GandCrab ransomware hacker arrested in Belarus

Law enforcement in Belarus has announced the arrest of a 31-year-old man who is alleged to have extorted more than 1000 victims with the infamous GandCrab ransomware in 2017 and 2018.

He apparently demanded payments ranging from $400 to $1500 in Bitcoin.

Unlike more targeted attacks where crooks break into networks first and directly infect them with ransomware later, the unnamed suspect is said to have gone after victims by the more traditional route of spamming out booby-trapped emails across the globe.

The Belarus Ministry of Interal Affairs claims that computers that the suspect managed to infect were in more than 100 different countries, notably India, US, Ukraine, UK, Germany, France, Italy and Russia.

The authorities have painted a picture of the suspect as what you might call a “career” cybercriminal – allegedly he did not have a regular job but instead:

  • Used GandCrab malware variants to conduct ransomware attacks.
  • Created and sold malware for buyers on underground forums.
  • Made money out of illicit cryptomining.

GandCrab was what is commonly referred to as RaaS, short for Ransomware as a Service.

The term RaaS is a cynical reference to legitimate abbreviations such as Saas (software as a service), which refers to software that you access via the cloud rather than installing and managing yourself.

In other words, the suspect arrested in Belarus – assuming that he did commit this crime, of course – wouldn’t have created the GandCrab malware himself, or even collected the cryptocurrency payments from his victims.

Instead, he’d have signed into a cloud based service on the dark web that would not only generate a unique sample of the malware for him to download but also “process payments” from victims whose files were scrambled by it.

The suspect would therefore essentially have been acting as an intermediary who took the risk of distributing the malware in return for a cut of the takings.

“Fees” or “commissions” charged by RaaS operators have typically been set at 30%, with the crooks brazenly copying the 70/30 split introduced by companies such as Apple and Google in their App Store and Play Store marketplaces

The operators of the GandCrab online service shut down in 2019 after bragging that their “affiliates” had raked in a mammoth $2 billion via the “service”, meaning hundreds of millions for the master crooks themselves:

For the year of working with us, people have earned more than $2 billion. […] But […] all good things come to an end. We are leaving for a well-deserved retirement. We have proved that by doing evil deeds, retribution does not come.

The smart money, however, was that they folded the GandCrab service simply to start up again in new clothes, because the same crooks are alleged to be behind the Revil (aka Sodinokibi) ransomware that you will have heard about many times in Series 2 of the Naked Security Podcast.

The arrest of an alleged GandCrab ransomware disseminator is therefore not quite as dramatic as the arrest of the crooks who are supposed to have run the cloud service at the heart of it all…

…but it’s a start.

What to do?

Back in 2017, we went on the dark web and “signed up” for a Ransomware as a Service (RaaS) cloud system called Satan and wrote a report on what we found. To see how RaaS works, read this fascinating article now:

For insight into the ransomware situation and advice on how to prevent ransomware attacks in your organisation, please take a look at our State of Ransomware 2020 report: