GandCrab, the “Ransomware-as-a-Service” operation, is shutting down after a year of operation. This black market service produced $2 billion worth of ransom payments for the customers who purchased it and infected their chosen victims with a customized build of GandCrab. Ransomware-as-a-Service is a new profit model: the original ransomware author does not infect victims directly but instead supplies a customized malware build, together with all the necessary infrastructure, to the customer, who is then responsible for propagating the malware. The customer has full control over how the ransomware is presented to victims, including its name, logo, and identifying marks.

GandCrab has formally confirmed that the shutdown will proceed as first announced back in April 2019 by two security researchers, David and Damian Montenegro. The operation, billed as the world’s first ransomware for hire, started in January 2018, with black market criminals patronizing the service in droves. “We are leaving for a well-deserved retirement. We have proven that by doing evil deeds, retribution does not come. We proved in a year you can earn money for a lifetime. We have proved that it is possible to become number one not in our own words, but in recognition of other people,” explained the unnamed GandCrab authors.

As a software-as-a-service business model, GandCrab was able, over more than a year, to build a large team of affiliates who “resell” the ransomware, and an effective distribution channel anchored in the hacking black market forum Exploit.in. All in all, the service generated $2.5 million in weekly income from ransom payments, netting the GandCrab authors a personal revenue of $150 million, which they claim will be their “retirement fund” for life. They hinted that the money will be used for legitimate businesses they plan to start immediately after the service is shut down. The team indicated that their money laundering efforts succeeded in making the money appear to come from a legitimate, lawful source.

“We have become a nominal name in the field of the underground in the direction of crypto-fiber. Earnings with us per week averaged $2,500,000. We successfully cashed this money and legalized it in various spheres of white business both in real life and on the Internet. We were glad to work with you. But, as it is written above, all good things come to an end,” added the unnamed authors.

The authors laid out their entire plan for shutting down GandCrab, quoted directly from their farewell message:

  1. Stop the set of adverts.
  2. We ask the adverts to suspend the flows.
  3. Within 20 days from the date, we ask adverts to monetize their bots by any means.
  4. Victims – if you buy now. Then your data can no longer be recovered. Keys will be deleted.

During their investigation, the Montenegros discovered the following domain names, which the GandCrab authors used as their command and control servers:

  • bleepingcomputer.bit
  • nomoreransom.bit
  • esetnod32.bit
  • emsisoft.bit
  • gandcrab.bit
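All five of those hosts sit under the .bit top-level domain, which is served by Namecoin rather than ordinary ICANN DNS, so a workstation even asking for one is a signal worth triaging. The script below is an added example, not part of the original article: it scans constructed DNS query log lines (the "timestamp client query name" layout is an assumed format, not any real resolver's syntax), matches the listed GandCrab domains, and separately flags any other .bit lookup.

```python
import re
from typing import Dict, List

# Domains quoted in the article as GandCrab command-and-control hosts.
GANDCRAB_C2 = {
    "bleepingcomputer.bit",
    "nomoreransom.bit",
    "esetnod32.bit",
    "emsisoft.bit",
    "gandcrab.bit",
}

# Constructed sample log in an assumed "timestamp client query name" layout.
SAMPLE_DNS_LOG = """\
2019-06-01T10:00:01Z 10.0.0.12 query www.example.com
2019-06-01T10:00:02Z 10.0.0.12 query bleepingcomputer.bit
2019-06-01T10:00:03Z 10.0.0.25 query update.microsoft.com
2019-06-01T10:00:04Z 10.0.0.25 query somethingelse.bit
2019-06-01T10:00:05Z 10.0.0.12 query GANDCRAB.BIT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def classify_query(name: str) -> str:
    """Return 'known_c2', 'bit_tld', or 'ok' for one queried name."""
    host = name.lower().rstrip(".")  # normalise case and trailing dot
    if host in GANDCRAB_C2:
        return "known_c2"
    # .bit is not resolvable through normal DNS; a host asking for it is
    # using an alternate resolver, which merits a look on its own.
    if host.endswith(".bit"):
        return "bit_tld"
    return "ok"


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious query: time, client, name, verdict."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, name = m.groups()
        verdict = classify_query(name)
        if verdict != "ok":
            findings.append({"time": ts, "client": client,
                             "name": name.lower(), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f['time']} {f['client']} {f['name']} -> {f['verdict']}")
```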
