Naked Security

GandCrab ransomware hacker arrested in Belarus

Suspect is alleged to have extorted more than 1000 people, mostly in India, US, Ukraine, UK, Germany, France, Italy and Russia.

Law enforcement in Belarus has announced the arrest of a 31-year-old man who is alleged to have extorted more than 1000 victims with the infamous GandCrab ransomware in 2017 and 2018.
He apparently demanded payments ranging from $400 to $1500 in Bitcoin.
Unlike more targeted attacks where crooks break into networks first and directly infect them with ransomware later, the unnamed suspect is said to have gone after victims by the more traditional route of spamming out booby-trapped emails across the globe.
The Belarus Ministry of Internal Affairs claims that computers that the suspect managed to infect were in more than 100 different countries, notably India, US, Ukraine, UK, Germany, France, Italy and Russia.
The authorities have painted a picture of the suspect as what you might call a “career” cybercriminal – allegedly he did not have a regular job but instead:

  • Used GandCrab malware variants to conduct ransomware attacks.
  • Created and sold malware for buyers on underground forums.
  • Made money out of illicit cryptomining.


GandCrab was what is commonly referred to as RaaS, short for Ransomware as a Service.
The term RaaS is a cynical reference to legitimate abbreviations such as SaaS (software as a service), which refers to software that you access via the cloud rather than installing and managing yourself.
In other words, the suspect arrested in Belarus – assuming that he did commit this crime, of course – wouldn’t have created the GandCrab malware himself, or even collected the cryptocurrency payments from his victims.
Instead, he’d have signed into a cloud-based service on the dark web that would not only generate a unique sample of the malware for him to download but also “process payments” from victims whose files were scrambled by it.
The suspect would therefore essentially have been acting as an intermediary who took the risk of distributing the malware in return for a cut of the takings.
“Fees” or “commissions” charged by RaaS operators have typically been set at 30%, with the crooks brazenly copying the 70/30 split introduced by companies such as Apple and Google in their App Store and Play Store marketplaces.
The operators of the GandCrab online service shut down in 2019 after bragging that their “affiliates” had raked in a mammoth $2 billion via the “service”, meaning hundreds of millions for the master crooks themselves:

For the year of working with us, people have earned more than $2 billion. […] But […] all good things come to an end. We are leaving for a well-deserved retirement. We have proved that by doing evil deeds, retribution does not come.

The smart money, however, was that they folded the GandCrab service simply to start up again in new clothes, because the same crooks are alleged to be behind the REvil (aka Sodinokibi) ransomware that you will have heard about many times in Series 2 of the Naked Security Podcast.
The arrest of an alleged GandCrab ransomware disseminator is therefore not quite as dramatic as the arrest of the crooks who are supposed to have run the cloud service at the heart of it all…
…but it’s a start.

What to do?

Back in 2017, we went on the dark web and “signed up” for a Ransomware as a Service (RaaS) cloud system called Satan and wrote a report on what we found. To see how RaaS works, read this fascinating article now:

For insight into the ransomware situation and advice on how to prevent ransomware attacks in your organisation, please take a look at our State of Ransomware 2020 report:


14 Comments

Belgium? Or Belarus.

Wow! I corrected a typo with the WordPress app (see above – coping -> copying) and it looks as though the app autocorrected it! (You can see from the URL and our earlier tweet that the title was previously correct.) Think I’ll have a word with WordPress about that :-)
Fixed now, thanks for the heads up!

A useful article, Paul. Thank you.
We got a GandCrab attack a few years ago from a bad torrent. Fortunately, we had just bought a new system a week or so previously, and had everything freshly backed up. So, we denied the GandCrab instigator his bounty and simply did a Windows reset. We lost nothing but a few hours, but gained a valuable wake-up call about ransomware, how to deal with it, and importantly, being extra aware of bad dates in the torrent basket!

There are *good* torrents?!!??! (Only kidding!)

Posting for posterity, since Duck likely knows this bit…
I’ve not messed with torrents in a long time (guessing a decade), but some software packages are distributed via BitTorrent (LibreOffice comes to mind), and IIRC there are musicians who encourage the sharing of their material via BT.
Back in the Before Times, Dave Matthews encouraged recording his shows. I saw one in (1999?) where a guy had a recording rig with a telescoping mast, hoisting twin microphones about 15 feet* into the air–presumably after having purchased two seats, because they sat on the one next to him.
I don’t think that’s the case anymore and couldn’t tell you why his outlook has changed. I wouldn’t doubt the record company put their collective corporate foot down.

* Ellen DeGeneres had a stand-up special, saying something to the effect of

Everyone thinks we Americans are too stubborn to use the metric system.
We tried, we’re too stupid, we can’t!
