Skip to content
Naked Security Naked Security

GandCrab ransomware crooks to shut up shop

GandCrab's creators are giving themselves a "well-deserved retirement" after extorting (they say) $2 billion.

The authors of the GandCrab ransomware strain are shutting their ransomware-as-a-service portal, allegedly walking away with a cool $150m.

The announcement appeared on a hacker forum, and cybersecurity researcher ‘Damian’ tweeted the news on 1 June:

GandCrab, which first appeared in January 2018, operated using a ransomware-as-a-service (RaaS) model – meaning the authors aren’t the only people using it (if they use it at all). Instead, they let others launch their own campaigns with it and take a small cut of the profits.

In a message on the hacking forum, the perpetrators explained that their broader community of customers had made far more money:

For all the good things come to an end. For the year of working with us, people have earned more than $2 billion.

They said that the community earned $2.5m per week on average, adding that they personally earned over $150m per year as part of the cybercrime venture.

We successfully cashed this money and legalized it in various spheres of white business both in real life and on the internet.

GandCrab is a slick operation and its logo, modern web interface, vanity Dark Web URL and unusual choice of the Dash cryptocurrency for payments gives it an innovative and professional veneer.

The ransomware is popular with cybercriminals and widely used, appearing in attacks as diverse as “spray and pray” malicious email campaigns and devastating targeted ransomware attacks.

The crooks behind it even showed a bit of PR savvy when they decided to “help” the beleaguered people of Syria by releasing the decryption keys for systems they’d crippled in that country for free.

They didn’t offer to compensate victims in that country for lost income though, or pay for people to do the decryption, despite their professed riches, and their conscience wasn’t pricked by indiscriminate GandCrab attacks on other targets, including hospitals, in other countries.

Signs of a conscience were also noticeably absent from the valedictory post. The malware authors used their sign off to congratulate themselves on a “well-deserved retirement” and to thumb their noses at both white hats and law enforcement agencies:

We have proven that by doing evil deeds, retribution does not come. We proved that in a year you can earn money for a lifetime.

And just in case you’d forgotten this is just a bunch of gangsters extracting money with menaces, they also had a message for victims, and it wasn’t sorry.

Victims – if you buy, now. Then your data no one will recover. Keys will be deleted.

In other words: cough up immediately.


They are boastful pricks and filthy criminals, but not stupid. Their pathetic economical claims have already been debunked, and them closing up shop has more to do with LEA cracking down on the Dark Web. For all their bravado, our crabby Russians must be feeling the wrath of Europol hot on their tails.

Retribution will come for them as well. Fear not.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!