Gandcrab

Threat Actor updated 7 months ago (2024-05-04T18:18:37.255Z)
GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Of Russian origin and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REvil, also known as Sodin and Sodinokibi. The group has also been associated with several malware samples such as BankBot, Dreambot, Godzilla, Gozi ISFB, Nymaim, Pony Loader, Privateloader, and SmokeLoader.

GandCrab was notorious for being the first Ransomware-as-a-Service (RaaS) variant to demand payments in Dash cryptocurrency, and it spread primarily through emails, exploit kits, and other malware campaigns. In 2019, the GandCrab gang retired and released a decryption tool that has since helped victims recover their data. This tool can be found on sites like Bitdefender and Bleeping Computer. Over time, the initiative to combat this threat has grown, offering 136 free decryption tools for 165 ransomware variants, including notorious strains like GandCrab, REvil, and Maze. These developments have effectively ended the reign of GandCrab, providing relief to many victims of their ransomware attacks.

Circumstantial evidence suggests that the same threat actors could be responsible for both REvil and GandCrab. Both use similar methods to build URLs and share the opcodes for the FOR loop within their string decoder functions. On April 17, 2019, REvil was dropped on hosts in conjunction with GandCrab.

Moreover, the threat actor's services offer an ever-changing reverse proxy network, which has been associated with the Snatch Team data extortion and ransomware group, the defunct GandCrab ransomware, Smokeloader malware, phishing attacks, and malware distribution. The changing IP addresses make it difficult to block the content served, especially in regions including Asia, Africa, and the Middle East.
Description last updated: 2024-05-04T17:20:24.849Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias | Description | Votes |
| --- | --- | --- |
| REvil | REvil is a possible alias for Gandcrab. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th | 7 |
| Dridex | Dridex is a possible alias for Gandcrab. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta | 2 |
| Team Truniger | Team Truniger is a possible alias for Gandcrab. Team Truniger, also known as Snatch, is a threat actor group that first emerged in 2018. The group was initially named after the online handle of its founder and organizer, Truniger, who had previously worked as an affiliate of the GandCrab ransomware-as-a-service operation. According to a joint adv | 2 |
| Sodinokibi | Sodinokibi is a possible alias for Gandcrab. Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
RaaS
Cybercrime
Exploit
Spam
Windows
Extortion
Associated Malware
| Alias | Description | Association Type | Votes |
| --- | --- | --- | --- |
| Vidar | The Vidar Malware is associated with Gandcrab. Vidar is a malicious software (malware) that primarily targets Windows systems, written in C++ and based on the Arkei stealer. It has historically been favored by threat actors who sell logs through marketplaces like 2easy, alongside other infostealers such as Raccoon, RedLine, and AZORult. The malw | Unspecified | 2 |
| Lockbit | The Lockbit Malware is associated with Gandcrab. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit | Unspecified | 2 |
| Snatch | The Snatch Malware is associated with Gandcrab. Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc | Unspecified | 2 |
Associated Threat Actors
| Alias | Description | Association Type | Votes |
| --- | --- | --- | --- |
| GOLD SOUTHFIELD | The GOLD SOUTHFIELD Threat Actor is associated with Gandcrab. Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may hav | Unspecified | 2 |