Skip to main content

Operator dossier

gandcrab is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 1 public victims claimed by this operator between September 9, 2018. GandCrab was a prolific ransomware-as-a-service (RaaS) operation that emerged in January 2018 and became one of the most widespread ransomware families before its operators announced retirement in May 2019, claiming to have earned over $2 billion in ransom payments. The group operated primarily for financial gain, recruiting affiliates through underground forums to distribute their ransomware in exchange for a percentage of ransom payments. GandCrab was believed to be operated by Russian-speaking cybercriminals, with the group explicitly avoiding targeting systems in Russia and former Soviet states, and operated as a sophisticated RaaS model providing affiliates with customized ransomware builds, payment portals, and technical support. The ransomware typically gained initial access through exploit kits, phishing campaigns, and remote desktop protocol attacks, employed strong encryption algorithms, and evolved to include data exfiltration capabilities in later versions, threatening to publish stolen data if ransom demands were not met. During its active period, GandCrab infected hundreds of thousands of systems worldwide across multiple sectors including healthcare, government, and education, with notable campaigns targeting managed service providers to achieve widespread lateral movement, though the group faced multiple law enforcement disruptions including a collaboration between Romanian police, Europol, and security researchers that resulted in the release of decryption tools for earlier variants. The GandCrab operators officially announced their retirement in May 2019, claiming financial success, though security researchers have identified potential connections between former GandCrab affiliates and subsequent ransomware operations including REvil/Sodinokibi.

Most-targeted sectors

Most-affected countries

Recent disclosures by gandcrab

All 1 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for gandcrab

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

gandcrab

1 victims indexed · first seen 8 years ago · last activity 8 years ago

1
Victims indexed
#318 of 364 tracked operators
<1m
Active period
Sep 2018 → Sep 2018
1
Countries hit
top US · 1

At a glance

Status
inactive
First seen
8 years ago
Last activity
8 years ago
Primary sector
Education Facilities · 1 hits

About

GandCrab was a prolific ransomware-as-a-service (RaaS) operation that emerged in January 2018 and became one of the most widespread ransomware families before its operators announced retirement in May 2019, claiming to have earned over $2 billion in ransom payments. The group operated primarily for financial gain, recruiting affiliates through underground forums to distribute their ransomware in exchange for a percentage of ransom payments. GandCrab was believed to be operated by Russian-speaking cybercriminals, with the group explicitly avoiding targeting systems in Russia and former Soviet states, and operated as a sophisticated RaaS model providing affiliates with customized ransomware builds, payment portals, and technical support. The ransomware typically gained initial access through exploit kits, phishing campaigns, and remote desktop protocol attacks, employed strong encryption algorithms, and evolved to include data exfiltration capabilities in later versions, threatening to publish stolen data if ransom demands were not met. During its active period, GandCrab infected hundreds of thousands of systems worldwide across multiple sectors including healthcare, government, and education, with notable campaigns targeting managed service providers to achieve widespread lateral movement, though the group faced multiple law enforcement disruptions including a collaboration between Romanian police, Europol, and security researchers that resulted in the release of decryption tools for earlier variants. The GandCrab operators officially announced their retirement in May 2019, claiming financial success, though security researchers have identified potential connections between former GandCrab affiliates and subsequent ransomware operations including REvil/Sodinokibi.

References

12 links

External sources curated by the MISP threat-intel community.

Timeline

1 months
2018-09-01T00:00:00+00:00 · 1
2018-09-01T00:00:00+00:002018-09-01T00:00:00+00:00

Top countries

🇺🇸 United States
1

Top sectors

Education Facilities
1

MITRE ATT&CK

4 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

Recent victims

Loading…

Source

Updated 8 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time gandcrab posts a victim.

Add gandcrab to your watchlist — Pro pings you within 5 minutes of any new gandcrab leak-site post, Telegram callout, or affiliate-rebrand inference.