In a press release last week, the Minister of Internal Affairs of Belarus announced the arrest of a 31-year-old man on charges of distributing the GandCrab ransomware.
The man, whose name was not released, was arrested in Gomel, a city in southeastern Belarus near the Russian and Ukrainian borders.
Authorities said the man had no previous convictions prior to his arrest but had signed up on a hacking forum to become an affiliate for the GandCrab ransomware operation.
He allegedly rented access to a web panel where he tweaked settings to obtain a custom build of the GandCrab ransomware, which he then sent out to other internet users as booby-trapped files attached to spam email.
Victims who opened the files would be infected and have their files encrypted, and would need to pay a ransom to obtain a decryption tool and recover them.
Suspect made more than 1,000 victims
Belarusian officials said the suspect infected more than 1,000 computers while a GandCrab affiliate (also known as a "distributor"). From each victim, the suspect demanded around $1,200 paid in Bitcoin, although officials did not say how many paid.
Vladimir Zaitsev, Deputy Head of the High-Tech Crime Department of the Ministry of Internal Affairs, said the suspect infected victims in more than 100 countries, with the most located in India, the US, Ukraine, the UK, Germany, France, Italy, and Russia.
Officials said they received help from law enforcement from the UK and Romania in tracking down and identifying the hacker.
Authorities also said the suspect was unemployed and distributed cryptominers and wrote code for other users on hacking forums.
GandCrab author still at large
The GandCrab ransomware is now defunct. The operation, run as a RaaS (Ransomware-as-a-Service), launched in early 2018, had dozens of affiliates, and shut down in June 2019.
In a post on a hacking forum, the GandCrab team bragged about earning more than $2 billion from their scheme, a claim researchers dismissed as an exaggeration since it could never be substantiated.
Under the hood, the ransomware was not that well put together, and its flaws allowed security researchers to release free decryption utilities on multiple occasions [1, 2, 3, 4]. By June 2019, the service was losing affiliates as distributors moved to other RaaS offerings that provided better tooling and took a smaller cut of their profits.
During its final days, GandCrab affiliates experimented with targeting managed service providers and MySQL servers for more focused intrusions. Today, many security researchers believe the GandCrab authors moved on to create the Sodinokibi (REvil) ransomware.
Belarusian authorities said GandCrab made more than 54,000 victims across the world, including 156 in their country.
The authors of the GandCrab ransomware have not been publicly identified and remain at large.