Gandcrab

Threat Actor updated 7 months ago (2024-05-04T18:18:37.255Z)

Download STIX

Preview STIX

GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REvil, also known as Sodin and Sodinokibi. The group has also been associated with several malware samples such as BankBot, Dreambot, Godzilla, Gozi ISFB, Nymaim, Pony Loader, Privateloader, and SmokeLoader. GandCrab was notorious for being the first Ransomware-as-a-Service (RaaS) variant to demand payments in Dash cryptocurrency and spread primarily through emails, exploit kits, and other malware campaigns. In 2019, the GandCrab gang retired and released a decryption tool that has since helped victims recover their data. This tool can be found on sites like Bitdefender and Bleeping Computer. Over time, the initiative to combat this threat has grown, offering 136 free decryption tools for 165 ransomware variants, including notorious strains like GandCrab, REvil, and Maze. These developments have effectively ended the reign of GandCrab, providing relief to many victims of their ransomware attacks. Circumstantial evidence suggests that the same threat actors could be responsible for both REvil and GandCrab. Both use similar methods to build URLs and share opcodes for FOR-loop within their string decoder functions. On April 17, 2019, REvil was dropped on hosts in conjunction with GandCrab. Moreover, the threat actor's services offer an ever-changing reverse proxy network, which has been associated with the Snatch Team data extortion and ransomware group, the defunct GandCrab ransomware, Smokeloader malware, phishing attacks, and malware distribution. This makes it difficult to block content served due to changing IP addresses, especially in regions including Asia, Africa, and the Middle East.

Description last updated: 2024-05-04T17:20:24.849Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
REvil is a possible alias for Gandcrab. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th	7
Dridex is a possible alias for Gandcrab. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta	2
Team Truniger is a possible alias for Gandcrab. Team Truniger, also known as Snatch, is a threat actor group that first emerged in 2018. The group was initially named after the online handle of its founder and organizer, Truniger, who had previously worked as an affiliate of the GandCrab ransomware-as-a-service operation. According to a joint adv	2
Sodinokibi is a possible alias for Gandcrab. Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Malware

RaaS

Cybercrime

Exploit

Spam

Windows

Extortion

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Vidar Malware is associated with Gandcrab. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw	Unspecified	2
The Lockbit Malware is associated with Gandcrab. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	2
The Snatch Malware is associated with Gandcrab. Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The GOLD SOUTHFIELD Threat Actor is associated with Gandcrab. Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may hav	Unspecified	2

Source Document References

Information about the Gandcrab Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	10 months ago	Why Bulletproof Hosting is Key to Cybercrime-as-a-Service
CERT-EU	10 months ago	Banco Promerica Data Breach: Facing Dual Ransomware Threats \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	10 months ago	Examples of Past and Current Attacks \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	10 months ago	HHS Issues First Settlement for HIPAA Violations Related to a Ransomware Attack \| Hall Benefits Law \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	2 years ago	Triple Extortion and Erased Data are the New Ransomware Norm \| #ransomware \| #cybercrime – National Cyber Security Consulting
CERT-EU	2 years ago	Unmasking Cybercrime-as-a-Service: The Dark Side of Digital Convenience
CERT-EU	a year ago	Healthcare Industry Cybersecurity at the Close of 2023
MITRE	a year ago	The Evolution of PINCHY SPIDER from GandCrab to REvil \| CrowdStrike
CERT-EU	a year ago	New Phobos ransomware variant implicates VX-Underground
CERT-EU	a year ago	LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed
CERT-EU	a year ago	BA Depicted by OCR as Example of Ransomware Dangers Recovered Quickly, Didn’t Expect Fine
CERT-EU	a year ago	HHS Settles with Doctors’ Management Services Over Ransomware Attack
CERT-EU	a year ago	Medical firm reaches $100,000 settlement with HHS over 2017 ransomware attack
CERT-EU	a year ago	Telehealth & Telecare Aware
BankInfoSecurity	a year ago	Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach
CERT-EU	a year ago	#StopRansomware: Snatch Ransomware \| CISA
CERT-EU	a year ago	200+ Free Ransomware Decryption Tools You Need [2022 List]
CERT-EU	2 years ago	How the US Government is Fighting Back Against Ransomware \| #ransomware \| #cybercrime – National Cyber Security Consulting
CERT-EU	2 years ago	6 Best Ransomware Recovery Services for 2023 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware - National Cyber Security Consulting
CERT-EU	a year ago	8Base Ransomware Group Emerges as Major Threat