SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gandcrab (Back to overview)

Gandcrab

aka: GrandCrab

Actor(s): Pinchy Spider

VTCollection     URLhaus                                

GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.

In a surprising announcement on May 31, 2019, the GandCrab’s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there’s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.

References
2022-11-08AhnLabASEC
LockBit 3.0 Being Distributed via Amadey Bot
Amadey Gandcrab LockBit
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-11-16Trend MicroTrend Micro
Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels
REvil Clop Gandcrab REvil
2021-10-05Trend MicroByron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-08-05KrebsOnSecurityBrian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-16Malwarebytes LabsJérôme Segura
Vidar and GandCrab: stealer and ransomware combo observed in the wild
Gandcrab Vidar
2021-07-06paloalto Networks Unit 42John Martineau
Understanding REvil: The Ransomware Gang Behind the Kaseya Attack
Gandcrab REvil
2021-07-06CrowdStrikeAdam Meyers
The Evolution of PINCHY SPIDER from GandCrab to REvil
Gandcrab REvil
2021-06-02TEAMT5TeamT5
Introducing The Most Profitable Ransomware REvil
Gandcrab REvil
2021-05-18Bleeping ComputerIonut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-03-17Palo Alto Networks Unit 42Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD GARDEN
Gandcrab GOLD GARDEN
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-08-21Vimeo (RiskIQ)Josh Burgess, Steve Ginty
The Evolution of Ransomware & Pinchy Spider's Shot at the Title
Gandcrab REvil
2020-08-03BitdefenderFilip Truta
Belarus Authorities Arrest GandCrab Ransomware Operator
Gandcrab
2020-07-31BleepingComputerIonut Ilascu
GandCrab ransomware operator arrested in Belarus
Gandcrab
2020-07-29ESET Researchwelivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-17CERT-FRCERT-FR
The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-07-15Advanced IntelligenceSamantha van de Ven, Yelisey Boguslavskiy
Inside REvil Extortionist “Machine”: Predictive Insights
Gandcrab REvil
2020-07-10Advanced IntelligenceAdvanced Intelligence
The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel
Gandcrab REvil
2020-06-22CERT-FRCERT-FR
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21Intel 471Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-31Intel 471Intel 471
REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation
Gandcrab REvil
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-25RSA ConferenceJoel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-29ANSSIANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-20Virus BulletinAhnLab Security Analysis Team
Behind the scenes of GandCrab’s operation
Gandcrab
2020-01-17SecureworksKeita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-10CSISCSIS
Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-01SecureworksSecureWorks
GOLD GARDEN
Gandcrab
2019-11-01Virus BulletinAlexandre Mundo Alguacil, John Fokker
VB2019 paper: Different ways to cook a crab: GandCrab ransomware-as-a-service (RaaS) analysed in depth
Gandcrab
2019-10-02McAfeeMcAfee Labs
McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us
Gandcrab REvil
2019-07-08KrebsOnSecurityBrian Krebs
Who’s Behind the GandCrab Ransomware?
Gandcrab
2019-06-24FortinetJoie Salvio
GandCrab Threat Actors Retire...Maybe
Gandcrab
2019-06-17BitdefenderBogdan Botezatu
Good riddance, GandCrab! We’re still fixing the mess you left behind
Gandcrab
2019-06-03SC MagazineDoug Olenick
GandCrab ransomware operators put in retirement papers
Gandcrab
2019-06-01Bleeping ComputerLawrence Abrams
GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion
Gandcrab
2019-05-24SophosLabs UncutAndrew Brandt
Directed attacks against MySQL servers deliver ransomware
Gandcrab
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-03-13MyOnlineSecurityMyOnlineSecurity
Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware
Cold$eal Gandcrab
2019-03-06CrowdStrikeBex Hartley, Brendon Feeley, Sergei Frankoff
PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware
Gandcrab Phorpiex PINCHY SPIDER ZOMBIE SPIDER
2019-03-05SophosLabs UncutLuca Nagy, Suriya Natarajan, Vikas Singh
GandCrab 101: All about the most widely distributed ransomware of the moment
Gandcrab
2019-02-19BitdefenderBogdan Botezatu
New GandCrab v5.1 Decryptor Available Now
Gandcrab
2019-01-07Bleeping ComputerIonut Ilascu
GandCrab Operators Use Vidar Infostealer as a Forerunner
Gandcrab Vidar
2018-11-08TC Contretcontre
R.E.: Gandcrab Downloader.. 'There's More To This Than Meets The Eye'
Gandcrab
2018-10-25EuropolEuropol
Pay No More: universal GandCrab decryption tool released for free on No More Ransom
Gandcrab
2018-10-25BitdefenderBogdan Botezatu
GandCrab Ransomware decryption tool
Gandcrab
2018-09-18MandiantManish Sardiwal, Muhammad Umair, Zain Gardezi
Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware
Gandcrab
2018-07-19Sensors Tech ForumVentsislav Krastev
Killswitch File Now Available for GandCrab v4.1.2 Ransomware
Gandcrab
2018-07-18ASECAhnLab ASEC Analysis Team
GandCrab v4.1.2 Encryption Blocking Method (Kill Switch)
Gandcrab
2018-05-09Cisco TalosChristopher Marczewski, Nick Biasini, Nick Lister
Gandcrab Ransomware Walks its Way onto Compromised Sites
Gandcrab
2018-03-07InfoSec Handlers Diary BlogBrad Duncan
Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
Gandcrab GlobeImposter
2018-02-08Bleeping ComputerLawrence Abrams
GandCrab Ransomware Being Distributed Via Malspam Disguised as Receipts
Gandcrab
2018-01-30MalwarebytesMalwarebytes Labs
GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated)
Gandcrab
2018-01-29Bleeping ComputerLawrence Abrams
GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension
Gandcrab
Yara Rules
[TLP:WHITE] win_gandcrab_auto (20230808 | Detects win.gandcrab.)
rule win_gandcrab_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.gandcrab."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? ff7728 8bf0 ff15???????? 03c3 8d5e04 }
            // n = 6, score = 2100
            //   ff15????????         |                     
            //   ff7728               | push                dword ptr [edi + 0x28]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]

        $sequence_1 = { 7403 83c314 837f7400 741b ff777c ff15???????? ff7778 }
            // n = 7, score = 2100
            //   7403                 | je                  5
            //   83c314               | add                 ebx, 0x14
            //   837f7400             | cmp                 dword ptr [edi + 0x74], 0
            //   741b                 | je                  0x1d
            //   ff777c               | push                dword ptr [edi + 0x7c]
            //   ff15????????         |                     
            //   ff7778               | push                dword ptr [edi + 0x78]

        $sequence_2 = { 8d5e04 03d8 837f2400 741b ff772c }
            // n = 5, score = 2100
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   837f2400             | cmp                 dword ptr [edi + 0x24], 0
            //   741b                 | je                  0x1d
            //   ff772c               | push                dword ptr [edi + 0x2c]

        $sequence_3 = { ff774c 8bf0 ff15???????? 03c3 8d5e04 03d8 }
            // n = 6, score = 2100
            //   ff774c               | push                dword ptr [edi + 0x4c]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax

        $sequence_4 = { 03c3 8d5e04 03d8 837f5400 741b }
            // n = 5, score = 2100
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   837f5400             | cmp                 dword ptr [edi + 0x54], 0
            //   741b                 | je                  0x1d

        $sequence_5 = { 03c3 8d5e04 03d8 837f3000 741b }
            // n = 5, score = 2100
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   837f3000             | cmp                 dword ptr [edi + 0x30], 0
            //   741b                 | je                  0x1d

        $sequence_6 = { ff774c 8bf0 ff15???????? 03c3 8d5e04 }
            // n = 5, score = 2100
            //   ff774c               | push                dword ptr [edi + 0x4c]
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]

        $sequence_7 = { 837f1800 741b ff7720 ff15???????? }
            // n = 4, score = 2100
            //   837f1800             | cmp                 dword ptr [edi + 0x18], 0
            //   741b                 | je                  0x1d
            //   ff7720               | push                dword ptr [edi + 0x20]
            //   ff15????????         |                     

        $sequence_8 = { 03d8 837f6000 7403 83c314 837f7400 741b ff777c }
            // n = 7, score = 2100
            //   03d8                 | add                 ebx, eax
            //   837f6000             | cmp                 dword ptr [edi + 0x60], 0
            //   7403                 | je                  5
            //   83c314               | add                 ebx, 0x14
            //   837f7400             | cmp                 dword ptr [edi + 0x74], 0
            //   741b                 | je                  0x1d
            //   ff777c               | push                dword ptr [edi + 0x7c]

        $sequence_9 = { ff15???????? 03c3 8d5e04 03d8 837f3000 }
            // n = 5, score = 2100
            //   ff15????????         |                     
            //   03c3                 | add                 eax, ebx
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   03d8                 | add                 ebx, eax
            //   837f3000             | cmp                 dword ptr [edi + 0x30], 0

    condition:
        7 of them and filesize < 1024000
}
Download all Yara Rules