Although its developers shut it down in 2019, GandCrab ransomware continues to make its mark in cybersecurity conversations. Its lasting influence comes from the ransomware model it helped popularize, the techniques it used, and the ongoing risks posed by similar malware that followed in its footsteps. For security teams looking to strengthen their defenses, understanding how GandCrab worked—and why it was so effective—is still highly relevant.
GandCrab Redefined the Ransomware-as-a-Service Model
To fully grasp GandCrab’s impact, it helps to view it in the broader context of ransomware threats. At its core, ransomware encrypts victims’ files and demands payment—usually in cryptocurrency—for a decryption key. GandCrab stood out as one of the first widespread examples of Ransomware-as-a-Service (RaaS). Rather than distributing the ransomware themselves, GandCrab’s core developers created the malware and allowed affiliates to spread it in exchange for a percentage of the ransom payments.
First detected in early 2018, GandCrab evolved rapidly through several versions—from v1.0 to v5.x. Each new release improved on the last, adding features that helped it bypass detection tools and avoid forensic analysis. These included regular code updates, encrypted payloads, obfuscation techniques, and anti-debugging features designed to stall reverse engineering efforts.
Its ability to scale made it especially dangerous. At its height, GandCrab was responsible for nearly half of all ransomware infections worldwide. Early versions demanded payment in DASH—an alternative cryptocurrency that’s harder to trace than Bitcoin—creating added challenges for investigators and incident response teams.
GandCrab Ransomware’s Influence is Still Visible
While the developers behind GandCrab claimed to retire in 2019—allegedly walking away with $2 billion—the ransomware’s methods and source code continue to shape today’s malware landscape. One of the most notable examples is REvil (also known as Sodinokibi), a follow-up strain that uses elements borrowed from GandCrab’s design.
Security professionals continue to study GandCrab for several reasons:
– It introduced an effective affiliate-based distribution strategy that’s now used by threat groups behind ransomware like Conti and LockBit.
– The attack vectors it exploited—malicious email attachments, exploit kits, and RDP vulnerabilities—are still among the most common ways ransomware gains a foothold in networks.
– Delivery and encryption methods created for GandCrab are being repurposed in new ransomware strains, making GandCrab analysis useful for today’s threat detection tools.
– Lessons from decryption efforts against early versions of GandCrab serve as case studies in how government agencies and private cybersecurity companies can collaborate effectively.
Many organizations use GandCrab case studies and attack simulations to identify security gaps like weak segmentation, insufficient endpoint monitoring, or outdated access controls.
GandCrab Ransomware’s Lasting Impact on Enterprise Security
From 2018 to 2019, GandCrab reshaped how ransomware targeted high-value victims—including municipal governments, healthcare systems, and large enterprises. It repeatedly slipped past standard antivirus software, used adaptive delivery methods, and incorporated features like randomized file extensions and data exfiltration capabilities.
Despite successful efforts to release decryption tools for some early versions—with contributions from Bitdefender, Europol, and other law enforcement partners—GandCrab was never fully eradicated. Later versions of the ransomware were more advanced and remain uncrackable using publicly available tools.
The GandCrab story isn’t just relevant for historical context—it plays a foundational role in how security teams approach ransomware defense today. Reverse engineering past versions of GandCrab helps identify recurring weaknesses in network architecture and endpoint protections.
As newer threat groups continue to reuse and modify GandCrab’s techniques, StoneFly recommends several protective measures: deploying immutable storage, leveraging built-in ransomware prevention tools, and implementing air-gapped backup solutions. These steps not only help mitigate attacks inspired by GandCrab, but also strengthen overall resilience against evolving ransomware threats.
Studying high-impact malware like GandCrab remains essential for building strong cyber defenses. IT leaders, security engineers, and cybersecurity teams benefit from a deeper understanding of how GandCrab worked—and why its influence is still felt years later.
What is GandCrab Ransomware and Why Should Enterprises Care
GandCrab ransomware emerged as one of the most disruptive and fast-evolving examples of ransomware-as-a-service (RaaS). First detected in January 2018, it marked a significant shift in how ransomware was created, marketed, and deployed. For enterprise IT teams, understanding how GandCrab operated offers valuable perspective when defending against similar and more sophisticated threats that continue to surface.
Operating under a RaaS model, GandCrab’s developers didn’t carry out the attacks themselves. Instead, they built the malware and provided it to affiliates—cybercriminals responsible for distributing it. These affiliates earned a portion of the ransom payments—typically between 60% and 70%—with the remainder going to the developers. This approach enabled the creators to concentrate on improving the malware while reducing their exposure to direct law enforcement action.
GandCrab stood out due to its advanced evasion techniques, regular updates, and modular design. It used RSA-2048 encryption paired with Salsa20, making it nearly impossible to recover files without a unique decryption key controlled by its command-and-control (C2) servers. Victims were directed to dark web-hosted portals where ransom payments were requested in Dash cryptocurrency, chosen for its transaction anonymity.
Within just a few weeks of its discovery, GandCrab had infected over 50,000 systems worldwide. Organizations in healthcare, finance, manufacturing, and education were frequent targets. It spread through malicious email attachments, exploit kits, compromised websites, and brute-force attacks on remote desktop protocol (RDP) services.
GandCrab’s Development Changed the Playbook for Ransomware Operators
Unlike many static ransomware samples, GandCrab evolved continuously, with its developers releasing at least five major versions between 2018 and 2019. Each update introduced more complex encryption methods, improved ways to avoid detection, and new delivery systems. The ability to adapt to different IT environments helped GandCrab penetrate corporate networks, bypass endpoint protections, and spread laterally.
Later versions, including v3 and beyond, exploited known vulnerabilities in Windows operating systems to establish persistence and disable recovery tools. The ransomware not only encrypted primary files but also backups, system restore options, and network shares—amplifying its impact across enterprise systems. It also included logic to detect system language settings and avoid encrypting devices located in countries within the Commonwealth of Independent States (CIS), suggesting a deliberate effort to evade authorities in those regions.
GandCrab attacks were recorded across multiple continents, including North America, Europe, and Asia. Victims included law firms, logistics providers, local governments, and other organizations that routinely manage sensitive data and cannot afford extended downtime.
Though Discontinued, GandCrab Ransomware’s Influence Still Lingers
In 2019, the people behind GandCrab declared the ransomware operation shut down, reportedly after collecting more than $2 billion through ransom payments. While the original campaign was retired, many of its affiliates transitioned to distributing new ransomware variants such as REvil (Sodinokibi), which carried forward many of GandCrab’s tactics.
Even today, remnants of GandCrab remain on previously infected systems. Some organizations are still locked out of encrypted files from earlier infections, especially in cases where no viable backups were available. In such instances, decryption tools released by cybersecurity firms in collaboration with Europol and Bitdefender have played a critical role. However, these tools are version-specific and only work if the corresponding decryption keys have been publicly released.
Rather than viewing the GandCrab episodes from 2018 and 2019 as a closed case, enterprises should consider them a reference point. Many of today’s ransomware threats draw directly from GandCrab’s model. As ransomware-as-a-service becomes more accessible to attackers, the methods first refined by GandCrab remain just as relevant—and dangerous—today.
How a Typical GandCrab Ransomware Attack Operates Within a Corporate Environment
GandCrab ransomware was one of the most active and rapidly changing ransomware families from January 2018 to mid-2019. Although its creators announced their retirement in 2019, the techniques and behaviors used by GandCrab are still studied closely by cybersecurity professionals. Gaining a clear understanding of how GandCrab spreads, takes hold, and executes inside enterprise environments is vital for IT teams, security leaders, and SOC personnel tasked with protecting business systems.
Common Entry Points Used in GandCrab Ransomware Attacks
The initial stage of a GandCrab infection typically begins with attackers finding a way into the network. Campaigns involving GandCrab often relied on methods that exploited human mistakes, misconfigured systems, or missing security patches.
Email-based attacks were frequently used, with phishing messages containing malicious ZIP or RAR file attachments. These compressed files usually housed heavily obfuscated JavaScript or VBScript code. When executed, the code launched a PowerShell script that connected to a remote, attacker-controlled server to download the ransomware payload.
Exploit kits were another widely used infection method. Kits like RIG, GrandSoft, and Fallout would exploit vulnerabilities found in browsers or outdated plugins—particularly Internet Explorer and Flash Player. Victims were often led to these kits through malicious advertising (malvertising), sometimes served from legitimate websites. Once clicked, the victim was silently redirected to an exploit landing page, where GandCrab was downloaded onto the system.
Exposed remote access services were another weakness. Many GandCrab campaigns included brute-force attacks on Remote Desktop Protocol (RDP) services: attackers scanned for publicly exposed RDP ports, usually TCP 3389, then ran automated tools that guessed passwords from credential dumps or by plain brute force. Once logged in, they installed and launched the ransomware manually.
Targeting Critical Systems Through Network Reconnaissance
Once GandCrab made its way into the network, it would begin scanning the environment for valuable targets. This reconnaissance phase involved collecting information such as system details, domain credentials, running processes, and access to shared drives.
The malware used built-in Windows commands and APIs to gather intelligence. Tools such as `ipconfig`, `wmic`, `net view`, and `netstat` were used to map out the network and identify opportunities for lateral movement. If attackers obtained remote access, such as through compromised RDP credentials, they could move from one machine to another and elevate their privileges using tools like Mimikatz to grab cached credentials.
GandCrab was also designed to avoid detection in test environments. It would look for signs that it was running inside a virtual machine, check registry entries, and look for debugging tools. If it detected a sandbox or analysis system, it either delayed its actions or shut down entirely to avoid leaving any traces.
File Encryption and Ransom Note Delivery
After scanning the environment and identifying valuable assets—especially systems like domain controllers—GandCrab would begin the encryption process. The ransomware was known for its speed and efficiency, often using multithreaded processing to encrypt files rapidly and spread to connected drives and network shares.
Encryption was performed using RSA-2048 and Salsa20 algorithms. File extensions were changed depending on the variant—earlier versions used `.GDCB`, while later ones used extensions like `.CRAB`, `.KRAB`, or randomly generated five-letter suffixes. The encrypted files could not be recovered without the private key held by the attacker.
Alongside the encrypted files, GandCrab would generate a ransom note in each affected directory. The note typically followed a naming format such as `GDCB-DECRYPT.txt` or `CRAB-DECRYPT.txt`. It included instructions for the victim to visit a Tor-based payment site, their unique victim ID, and directions on how to buy decryption software using Bitcoin or Dash.
Some GandCrab variants were programmed to avoid encrypting files on systems located in specific countries, primarily those in the Commonwealth of Independent States (CIS). This was typically done by checking the system’s keyboard layout or regional settings, suggesting the malware’s origin lay in Eastern Europe.
Early Adoption of the Ransomware-as-a-Service Model
GandCrab was one of the first ransomware families to fully embrace the ransomware-as-a-service (RaaS) model. Its developers took care of building the malware, hosting infrastructure, and collecting payments, while allowing affiliates to operate their own attacks using the platform.
Affiliates could tailor key elements of the ransomware—such as file extensions, ransom note language, and payment demands—to fit their own campaigns. This led to broad variation in how GandCrab appeared across targets, but the core functionality stayed the same. Reports from the time showed that some affiliates earned significant sums in short periods, with many campaigns generating hundreds of thousands of dollars within weeks.
While the original creators of GandCrab claimed to retire in 2019 and released decryption keys for earlier versions, the malware’s code and techniques continued to influence later ransomware strains. Families like REvil (also known as Sodinokibi) are believed to share substantial parts of GandCrab’s foundation and possibly even its development team.
Payload Architecture and Encryption Process in GandCrab Ransomware
The architecture behind GandCrab ransomware is modular and efficient, designed to prioritize speed, stealth, and profit. While file encryption is a core component, it’s just one element of a broader system engineered for rapid impact across enterprise environments.
Hybrid Encryption Scheme: AES-256 and RSA-2048 Combined
GandCrab employs a hybrid encryption model to effectively compromise enterprise data. At the initial stage, the ransomware generates a unique AES-256 key for each infected machine. This symmetric encryption enables fast processing of large volumes of files.
After files are encrypted with AES, GandCrab encrypts the AES keys themselves with an embedded RSA-2048 public key. This layered approach prevents recovery of the AES keys—even if defenders gain low-level memory access—since the private RSA component remains in the attackers’ control. In network-wide attacks, each host receives a unique AES key, but all are encrypted using the same RSA key.
The process is designed to run concurrently across multiple threads. Each drive is scanned, and a separate thread is assigned per volume, enabling rapid encryption of large-scale file shares and storage systems.
Key Generation and Metadata Embedding
Keys are generated locally with the Windows CryptoAPI, drawing on the operating system’s entropy source. Once encryption is complete, GandCrab adds a unique file extension—often version-specific, such as .GDCB or .CRAB—and embeds metadata in the file footer. This footer includes the RSA-encrypted AES key and helps link the file back to a centralized decryption system managed through a Tor-based command-and-control backend.
Hiding the encryption metadata in less obvious parts of the file structure adds another layer of obscurity, making detection and forensic recovery more difficult for defenders.
Engineered Persistence and Evasion Mechanisms
Beyond file encryption, GandCrab is built to remain under the radar while maintaining persistence. These features enable the malware to delay discovery, making recovery efforts more challenging for security operations teams.
Avoidance of Analysis Environments
GandCrab begins its execution by scanning the environment for signs of virtualization or analysis setups. Indicators such as VMware, VirtualBox, and sandbox frameworks like Cuckoo or Joe Sandbox trigger the malware to halt, avoiding automated detection tools.
To outsmart sandbox timers, the malware can initiate execution delays and logic-based triggers that disrupt the analysis process. It also employs process injection techniques, targeting trusted Windows processes like explorer.exe to cloak its activity from endpoint detection tools.
Command and Control via DNS Tunneling
To avoid direct detection by traditional firewalls and network monitoring systems, GandCrab uses encoded DNS queries for C2 communication. These DNS lookups transmit telemetry data and fetch ransomware configurations without raising immediate suspicion, as DNS traffic typically moves unfiltered in many enterprise environments.
Once this stage is successful, GandCrab reaches its backend infrastructure through prebuilt Tor gateways, receiving instructions and ransom details. This hidden communication method gives the attackers ongoing control during a highly sensitive phase in the timeline of an incident.
Ensuring Execution at Every Reboot
Persistence is maintained through executable artifacts placed in directories such as %APPDATA% or %LOCALAPPDATA%, often masquerading as legitimate files with realistic naming conventions. GandCrab modifies registry values under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This ensures the ransomware launches on system startup.
In some instances, the malware forces a system reboot after installation, allowing it to cleanly load its persistence routines and encrypt files that were previously inaccessible. This reboot tactic can often be an early warning sign for administrators monitoring abnormal device behavior.
Data Exfiltration with Vidar Infostealer Before Encryption
Starting in late 2018, GandCrab campaigns were increasingly coupled with Vidar, a powerful infostealer. This addition provided attackers with another revenue opportunity—stealing sensitive data before launching the encryption stage.
Collecting Valuable Enterprise Data
Vidar typically launches before GandCrab begins file encryption, collecting information such as browser-saved credentials, VPN configurations, remote desktop protocol (RDP) session details, and financial data like cryptocurrency wallets. This data is uploaded silently to attacker-controlled servers.
By harvesting data early, attackers gain access to high-value information even if the victim recovers encrypted files using backups or tools. In some incidents, stolen data was used to adjust ransom amounts based on the perceived value or sensitivity of the information—suggesting a more tailored extortion strategy targeting industries at higher risk of regulatory fines or reputational loss.
Mapping Indicators of Compromise (IOCs) to Strengthen Detection
For defenders, recognizing activity early is critical. Monitoring indicators across file systems, memory, registry, and network traffic helps identify an attack before encryption completes.
Traces Left by GandCrab Activity
Despite frequent updates, GandCrab variants consistently leave telltale signs: Run-key entries that relaunch the malware at startup, file artifacts in paths like %APPDATA%\[random]\, and unusual filenames (e.g., randomstring.exe).
Encrypted files are marked with version-specific extensions such as .KRAB, .RANDAL, or .CRAB. On the network side, suspicious DNS queries to domains using the .bit top-level domain—which GandCrab utilizes via EmerDNS—are strong indicators. Other signs include connections to Tor2web proxies, which funnel traffic between standard networks and Onion services.
Organizations should also look out for a surge in DNS activity or unresolved queries, particularly those aimed at obscure or anonymous domains.
A strong response strategy involves tying these IOCs to host-based detection rules. For instance, widespread file modification outside regular working hours, unusual changes to startup entries, or unexplained process creation should trigger alerts. By correlating endpoint and network logs, security teams gain a clearer view of infection timelines, helping them isolate threats before encryption or data leaks occur.
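As an added example (not code from the article or from StoneFly), the following Python script applies the host-based correlation just described to a handful of constructed endpoint and DNS log lines: Run-key writes pointing into %APPDATA%, executables launched from random %APPDATA% folders, the reconnaissance commands named earlier (`ipconfig`, `wmic`, `net view`, `netstat`), DNS queries to .bit or Tor2web gateway domains, and bursts of renames to known or random five-letter extensions. The log format, hostnames, domains, paths, the Tor2web suffix list and the alert thresholds are all assumptions.

```python
"""Correlate endpoint and DNS events for the GandCrab indicators the article lists.

Added example; not code from the original article or from StoneFly.  The log
format, hostnames, domains, paths and thresholds below are constructed/assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# random-looking folder directly under %APPDATA% or %LOCALAPPDATA%
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\[a-z]{5,10}\\", re.I)
RECON_TOOLS = {"ipconfig.exe", "wmic.exe", "net.exe", "netstat.exe"}
TOR2WEB_SUFFIXES = (".onion.to", ".onion.link", ".tor2web.org")  # assumed gateway suffixes
KNOWN_EXT = {"gdcb", "crab", "krab", "randal"}
RANDOM_EXT_RE = re.compile(r"^[a-z]{5}$", re.I)  # random five-letter suffix
LINE_RE = re.compile(r"^(\S+) (\S+) (process|registry|dns|file) (.*)$")

# Constructed sample: "<ISO timestamp> <host> <source> <detail>".  ws-17 shows the
# chain the article describes; ws-03 is benign activity that must not alert.
SAMPLE_LOGS = r"""
2019-03-04T02:11:05 ws-17 process C:\Users\jdoe\AppData\Roaming\qwtrvz\qwtrvz.exe
2019-03-04T02:11:09 ws-17 registry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qwtrvz=C:\Users\jdoe\AppData\Roaming\qwtrvz\qwtrvz.exe
2019-03-04T02:11:20 ws-17 process C:\Windows\System32\ipconfig.exe /all
2019-03-04T02:11:22 ws-17 process C:\Windows\System32\net.exe view
2019-03-04T02:11:40 ws-17 dns c2-placeholder.bit
2019-03-04T02:12:01 ws-17 dns placeholderxyz.onion.to
2019-03-04T02:13:10 ws-17 file rename D:\shares\finance\q1.xlsx -> D:\shares\finance\q1.xlsx.KRAB
2019-03-04T02:13:11 ws-17 file rename D:\shares\finance\q2.xlsx -> D:\shares\finance\q2.xlsx.KRAB
2019-03-04T09:30:00 ws-03 process C:\Program Files\Vendor\update.exe /silent
2019-03-04T09:30:05 ws-03 dns updates.vendor.example
2019-03-04T09:31:00 ws-03 file rename C:\Users\asmith\draft.txt -> C:\Users\asmith\draft.pages
"""


def classify(source, detail):
    """Map one event to an indicator category; renames also carry their new extension."""
    if source == "registry":
        if detail.startswith(RUN_KEY) and APPDATA_RE.search(detail):
            return ("persistence", None)
    elif source == "process":
        m = re.match(r"(.*?\.exe)", detail, re.I)
        exe = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
        if exe in RECON_TOOLS:
            return ("recon", None)
        if APPDATA_RE.search(detail):
            return ("appdata_exe", None)
    elif source == "dns":
        name = detail.strip().lower()
        if name.endswith(".bit") or name.endswith(TOR2WEB_SUFFIXES):
            return ("c2_dns", None)
    elif source == "file":
        m = re.search(r"-> \S+\.([A-Za-z]+)$", detail)
        if m and (m.group(1).lower() in KNOWN_EXT or RANDOM_EXT_RE.match(m.group(1))):
            return ("rename", m.group(1).lower())
    return None


def correlate(log_text, window_minutes=10, burst=5, min_categories=2):
    """Return {host: alert} for hosts whose indicator types cluster inside one window.

    Renames become the "encrypt_rename" category when the extension is a known
    GandCrab one, or when `burst` renames in the window share one random suffix.
    """
    by_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        tag = classify(m.group(3), m.group(4)) if m else None
        if tag:
            by_host[m.group(2)].append((datetime.fromisoformat(m.group(1)), tag))
    span = timedelta(minutes=window_minutes)
    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        best, best_start = set(), None
        for i, (start, _) in enumerate(events):       # sliding window from each event
            cats, renames = set(), Counter()
            for ts, (cat, ext) in events[i:]:
                if ts - start > span:
                    break
                if cat == "rename":
                    renames[ext] += 1
                else:
                    cats.add(cat)
            if any(ext in KNOWN_EXT or n >= burst for ext, n in renames.items()):
                cats.add("encrypt_rename")
            if len(cats) > len(best):
                best, best_start = cats, start
        if len(best) >= min_categories:
            # activity outside 07:00-19:00 is the "outside regular working hours" signal
            alerts[host] = {"categories": sorted(best),
                            "off_hours": not 7 <= best_start.hour < 19}
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_LOGS).items():
        print(host, alert)
```

In production the same categories would be fed from EDR process/registry telemetry and the resolver's query log rather than a flat text file, but the correlation rule is unchanged.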
GandCrab Ransomware Cases: Lessons for Enterprise Security
GandCrab ransomware first appeared in early 2018 and quickly became one of the most widespread ransomware-as-a-service (RaaS) threats targeting public institutions and private businesses. Unlike earlier ransomware variants, GandCrab’s developers and affiliates took a more aggressive and profit-driven approach, expanding their operations rapidly before going dark in mid-2019.
High-Profile GandCrab Ransomware Attacks Revealed Gaps in Enterprise Defenses
GandCrab targeted a wide range of victims—including small businesses, large corporations, healthcare facilities, and government organizations. One incident involved the Monroe County School District in Florida, which paid a ransom after critical systems were encrypted, disrupting day-to-day operations. In another case, Carleton University in Ottawa suffered a significant breach, resulting in the encryption of academic and financial data.
The methods used to spread GandCrab were fairly consistent. Attackers primarily relied on malicious email attachments, compromised websites equipped with exploit kits, and brute-force attacks on systems using Remote Desktop Protocol (RDP). Affiliates behind the ransomware used social engineering techniques and hosted the payloads on compromised infrastructure to maximize infection rates.
In sectors like healthcare, where system availability is crucial, the impact was especially serious. In one instance, a regional hospital saw its imaging systems knocked offline, delaying patient care for several days. GandCrab campaigns weren’t simply random attacks; operators often took time to move laterally within networks, identify critical systems, and increase their demands based on the value of the target.
Many organizations lacked proper network segmentation and did not have secure, offsite, or immutable backups. Without these, recovery was extremely difficult without paying the ransom. Several affected businesses also lacked tested disaster recovery plans, leaving them ill-prepared and with few options other than expensive downtime or payment.
Personalized Demands and Crypto Obfuscation Amplified the Financial Impact
Unlike more generic ransomware strains, GandCrab used a tailored approach when demanding payment. Ransom demands varied significantly based on the size and type of the victim. Enterprises were hit with demands ranging from $10,000 up to $700,000, while smaller organizations were typically asked to pay a few hundred dollars. GandCrab demanded payment in DASH cryptocurrency—a privacy-focused altcoin that was harder to trace than more mainstream options like Bitcoin.
Why GandCrab Ransomware Chose DASH Instead of Bitcoin
By 2018, Bitcoin transactions had become relatively easier to trace thanks to the growth of blockchain analysis tools. To lower the risk of detection and arrest, GandCrab’s creators chose DASH, which offered greater anonymity through its PrivateSend feature. This allowed them to conduct transactions without easily revealing wallet ownership or transaction histories.
For corporate incident response teams, this switch to a less-transparent cryptocurrency added another layer of complexity. Working with law enforcement became more challenging, and organizations that paid the ransom—in many cases through external negotiators or their cyber insurance—had limited visibility into where the payments went or whether follow-up attacks were funded by recovered ransom sums.
Ransom Isn’t the Only Cost
Paying the ransom did not always result in full data recovery. In several cases, the decryption tools either returned incomplete data or failed entirely. Beyond the ransom, victims often faced additional costs, including forensic analysis, regulatory compliance reviews, increases in cyber insurance premiums, and prolonged business disruption.
On average, affected organizations incurred around $200,000 in recovery expenses—excluding ransom payments. These costs included system restoration, lost productivity, customer notification, and legal or regulatory fallout related to data exposure.
The more prepared organizations—those that invested in layered security, offline backup strategies, and clear incident response protocols—were able to contain the damage and recover more quickly. Key strategies included adopting zero-trust frameworks, real-time monitoring of network activity, and running frequent ransomware simulation exercises to validate response efforts.
Free GandCrab Decryption Tools Available Only for Versions Up to 5.2
GandCrab ransomware, which was active mainly across 2018 and early 2019, followed a Ransomware-as-a-Service (RaaS) model and was responsible for thousands of infections worldwide. Although its creators eventually discontinued the malware, many older systems remain encrypted—especially in environments where a full, verified recovery was never completed.
For those unfamiliar, GandCrab was one of the more advanced malware families of its time. It featured polymorphic properties to bypass antivirus detection and used the Tor network to keep payments anonymous. Versions 1.0 through 5.2 evolved quickly, increasing the ransomware’s effectiveness and complexity with each new release.
In response, cybersecurity companies and law enforcement agencies joined forces to mitigate the damage. As part of the NoMoreRansom project—a collaboration between Europol, Intel Security, Kaspersky Lab, and others—several decryption tools were developed and made available to the public. These tools can help users recover files encrypted by GandCrab versions up to 5.2.
If an organization was hit by GandCrab version 5.2 or earlier, there’s a decent chance they can recover their data without paying a ransom. The decryption tools for these versions have been tested and used in numerous recovery efforts documented during the height of the ransomware’s activity. However, for infections involving versions 5.3 or later, no public decryption tools exist. Later builds utilized enhanced cryptographic methods, and since the RaaS platform was shut down shortly after their release, law enforcement never gained access to the required keys.
To determine which version of GandCrab infected a system, IT teams should check the ransom note or review the file extensions of encrypted data. Identifying the version allows security teams to select the correct decryption utility from the NoMoreRansom repository or trusted cybersecurity vendors involved in earlier mitigation work.
Always run decryption tools in a contained environment. Avoid using production systems for this process. Before making any changes, capture memory dumps and forensic images—these can aid further analysis or support legal efforts later.
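An added example, not the article's or any vendor's tool: this Python script walks a copy of an encrypted share, counts encrypted-file extensions and `*-DECRYPT.txt` ransom notes, checks that the note prefix agrees with the dominant extension, and reports which extension family (early `.GDCB` versus the later `.CRAB`/`.KRAB`/random-suffix forms the article describes) the system matches, so the right NoMoreRansom utility can be looked up. The sample tree is constructed in a temporary directory; the family labels and the exactly-five-letter random-suffix rule are assumptions drawn from the article's description.

```python
"""Triage an encrypted directory tree to identify which GandCrab extension family it matches.

Added example, not the article's or any vendor's tool.  The sample share is
constructed in a temporary directory; the family labels follow the article's
description of early (.GDCB) and later (.CRAB/.KRAB/random) extensions.
"""
import os
import re
import tempfile
from collections import Counter

# ransom note naming seen in the article: GDCB-DECRYPT.txt, CRAB-DECRYPT.txt
NOTE_RE = re.compile(r"^([A-Za-z]+)-DECRYPT\.txt$", re.I)
KNOWN_FAMILIES = {"gdcb": "early (.GDCB)", "crab": "later (.CRAB)", "krab": "later (.KRAB)"}
RANDOM_SUFFIX_RE = re.compile(r"^[a-z]{5}$", re.I)  # assumption: random suffix is exactly five letters


def triage(root):
    """Walk `root`; return note prefixes, encrypted-extension counts and the inferred family."""
    notes, exts = Counter(), Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes[m.group(1).lower()] += 1
                continue
            base, dot, ext = name.rpartition(".")
            # an encrypted file keeps its original name and gains one extra suffix
            looks_encrypted = ext.lower() in KNOWN_FAMILIES or RANDOM_SUFFIX_RE.match(ext)
            if dot and "." in base and looks_encrypted:
                exts[ext.lower()] += 1
    result = {"notes": dict(notes), "extensions": dict(exts), "family": None,
              "note_matches_extension": False, "next_step": None}
    if exts:
        ext = max(exts, key=exts.get)            # dominant extension across the tree
        result["family"] = KNOWN_FAMILIES.get(ext, f"later (random suffix .{ext.upper()})")
        result["note_matches_extension"] = ext in notes
        result["next_step"] = (f"look up a NoMoreRansom decryptor for extension .{ext.upper()}; "
                               "image the host first and run the tool on copies, not production")
    return result


def build_sample_tree():
    """Create a constructed sample of an encrypted share under a temp dir; returns its path."""
    root = tempfile.mkdtemp(prefix="gandcrab-triage-")
    layout = {
        "finance": ["q1.xlsx.CRAB", "q2.xlsx.CRAB", "CRAB-DECRYPT.txt"],
        "hr": ["handbook.docx.CRAB", "CRAB-DECRYPT.txt", "README.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed placeholder content\n")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```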
Effective Remediation Goes Beyond Decryption—Focus on Incident Response
Recovering from a GandCrab attack involves more than retrieving encrypted data. A reliable response should include a coordinated incident management strategy, comprehensive system scanning, and a focus on restoring long-term security integrity.
GandCrab typically infiltrated systems through phishing emails, exploit kits, or brute-force attacks on Remote Desktop Protocol (RDP). In many cases, it gained administrative access, allowing the malware to move across the network and lock down local drives, network shares, and even backup destinations.
As soon as an infection is spotted, isolate the affected systems. Disconnect them from the network immediately to prevent the ransomware from locking other endpoints. Practices like privilege segmentation and firewalled network zones can limit the spread significantly—something worth implementing before an attack occurs.
The next step is to thoroughly assess the compromised environment by:
– Scanning endpoints and servers for forensic evidence,
– Checking logs for unusual outbound traffic—particularly traffic linked to Tor nodes or Command & Control servers often used by GandCrab,
– Running memory analysis tools to pinpoint in-memory or fileless malicious processes.
Once you’ve identified all compromised areas, restore systems from confirmed clean backups or perform a full reimage. Backup best practices become vital here. In many incident reports, attackers encrypted backup directories or interfered with automated snapshot processes. As a result, organizations should monitor, test, and verify backup jobs routinely—not just configure them and forget.
One important but frequently overlooked layer of defense is isolating backups from potential malware exposure. Businesses using cloud-integrated storage or hyperconverged platforms should ensure backup data can’t be overwritten by compromised credentials. Tools like WORM (Write Once Read Many) or immutable snapshots can provide added assurance.
Administrators should also:
– Maintain detailed records of backup retention policies,
– Replicate backups across multiple regions or data centers,
– Use storage systems with built-in ransomware detection and behavioral monitoring capabilities.
Once recovery is complete, conduct a full audit of all systems and domains. Patch every vulnerable asset, and make sure monitoring policies are in place to watch for signs of lingering compromise or reinfection risks.
Organizations also need to revisit their cybersecurity insurance coverage and initiate a proper review with their compliance or internal audit teams. Keeping a clear log of each action taken during the response and recovery processes can help with regulatory filings and reduce potential legal exposure.
Recovery from a GandCrab ransomware attack is about more than decryption—it’s about reinforcing security foundations. Long-term resilience depends on adopting a layered cybersecurity approach that includes proactive threat detection, endpoint protection, and backup preparedness as integral parts of day-to-day operations.
GandCrab RaaS Explained: Enterprise Risks from Ransomware-as-a-Service Models
GandCrab ransomware marked a turning point in the evolution of ransomware operations, particularly with its use of the Ransomware-as-a-Service (RaaS) model. Active between 2018 and 2019, GandCrab quickly became one of the most widespread threats, responsible for numerous enterprise breaches and millions in ransom demands. For cybersecurity teams, understanding how this model worked is key to defending against similar threats that continue to build on its foundation.
GandCrab’s Affiliate System Resembled a SaaS-Based Business Model
GandCrab operated under a Ransomware-as-a-Service (RaaS) structure, using darknet forums to recruit affiliates. Rather than launching every attack themselves, the ransomware developers managed and updated the core payload and provided the necessary infrastructure. The affiliates—sometimes referred to as partners—were responsible for distributing the malware and handling interactions with victims.
Recruitment took place mostly on closed-access forums, where developers promoted their ransomware packages. Affiliates were given ready-to-use payloads, an infection-tracking dashboard, and technical assistance. In return, a portion of every ransom—ranging from 20% to 40%—was sent back to the developers, with the remaining amount kept by the affiliate.
GandCrab variants implemented a range of evasion and resilience features, including code obfuscation and, in early versions, Command-and-Control (C2) domains in the Namecoin .bit namespace, which sits outside the regular DNS and so could not be taken down through ordinary registrars. The malware also checked keyboard layouts and locale settings and exited without encrypting on devices in Russia and other Commonwealth of Independent States (CIS) countries, a common marker of malware developed in that region.
For payments, GandCrab used cryptocurrencies—often DASH due to its privacy-enhancing properties—which made tracing transactions difficult for investigators.
Despite its criminal usage, the operation resembled a mature SaaS offering. It provided affiliates with ongoing payload updates, feature improvements, dashboards for campaign management, and even support channels. This service-based model fueled widespread adoption, leading to thousands of infections globally during its peak and cementing its place in cybercriminal history.
How GandCrab and Similar RaaS Platforms Widen the Threat Landscape for Enterprises
The main concern for enterprise IT and security teams is not just the malware itself—it’s how RaaS platforms like GandCrab make ransomware easily accessible. With little-to-no technical expertise, attackers could launch sophisticated campaigns, thanks to pre-built infrastructure and tools provided by seasoned developers. The barrier to entry was drastically lowered.
This accessibility led to a surge in ransomware incidents targeting industries of all kinds—from hospitals and city governments to law firms and financial service providers. Attackers used a range of initial attack vectors, including exploit kits, phishing emails, and unsecured Remote Desktop Protocol (RDP) services.
Defensive tools often fell short. GandCrab’s developers continually released new versions with updated encryption methods and stealth tactics. These frequent changes helped affiliates bypass antivirus and endpoint protection systems. The malware also employed methods like sandbox evasion and anti-virtual machine logic to avoid detection during analysis.
Some affiliates went a step further, performing reconnaissance and lateral movement, and in some reported cases stealing data, before triggering encryption, an early form of the double extortion that later groups made routine. For organizations without behavioral monitoring, these multi-stage intrusions could go unnoticed until the damage was already done.
Protecting against threats like GandCrab requires more than perimeter defenses. Organizations need layered security strategies that include network segmentation, incident response planning, employee training, and regular offline backups. Advanced Security Information and Event Management (SIEM) solutions that leverage machine learning and anomaly detection can greatly improve early threat detection.
Though the GandCrab developers claimed to retire in mid-2019 after reportedly earning over $2 billion, their model continues to influence modern ransomware groups. Threat actors such as REvil and DarkSide have adopted similar techniques. Free decryptors built by Bitdefender with Europol and the Romanian Police eventually covered v1, v4 and v5.0.4 through v5.2, but files encrypted by v2 and v3 never received a public tool, and the operators said they would destroy their keys on the way out.
Enterprises should treat GandCrab not just as a threat of the past but as a foundational model of today’s organized ransomware operations. As long as anonymity, profit, and scalable malware delivery remain viable for cybercriminals, ransomware-as-a-service will continue to evolve and pose a challenge.
What Happened After GandCrab Ransomware’s Shutdown in 2019
When GandCrab ransomware suddenly shut down in June 2019, it caught cybersecurity experts, law enforcement, and enterprises off guard. After dominating the ransomware-as-a-service (RaaS) market for over a year, its operators unexpectedly announced their retirement, claiming to have made over $2 billion in ransom payments. The abrupt nature of the shutdown raised many questions—chief among them: why walk away at the height of success, and what came next?
Here’s a closer look at what may have driven GandCrab’s exit and how its affiliates quickly moved on to continue their work under new names.
Why Did GandCrab Shut Down? A Mix of Pressure and Profit
In June 2019, GandCrab’s developers posted a public statement on underground forums, declaring they were stepping away with substantial profits. They claimed those who wanted to make money had already done so, and confirmed that no decryption keys would be released, despite mounting pressure from global law enforcement and cybersecurity firms.
While the messaging painted their departure as a personal decision motivated by success, growing pressure from international authorities may have been the real reason they backed out.
Global Law Enforcement Was Closing In
Prior to the shutdown, agencies like Europol and the FBI had ramped up investigations into GandCrab, often in collaboration with cybersecurity firms. These efforts produced a series of free decryption tools between October 2018 and February 2019 that covered v1, v4 and v5.0.4 through v5.1; a final update released after the shutdown added v5.2.
Bit by bit, these advancements eroded the group’s image of invulnerability. As cross-border investigations became more organized and data sharing more effective, it became increasingly difficult for high-profile attackers to operate anonymously.
In light of this, quitting the scene may have been a strategic retreat—aimed at avoiding prosecution and holding onto whatever gains they had secured.
The Rise of REvil Ransomware: A Familiar Successor
While GandCrab officially stopped operating in mid-2019, the people and infrastructure behind it didn’t disappear. Many of its affiliates shifted their efforts to newer ransomware families, the most prominent being REvil, also known as Sodinokibi.
A New Name, Same Tactics
Technical analysis quickly revealed similarities between GandCrab and REvil, not just in their code but in the way they operated. Both targeted Managed Service Providers (MSPs), abused exposed or weakly secured Remote Desktop Protocol (RDP) services, and ran email-based phishing campaigns.
Cybersecurity researchers also found overlapping configurations and reused resources, such as Command-and-Control (C2) server IPs. These findings strongly suggest that many GandCrab operators simply transitioned to REvil, continuing their attacks with minimal disruption. For businesses, this meant the threat never really went away—just changed labels.
GandCrab’s RaaS Model Set the Stage for What’s Next
From its launch in early 2018, GandCrab was more than just malware—it was a business. Its RaaS structure allowed technically inexperienced criminals to launch ransomware attacks using professional tools. In exchange for a cut of the ransom—typically 30 to 40 percent—the developers offered ongoing support, updates, a user-friendly dashboard, and round-the-clock chat assistance through private forums.
When GandCrab was taken offline, many of these workstreams and resources found new life in REvil’s operations. The strategy and structure were already proven—there was little reason to reinvent them.
Post-GandCrab, these tools continued to shape the threat landscape. Security teams identified that many of the same IP addresses and attack vectors used by GandCrab were now being deployed in REvil campaigns. This continuity added complexity to defending enterprise networks, as old threats resurfaced in new forms.
Why Enterprises Can’t Ignore “Retired” Threats
Although GandCrab hasn’t been active since mid-2019, the risk environment hasn’t exactly cooled off. Ransomware families that followed in its footsteps took many of the same approaches and refined them further. This means organizations still face a similar level of danger today—just from attackers using evolved methods grounded in GandCrab’s original playbook.
For security teams, this requires vigilance beyond keeping up with current attack names. Many of the tools and techniques once associated with GandCrab continue to appear in new campaigns. Log monitoring, behavioral analytics, and endpoint protection are as important now as they were when GandCrab was active.
Key Lessons for CISOs From the GandCrab Campaign
GandCrab’s rise and abrupt shutdown revealed a number of patterns that are still relevant. For one, it highlighted the need to pair technology with operational flexibility. Defending against ransomware requires both solid infrastructure and a team ready to respond effectively.
Actionable Guidance for Cybersecurity Leaders
Though GandCrab’s operators claimed to shut down operations in 2019, their methods continue to influence newer campaigns. For CISOs, this presents an opportunity to strengthen their security strategies through targeted improvements and collaborative defense efforts.
Building Stronger Threat Intelligence Sharing Across Industries
One major obstacle during the height of the GandCrab campaign was the lack of coordination between sectors. Timely intelligence sharing was limited, and many organizations were slow to respond to known indicators of compromise (IoCs). Infrastructure reuse and overlapping indicators across campaigns were often missed due to siloed datasets.
To improve response times and detection, security leaders should encourage collaboration through platforms like ISACs, MITRE ATT&CK mappings, and industry-specific exchanges. The earlier a SOC identifies attack patterns similar to GandCrab, such as PowerShell used for code execution or lateral movement over unsecured SMB shares, the faster teams can limit the impact.
Creating standardized playbooks that can be shared across industries also helps. GandCrab didn’t target a specific sector — it was opportunistic — which means that defensive strategies effective in one domain can often be applied broadly with minor adjustments.
SOCs Need More Than Tools — They Need Training and Realistic Testing
Technology plays an important role in defense, but it’s not a silver bullet. Too many organizations focus solely on EDR or SIEM tools without ensuring their teams are trained to detect early ransomware behavior.
GandCrab affiliates frequently used phishing emails carrying weaponized attachments disguised as Microsoft Office documents or financial statements. These emails were effective because users weren't trained to spot them. Addressing this means investing in regular simulations that mirror real attack scenarios, including initial infection, privilege escalation, and internal reconnaissance, all common in GandCrab-related incidents.
CISOs should also prioritize upskilling their security teams with exercises that focus on early warning signs. In the case of GandCrab, those included unexpected outbound connections, newly created scheduled tasks, and unauthorized registry modifications — all signals that should trigger immediate investigation.
Perhaps most importantly, GandCrab attackers actively targeted backups before encrypting data. The payload itself deleted Volume Shadow Copies (from v4 onward by running wmic shadowcopy delete), and affiliates with hands-on access went after backup files and servers as well, leaving victims unable to recover without paying.
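The warning signs listed above (shadow-copy deletion, new scheduled tasks, registry persistence, PowerShell loaders) and the ATT&CK mapping recommended earlier for SOC collaboration fit naturally into a small rule set over process-creation events. The following is an added example, not code from the original article or from any vendor: each rule is a regular expression over the command line tagged with the MITRE ATT&CK technique it maps to, and a host is escalated when two or more distinct techniques fire within a short window. The key=value log format, the sample events and the hosts and users in them are constructed for illustration; in practice parse_event would be replaced by whatever your 4688 or Sysmon event export looks like.

```python
"""Precursor detection over Windows process-creation events (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # MITRE ATT&CK technique ID
    severity: str
    pattern: re.Pattern


RULES = [
    # T1490 Inhibit System Recovery (GandCrab v4+ ran "wmic shadowcopy delete")
    Rule("shadow_copy_deletion", "T1490", "critical",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("backup_catalog_deletion", "T1490", "critical",
         re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    Rule("recovery_disabled", "T1490", "critical",
         re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    # T1053.005 Scheduled Task
    Rule("scheduled_task_created", "T1053.005", "medium",
         re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    # T1547.001 Registry Run Keys (matches both Run and RunOnce)
    Rule("run_key_persistence", "T1547.001", "medium",
         re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run", re.I)),
    # T1059.001 PowerShell with an encoded command of non-trivial length
    Rule("encoded_powershell", "T1059.001", "high",
         re.compile(r"powershell(\.exe)?\s+.*-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]

# Constructed sample events (hosts, users and the base64 blob are placeholders).
SAMPLE_EVENTS = [
    'ts=2019-03-04T10:15:22 host=WS01 user=CORP\\jdoe parent=WINWORD.EXE image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"',
    'ts=2019-03-04T10:16:05 host=WS01 user=CORP\\jdoe parent=powershell.exe image=reg.exe cmdline="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v updater /t REG_SZ /d C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe /f"',
    'ts=2019-03-04T10:16:40 host=WS01 user=CORP\\jdoe parent=upd.exe image=cmd.exe cmdline="cmd.exe /c wmic shadowcopy delete"',
    'ts=2019-03-04T11:02:11 host=FS02 user=CORP\\backupsvc parent=services.exe image=schtasks.exe cmdline="schtasks /create /tn NightlyBackup /tr C:\\Scripts\\backup.ps1 /sc daily /st 02:00"',
    'ts=2019-03-04T11:05:00 host=WS07 user=CORP\\asmith parent=explorer.exe image=notepad.exe cmdline="notepad.exe C:\\Users\\asmith\\notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect(lines):
    """Run every rule over each event's command line; return alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                alerts.append({
                    "ts": datetime.fromisoformat(ev["ts"]),
                    "host": ev.get("host", "?"),
                    "user": ev.get("user", "?"),
                    "rule": rule.name,
                    "technique": rule.technique,
                    "severity": rule.severity,
                    "cmdline": cmd,
                })
    return alerts


def correlate(alerts, window=timedelta(minutes=15)):
    """Return {host: sorted techniques} for hosts where two or more distinct
    techniques fire inside `window`; a single hit is left as a plain alert."""
    by_host = {}
    for alert in alerts:
        by_host.setdefault(alert["host"], []).append(alert)
    escalated = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            techniques = {first["technique"]}
            for later in items[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                techniques.add(later["technique"])
            if len(techniques) >= 2:
                escalated[host] = sorted(techniques)
                break
    return escalated


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["severity"]:8} {a["technique"]:10} {a["rule"]}: {a["cmdline"]}')
    for host, techniques in correlate(found).items():
        print(f"ESCALATE {host}: {len(techniques)} distinct techniques within 15 min: {', '.join(techniques)}")
```

Run against the sample, the three WS01 events (encoded PowerShell from an Office parent, RunOnce persistence, shadow-copy deletion) escalate the host, while the lone schtasks hit on FS02 stays a medium alert for an analyst to triage, which is the kind of prioritization that lets a SOC act before encryption starts rather than after.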
Reliable backup strategies are non-negotiable. Organizations must implement air-gapped and immutable backups secured with version control and anomaly detection — features available in StoneFly’s enterprise storage solutions. These capabilities ensure that even if production systems are compromised, critical data remains protected and recoverable.
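One concrete form of the anomaly detection mentioned above is to inspect a backup change set before it is allowed to expire older copies. The following is an added example, not the article's code and not any storage vendor's product logic: it compares an incoming snapshot with the previous one, flags the change set when most changed files have near-maximal byte entropy (what ciphertext looks like) and originals have reappeared with an appended extension (the pattern GandCrab produced with .GDCB, .CRAB and .KRAB in its earlier versions), and quarantines a flagged snapshot instead of admitting it to the retention chain. Snapshots are modelled as in-memory dicts of path to bytes, and the sample data, thresholds and snapshot names are constructed for illustration.

```python
"""Backup-side ransomware check before a snapshot expires older copies (added example)."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and what encrypted files approach."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_changeset(previous, current, entropy_threshold=7.2,
                     ratio_threshold=0.5, min_changes=5):
    """Compare two snapshots and return a verdict with the supporting counts.

    The change set is held when at least `min_changes` files changed and at
    least `ratio_threshold` of them are high-entropy.  The number of originals
    that vanished and reappeared with an extra extension is reported as
    corroborating evidence (thresholds are illustrative, tune per data set).
    """
    changed = high_entropy = 0
    for path, data in current.items():
        if previous.get(path) == data:
            continue                        # unchanged file
        changed += 1
        if shannon_entropy(data) >= entropy_threshold:
            high_entropy += 1
    renamed = sum(
        1 for old in previous
        if old not in current and any(new.startswith(old + ".") for new in current)
    )
    ratio = high_entropy / changed if changed else 0.0
    verdict = "hold" if changed >= min_changes and ratio >= ratio_threshold else "ok"
    return {"verdict": verdict, "changed": changed, "high_entropy": high_entropy,
            "renamed": renamed, "ratio": round(ratio, 3)}


def admit_snapshot(chain, snapshot_id, verdict, keep=3):
    """Retention step: admit an 'ok' snapshot and expire copies beyond `keep`;
    quarantine a 'hold' snapshot so the existing chain is left untouched.
    Returns (chain, quarantine)."""
    if verdict == "hold":
        return list(chain), [snapshot_id]
    chain = list(chain) + [snapshot_id]
    return chain[-keep:], []


# Constructed sample snapshots: eight low-entropy documents.
PREVIOUS = {f"docs/report{i}.docx": f"Quarterly report {i}, figures attached. ".encode() * 50
            for i in range(8)}
# A normal day: one document edited.
EDITED = dict(PREVIOUS)
EDITED["docs/report3.docx"] = PREVIOUS["docs/report3.docx"] + b"Updated totals."
# After encryption: originals gone, random-looking .CRAB files plus a note.
_rng = random.Random(1)
ENCRYPTED = {f"{p}.CRAB": bytes(_rng.getrandbits(8) for _ in range(2048)) for p in PREVIOUS}
ENCRYPTED["docs/CRAB-DECRYPT.txt"] = b"Your files have been encrypted. See instructions.\n"

if __name__ == "__main__":
    for label, snapshot in (("normal edit", EDITED), ("post-encryption", ENCRYPTED)):
        result = assess_changeset(PREVIOUS, snapshot)
        chain, quarantine = admit_snapshot(["s1", "s2", "s3"], "s4", result["verdict"])
        print(f"{label}: {result} -> chain={chain} quarantine={quarantine}")
```

The point of the split between assess_changeset and admit_snapshot is that the decision to expire a good copy is never taken by the same code path that ingests new data: a snapshot that looks encrypted is kept for investigation, and the last known-good copies remain available for the recovery described earlier in this article.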
Conclusion
The technical sophistication and business model introduced by the GandCrab ransomware campaign exposed several common vulnerabilities in enterprise security strategies. As attackers continue to evolve, with a focus on automation, scale, and disruption, security teams must shift their mindset — ransomware defense isn’t a one-time event; it’s an ongoing strategy.
By adopting a layered approach — from immutable backups and proactive threat detection to cross-industry collaboration and workforce training — organizations can significantly reduce their exposure. StoneFly’s enterprise data protection and storage platforms provide the tools needed to build this kind of resilience.
Learning from past attacks like GandCrab helps close gaps before they’re exploited again. With the right preparation, ransomware doesn’t have to be a business-ending event — it becomes a manageable risk instead.