Gandcrab

Threat Actor Profile (updated 13 days ago)
GandCrab is a threat actor known for ransomware attacks. Of Russian origin and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REvil (also known as Sodin and Sodinokibi). It has also been associated with several malware families, including BankBot, Dreambot, Godzilla, Gozi ISFB, Nymaim, Pony Loader, PrivateLoader, and SmokeLoader. GandCrab was notorious for being the first Ransomware-as-a-Service (RaaS) variant to demand payment in Dash cryptocurrency, and it spread primarily through email, exploit kits, and other malware campaigns.

In 2019 the GandCrab gang retired and released a decryption tool that has since helped victims recover their data; the tool is available from sites such as Bitdefender and Bleeping Computer. The wider initiative to combat this threat has since grown to offer 136 free decryption tools covering 165 ransomware variants, including notorious strains like GandCrab, REvil, and Maze. These developments effectively ended GandCrab's reign and brought relief to many victims of its ransomware attacks.

Circumstantial evidence suggests that the same threat actors could be responsible for both REvil and GandCrab: both build URLs using similar methods and share the opcodes of the FOR loop within their string-decoder functions, and on April 17, 2019, REvil was dropped on hosts alongside GandCrab. The threat actor's services also offer an ever-changing reverse-proxy network that has been associated with the Snatch Team data extortion and ransomware group, the defunct GandCrab ransomware, SmokeLoader malware, phishing attacks, and malware distribution. Because the IP addresses keep changing, content served through this network is difficult to block, especially in regions including Asia, Africa, and the Middle East.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): profile description

REvil (7 votes): REvil, a Russia-based group, was a prominent player in the Ransomware as a Service (RaaS) model that gained traction through 2020. The group was notorious for its high-profile attacks on critical infrastructure entities in the US between 2019 and 2021. REvil's modus operandi involved hacking into vi

Dridex (2 votes): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o

Team Truniger (2 votes): Team Truniger, also known as Snatch, is a threat actor group that first emerged in 2018. The group was initially named after the online handle of its founder and organizer, Truniger, who had previously worked as an affiliate of the GandCrab ransomware-as-a-service operation. According to a joint adv

Sodinokibi (2 votes): Sodinokibi, also known as REvil, is a prominent threat actor that has been associated with numerous high-profile ransomware attacks. First identified on April 17, 2019, this group operates as a Ransomware-as-a-Service (RaaS), providing malicious software for others to deploy. The group gained signif
Miscellaneous Associations
Other contextual elements that may help in judging relevance:
Ransomware
Malware
RaaS
Cybercrime
Exploit
Spam
Windows
Extortion
Associated Malware
ID (type, votes): profile description

Vidar (Unspecified, 2 votes): Vidar is a malware variant that first emerged in 2018 as a derivative of the Arkei malware. It is a Windows-based infostealer written in C++, and it has been used extensively by cybercriminals to steal sensitive information from compromised systems. Vidar, like other infostealers such as LummaC2, is

Lockbit (Unspecified, 2 votes): LockBit is a malicious software (malware) that has been implicated in several high-profile cyber attacks. It infiltrates systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Recently, the L

Snatch (Unspecified, 2 votes): Snatch is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or
Associated Threat Actors
ID (type, votes): profile description

GOLD SOUTHFIELD (Unspecified, 2 votes): Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may hav
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Gandcrab threat actor was drawn from the document corpus below (the display is limited to 20 results).
Source (created): title

MITRE (a year ago): REvil Ransomware: The GandCrab Connection
MITRE (a year ago): REvil/Sodinokibi Ransomware
MITRE (a year ago): McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - What The Code Tells Us | McAfee Blog
MITRE (5 months ago): The Evolution of PINCHY SPIDER from GandCrab to REvil | CrowdStrike
Secureworks (a year ago): Ransomware Evolution
CERT-EU (4 months ago): Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (6 months ago): Medical firm reaches $100,000 settlement with HHS over 2017 ransomware attack
InfoSecurity-magazine (a year ago): Russia’s Invasion Sparks Global Wiper Malware Surge
CERT-EU (a year ago): Indigo admits cyber attack was ransomware, employee data accessed | IT World Canada News
MITRE (a year ago): REvil Ransomware-as-a-Service: An analysis of a ransomware affiliate…
Secureworks (a year ago): The Growing Threat from Infostealers
CERT-EU (a year ago): Threat Round up for February 10 to February 17
Krebs on Security (8 months ago): A Closer Look at the Snatch Data Ransom Group
BankInfoSecurity (8 months ago): Feds Warn About Snatch Ransomware
CERT-EU (9 months ago): 200+ Free Ransomware Decryption Tools You Need [2022 List]
CERT-EU (8 months ago): A Closer Look at the Snatch Data Ransom Group – GIXtools
CERT-EU (a year ago): Five Most Common Ransomware Strains
CERT-EU (5 months ago): Healthcare Industry Cybersecurity at the Close of 2023
CERT-EU (9 months ago): CISA publishes plan for remote monitoring tools after nation-state, ransomware exploitation
InfoSecurity-magazine (4 months ago): Why Bulletproof Hosting is Key to Cybercrime-as-a-Service