Gandcrab

Threat Actor updated 4 months ago (2024-05-04T18:18:37.255Z)
GandCrab is a threat actor known for ransomware attacks. The group has Russian origins and is said to have evolved from Team Truniger, a former GandCrab affiliate. It has been linked to numerous ransomware variants, including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REvil (also known as Sodin and Sodinokibi), and has also been associated with several malware families, among them BankBot, Dreambot, Godzilla, Gozi ISFB, Nymaim, Pony Loader, Privateloader, and SmokeLoader.

GandCrab was notorious as the first Ransomware-as-a-Service (RaaS) variant to demand payment in Dash cryptocurrency, and it spread primarily through emails, exploit kits, and other malware campaigns. In 2019 the GandCrab gang retired and released a decryption tool that has since helped victims recover their data; the tool can be found on sites such as Bitdefender and Bleeping Computer. Over time, the initiative to combat this threat has grown and now offers 136 free decryption tools for 165 ransomware variants, including notorious strains such as GandCrab, REvil, and Maze. These developments effectively ended GandCrab's reign and brought relief to many victims of its ransomware attacks.

Circumstantial evidence suggests that the same threat actors could be responsible for both REvil and GandCrab. Both build URLs in a similar way and share the same opcodes for the FOR loop inside their string decoder functions, and on April 17, 2019, REvil was dropped on hosts together with GandCrab. In addition, the threat actor's services offer an ever-changing reverse proxy network that has been associated with the Snatch Team data extortion and ransomware group, the defunct GandCrab ransomware, Smokeloader malware, phishing attacks, and malware distribution. Because the IP addresses keep changing, content served through this network is difficult to block, especially in regions such as Asia, Africa, and the Middle East.
Description last updated: 2024-05-04T17:20:24.849Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
REvil | 7 | REvil is a type of malware, specifically ransomware, that has been linked to significant cyber attacks. It emerged as part of the Ransomware as a Service (RaaS) model that gained popularity in 2020. This model established relationships between first-stage malware and subsequent ransomware attacks, s
Dridex | 2 | Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Team Truniger | 2 | Team Truniger, also known as Snatch, is a threat actor group that first emerged in 2018. The group was initially named after the online handle of its founder and organizer, Truniger, who had previously worked as an affiliate of the GandCrab ransomware-as-a-service operation. According to a joint adv
Sodinokibi | 2 | Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
RaaS
Cybercrime
Exploit
Spam
Windows
Extortion
Analyst Notes & Discussion
Associated Malware
ID | Type | Votes | Profile Description
Vidar | Unspecified | 2 | Vidar is a type of malware specifically designed to infiltrate and exploit Windows-based systems. It's written in C++ and is based on the Arkei stealer, which means it has the capability to steal personal information from infected devices. Vidar has been found impersonating legitimate software appli
Lockbit | Unspecified | 2 | LockBit is a prominent malware that has been causing havoc in the cyber world. It is a ransomware, a type of malicious software designed to exploit and damage systems, often infiltrating through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operat
Snatch | Unspecified | 2 | Snatch is a type of malware, specifically a ransomware, that poses significant threats to digital security. This malicious software infiltrates systems typically via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Snatch can cause extensive damage, inc
Associated Threat Actors
ID | Type | Votes | Profile Description
GOLD SOUTHFIELD | Unspecified | 2 | Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may hav
Source Document References
Information about the Gandcrab Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (Created At): Title
InfoSecurity-magazine (8 months ago): Why Bulletproof Hosting is Key to Cybercrime-as-a-Service
CERT-EU (8 months ago): Banco Promerica Data Breach: Facing Dual Ransomware Threats | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (8 months ago): HHS Issues First Settlement for HIPAA Violations Related to a Ransomware Attack | Hall Benefits Law | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): Triple Extortion and Erased Data are the New Ransomware Norm | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU (a year ago): Unmasking Cybercrime-as-a-Service: The Dark Side of Digital Convenience
CERT-EU (9 months ago): Healthcare Industry Cybersecurity at the Close of 2023
MITRE (9 months ago): The Evolution of PINCHY SPIDER from GandCrab to REvil | CrowdStrike
CERT-EU (10 months ago): New Phobos ransomware variant implicates VX-Underground
CERT-EU (10 months ago): LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed
CERT-EU (10 months ago): BA Depicted by OCR as Example of Ransomware Dangers Recovered Quickly, Didn’t Expect Fine
CERT-EU (10 months ago): HHS Settles with Doctors’ Management Services Over Ransomware Attack
CERT-EU (10 months ago): Medical firm reaches $100,000 settlement with HHS over 2017 ransomware attack
CERT-EU (10 months ago): Telehealth & Telecare Aware
BankInfoSecurity (10 months ago): Feds Levy First-Ever HIPAA Fine for Ransomware Data Breach
CERT-EU (a year ago): #StopRansomware: Snatch Ransomware | CISA
CERT-EU (a year ago): 200+ Free Ransomware Decryption Tools You Need [2022 List]
CERT-EU (a year ago): How the US Government is Fighting Back Against Ransomware | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU (2 years ago): 6 Best Ransomware Recovery Services for 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security Consulting
CERT-EU (a year ago): 8Base Ransomware Group Emerges as Major Threat