GandCrab Operator Arrested in Belarus

An affiliate operator of the GandCrab ransomware, known for its Ransomware-as-a-Service (RaaS) model, has been arrested in Belarus. Working with law enforcement in Romania and the UK, authorities in Belarus identified and arrested a 31-year-old man whose name has not been released. The suspect was responsible for infecting over a thousand computers in almost one hundred countries and holding each one for ransom. The extortion demand was approximately $1,200 USD per victim; the total profit made by this one distributor is not known. The operator used a hacking forum to acquire the GandCrab ransomware, made his own tweaks to it, and then sent it out to victims via email. GandCrab affiliates such as the arrested party, who distributed the ransomware on the authors' behalf, received 60% of the profit on their first three infections and 70% from the rest. GandCrab shut down its operations on June 1st, 2019, and the author of the ransomware has not been identified by law enforcement.

Analyst Notes

Like any ransomware, the main goal of the operators was to make money. Defenders should follow best practices such as having Endpoint Detection and Response (EDR) in place with constant monitoring by security analysts to defend against ransomware and other attacks. New forms of ransomware are constantly being created—when one ceases operation, others are created to fill the void. Ransomware is such a lucrative criminal scheme that threat actors will not stop unless they face serious consequences such as prosecution and incarceration. In almost every ransomware case, international cooperation is necessary to identify and prosecute the people responsible. The FBI has released master decryption keys for the GandCrab ransomware, allowing victims to decrypt data without paying the criminals. In this case, GandCrab was replaced almost immediately by REvil (Sodinokibi); ties between the two groups' operators and code similarities between the two families have been reported, but nothing has been confirmed.

More information can be read here: https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/