# GandCrab ransomware operator arrested in Belarus

**[bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/](https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/)**

By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/)

July 31, 2020 06:13 PM

An affiliate of the GandCrab ransomware-as-a-service (RaaS) operation has been arrested, according to an official release. Authorities were able to identify the individual in cooperation with law enforcement in Romania and the U.K.

The cybercriminal’s identity has not been published, but Office “K” of the Ministry of Internal Affairs in Belarus says that he is a 31-year-old living in Gomel, a city in southeastern Belarus.

## Encrypted computers in nearly 100 countries

The arrested GandCrab member was an affiliate, or 'Advert', for the organization and was responsible for distributing the ransomware to victims.

"It was established that a 31-year-old resident of Gomel who had no previous convictions infected more than a thousand computers. For decrypting each of them, he demanded an amount equivalent to 1.2 thousand US dollars. Access to the admin panel for managing the ransomware botnet was carried out via the darknet, which allowed the attacker to remain anonymous for a long time," said Vladimir Zaitsev, Deputy Head of the High-Tech Crimes Department of the Ministry of Internal Affairs.

"Part of the profit was transferred to the administrators (operators) of the server he leased.
The victims of the hacker were users from almost a hundred countries, and the largest number of victims were in India, the USA, Ukraine, Great Britain, Germany, France, Italy and Russia," Zaitsev [added](https://mvd.gov.by/ru/news/7309).

It is unclear how much money the criminal made from this operation, but he shared part of the paid ransoms with the GandCrab administrator(s), who kept a server hidden in the darknet, allowing affiliates to remain hidden.

As part of their role of infecting victims, GandCrab affiliates would earn 60% of the first three ransom payments they were responsible for. After the third payment, their revenue share would jump to 70%.

This means that if the arrested affiliate was demanding $1,200 as a ransom payment, at the 70% rate they would earn $840 per victim and the GandCrab developers would earn $360. Larger affiliates who demanded millions of dollars would stand to make far greater amounts.

[GandCrab shut down their operation on June 1st, 2019, after claiming to have generated](https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-2-billion/) more than $2 billion in ransom payments and personally earning $150 million.

[After GandCrab was shut down, the FBI released the master decryption keys for the](https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliates-continue-to-push-decryptable-versions/) [ransomware and BitDefender released a decryptor that allowed victims to recover their files](https://www.bleepingcomputer.com/news/security/release-of-gandcrab-52-decryptor-ends-a-bad-ransomware-story/) for free.

It is not known how law enforcement obtained these keys, but it could have been through a seizure of one of the Tor payment servers.

After GandCrab shut down, another ransomware variant called REvil, or Sodinokibi, was created to fill the void left behind.
[It has been reported that there are code similarities and](https://www.bleepingcomputer.com/news/security/shared-code-links-sodinokibi-to-gandcrab-minus-the-fun-and-games/) [ties between the operators/affiliates](https://www.bleepingcomputer.com/news/security/gandcrab-raas-was-a-training-ground-for-malware-distributors/) of REvil ransomware and GandCrab.

## Comments

[Amigo-A - 1 year ago](https://www.bleepingcomputer.com/forums/u/998576/amigo-a/)

This is just a drop in the bucket. According to my data, here is a small ranking of countries whose citizens and migrants pose as Russian hackers:

- 1st place: Ukraine, almost the entire center of the country, including, to a lesser extent, Donetsk.
- 2nd place: Romania, where the work of extortion firms is put on the conveyor belt. Romanian firms that earn money from extortion are expanding at the expense of Moldovan citizens who speak Russian.
- 3rd place: Israel, Turkey, Iran, Azerbaijan, Poland, Hungary, Bulgaria, China, Korea, Thailand.
- 4th place: USA, Canada, UK, Netherlands and neighboring countries.
- 5th place: Greece, Italy, Kazakhstan, Belarus, the Baltic countries, Finland, Sweden.

As you can see, Belarus is only in 5th place in this list.

[R-K - 1 year ago](https://www.bleepingcomputer.com/forums/u/1137491/r-k/)

Operators should be interrogated more about where the ransomware creators are.