n[4] Salvio, J. GandCrab V4.0 Analysis: New Shell, Same Old Menace. Fortinet blog.\r\nhttps://www.fortinet.com/blog/threat-research/gandcrab-v4-0-analysis--new-shell--same-old-menace.html.\r\n[5] GandCrab v4.x encryption blocking method (Kill-Switch) (in Korean). AhnLab blog.\r\nhttps://asec.ahnlab.com/1144.\r\n[6] Cimpanu, C. GandCrab Ransomware Author Bitter After Security Vendor Releases Vaccine App. Bleeping\r\nComputer. 
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-author-bitter-after-security-vendor-releases-vaccine-app/.\r\nSource: https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/"
	],
	"report_names": [
		"behind-scenes-gandcrabs-operation"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5c522bd454b267a9ddbd5bb6ef3bb393453a9fb.pdf",
		"text": "https://archive.orkl.eu/f5c522bd454b267a9ddbd5bb6ef3bb393453a9fb.txt",
		"img": "https://archive.orkl.eu/f5c522bd454b267a9ddbd5bb6ef3bb393453a9fb.jpg"
	}
}