GandCrab developers call it quits: claim earnings of $2bn

GandCrab developers call it quits: claim earnings of $2bn snapshot

Cybercriminals behind GandCrab ransomware are shutting down all RaaS operations by the end of the month

Pinchy Spider, the cybercriminal group behind GandCrab ransomware, announced about its operation closure on May 31st. According to the forum post that emerged on the underground forums, they plan to stop the distribution of the notorious malware by the end of June and urge all the affiliates to do the same within 20 days of the announcement.

The crooks behind malware claim the “well deserved retirement” comes with $150 million personal profits, while the entire operation managed to earn the group as well as its partners over $2 billion. According to cybercriminals, the obtained money was invested in legal businesses:

We successfully cashed this money and legalized it in various spheres of white business both in real life and on the Internet

The post itself provides many hints that these guys are proud of their accomplishments, as they explained – “We have proved that by doing evil deeds, retribution does not come.”

While catching malware developers is quite difficult, multiple operations were shut down in the past (for example, the notorious Mirai botnet) by FBI and other law enforcement bodies.

Claims of $2 billion profits are a too far fetched

GandCrab developers were extremely observant during their operation period, and were actively communicating and following security researchers. They were often taunting experts and organizations that were involved in GandCrab’s research. For example, dropping a pop-up windows that greeted them by their names, or using official names of cybersecurity firms for their Command & Control servers, including:

  • emsisoft.bit
  • esetnod32.bit
  • bleepingcomputer.bit
  • nomoreransom.bit
  • etc.

These actions are considered quite unique, as most of the malware operators are usually staying away from security researchers for obvious reasons.

Therefore, it would not be surprising that claims of $2 billion are also a bit over the top. While it is true that some victims were willing to pay the ransom, there was no way developers, and the affiliates managed to stack up so much, as only a small fraction of users are willing to risk their money in addition to their files.

The promise to delete decryption keys might also be only a last-minute money grab

In their forum post, GandCrab authors also urged current victims to hurry and pay for the decryptor, as all the keys will be destroyed, making data recovery impossible.

However, security experts believe that the announcement was made with the hopes of making users panic and pay the ransom – something that is seen as a last resort to receive more profits.

Nevertheless, multiple previous ransomware family authors released the keys for free after shutting down their operations for good. Therefore, it might be possible that Pinchy Spider will do the same, seeing how they also released keys for victims in Syria, where war and misery dominate.

The demise of the malware string may also lie in the fact that it was in decline for a while now, fewer infections were spotted in the wild, and barely few news articles emerged in the past couple of months.

While many members of the underground hacking forums claimed they were sad the GandCrab virus is leaving the cybercriminal scene, it is definitely good news not only for security experts but also regular users, as the infections should significantly subside, and eventually disappear altogether.

GandCrab RaaS – one of the most prominent malware families of 2018 and 2019

GandCrab was first released in January 28th,  when first samples emerged in the wild and most major ransomware families were shut down – Spora or TeslaCrypt.

GandCrab operated a Ransomware-as-a-Service (RaaS) scheme, which means that every crook could pay for the access to malware’s code and then distribute it to victims by using exploit kits, spam emails, web injects, brute-forcing and other methods. Once profits from Bitcoin payments emerged, the Pinchy Spider obtained some portion of the money, while the rest went to the distributor.

Throughout its livelihood, the threat actors released five major versions, with multiple sub-variants (especially when it came to GandCrab 5). The malware employed Fallout, Rig, and Grandsoft exploit kits, as well as made use of malvertising campaigns.

Initially, GandCrab targeted any type of users, and it did not matter if it was a company’s or a personal computer. Later on, Pinchy Spider announced that they are looking for people who are experienced in Remote Desktop and corporate network hacking – they went “Big Game Hunting,” targeting large organizations worldwide and asking for larger ransoms.

Despite all the innovations, cybersecurity researchers were battling the malware from its release throughout its existence. Bitdefender released three decryptors that allowed users to recover their data for free, and today, only versions 5.2 and 5.3 are not decryptable.