Pierluigi Paganini reports that the Russian Ransomware as a Service (RaaS) provider behind the GandCrab ransomware has announced it is shutting down its operations as of June 1st, 2019. It has given its patrons 20 days to cease using the service.

They are also warning victims that time is running out and that they have to pay the ransom as soon as possible to avoid losing their files forever.

GandCrab ransomware (which drops the file 'gandcrab.exe' on infected systems and adds the extension .GDCB to encrypted files) came on the scene in January of 2018 and quickly rocketed to prominence as the premier ransomware and RaaS provider of 2018.

The operators revealed in their posting that they have generated more than $2 billion in ransom payments, earning an average of $2.5 million per week. The operators also said they have earned a net of $150 million, which they have now invested in legal activities.

According to Bleeping Computer, however, "While the operators behind GandCrab most likely made many millions of dollars, the claims of $2 billion in ransom payments are very likely to be untrue."

In the year and a half since its first discovery, the GandCrab team has been very tuned in to the research community's efforts around their malware, regularly updating it and often including references to reports about their ransomware and how the team has adapted to those reports in their underground ads. Delivered primarily via phishing campaigns (though they also use exploit kits), the GandCrab team relies heavily on Microsoft Office macros, VBScript, and PowerShell to avoid detection, but will often incorporate new means of exploitation and avoidance as proof-of-concept code is released.

Some general details on this malware family and service model: