Cybercrime , Fraud Management & Cybercrime , Malware as-a-Service

Alleged GandCrab Distributor Arrested in Belarus

Authorities Allege He Also Distributed Cryptocurrency Mining Malware
Alleged GandCrab Distributor Arrested in Belarus
Cybercriminals could rent GandCrab V5 ransomware.

A 31-year-old man who allegedly distributed versions of the GandCrab ransomware has been arrested in Belarus for possession and distribution of malware, according to the country's Ministry of Internal Affairs.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

On July 30, government officials in Belarus announced that the unnamed suspect, who lives in the city of Gomel, was arrested by police in cooperation with the authorities from the U.K. and Romania. GandCrab ransomware was pulled from distribution by its creators in 2019 (see: Did GandCrab Gang Fake Its Ransomware Retirement?).

Officials in Belarus note that the suspect also appears to have also been distributing cryptominers and programming malicious codes for illegal forums. The suspect apparently obtained a strain of the Gancrab ransomware by joining a darknet forum and then learned how to operate as a GandCrab affiliate, according to the Ministry of Internal Affairs. The creator of the GandCrab malware offered it to others using a ransomware-as-a-service model.

Once the suspect obtained the malware, he sent malicious PDF files through spam emails to victims to infect their system, authorities allege. The suspect charged a fee of about $1,200 in cryptocurrency to decrypt each of the infected systems, the ministry says. The suspect leased servers to conduct his operation and used the ransomware profits to pay for the facilities, it alleges.

The hacker allegedly targeted victims in more than 100 countries, including the U.S., U.K. India, Germany, France, Italy and Russia, says Vladimir Zaitsev, the deputy head of the high-tech crimes department of the Ministry of Internal Affairs.

GandCrab RaaS

GandCrab, which was discovered in January 2018, opened up a new avenue for criminals interested in launching ransomware attacks. The ransomware-as-a-service offering made it easier for those who lack the skills or resources of more experienced hackers to obtain and use malware (see: Ransomware School: The Rise of GandCrab Disciples).

GandCrab had been one of the most notorious RaaS offerings since it was first spotted targeting South Korean companies. Security experts say the ransomware's affiliates could sign up to use GandCrab under terms and conditions that included the GandCrab gang getting a 40% cut of all ransoms paid by victims, according to previous reports.

GandCrab also served as a launching pad for other ransomware attacks. The ransomware collectives "jsworm" and affiliate "PenLat" later launched the JSworm and Nemty ransomware strains, the New York-based cyber intelligence firm Advanced Intelligence told Information Security Media Group.

The hacking collective known as "truniger" - aka "TeamSnatch" - appeared to learn the RaaS ropes with GandCrab before moving on to take down bigger prey, according to security researchers.

The operators behind GandCrab made an unexpected public announcement in May 2019, saying they would "retire" and claiming that their affiliates had earned more than $2 billion in illegal gains over that two-year span. Once GandCrab left the scene, Sodinokibi became the dominant RaaS player (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.