
GandCrab Ransomware is Shutting Down

Accepted submission by RandomFactor at 2019-06-02 18:36:31 from the cashing out dept.
Security

Pierluigi Paganini [linkedin.com] reports that the Russian Ransomware as a Service (RaaS) provider behind the GandCrab ransomware has announced it is shutting down its operations [securityaffairs.co] as of June 1st, 2019. It has given its patrons 20 days to cease using the service.

They are also warning victims that time is running out and that they must pay the ransom as soon as possible to avoid losing their files forever.

GandCrab Ransomware (which drops the file 'gandcrab.exe' on infected systems where it adds the extension .GDCB to encrypted files) came on the scene in January of 2018 and quickly rocketed to prominence as the premier ransomware and RaaS provider of 2018.

The operators revealed in their posting that they have generated more than $2 billion in ransom payments, earning an average of $2.5 million per week. They also claimed to have netted $150 million, which they say they have now invested in legal activities.

According to Bleeping Computer however “While the operators behind GandCrab most likely made many millions of dollars, the claims of $2 billion in ransom payments are very likely to be untrue.”

In the year and a half since its first discovery, the GandCrab team has been very tuned in to the research community's efforts around their malware [recordedfuture.com], regularly updating it and often including references to reports about their ransomware, and how the team has adapted to those reports, in their underground ads. Delivered primarily via phishing campaigns (though they also use exploit kits), the GandCrab team relies heavily on Microsoft Office macros, VBScript, and PowerShell to avoid detection, but will often incorporate new means of exploitation and avoidance as proof-of-concept code is released.

Some general details on this malware family and service model, as given in the translation of the underground ad:

“Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
‘Large’ partners are able to increase their percentage of proceeds to 70 per cent
As a Ransomware-as-a-Service offering, technical support and updates are offered to ‘partners’
Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.”

The operators behind the RaaS offer their platform while keeping 40% of each ransom; that share is reduced to 30% for large partners.

Once infected, a victim who does not pay on time is required to pay double the ransom.

Other specific features of the GandCrab RaaS are that it accepts payment in the cryptocurrency Dash and that the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offer technical support and updates to its members, and they have published a video tutorial showing how the ransomware is able to evade antivirus detection.

It is possible that GandCrab will take a page from prior ransomware authors and release their encryption keys after shutting down, but this remains to be seen.
