The operators behind the GandCrab ransomware have announced that they are closing up shop after almost a year and a half in which they claimed to have earned $2bn from ransom payments.
GandCrab rose in popularity among cybercriminals after the operators began to market their services on underground criminal sites in January of 2018. Since then, its creators have become some of the most dominant actors in the ransomware space.
News that GandCrab is shutting down came from security researchers Damian and David Montenegro who have closely followed the exploits of the ransomware on the underground hacking and malware forum Exploit.in. It was there that they discovered a post from the GandCrab operators in which they said they are shutting down their operation.
In the post, the operators said that the ransomware has earned over $2bn with average weekly payments of $2.5m while they personally earned over 150m. The GandCrab operators went on to explain their future plans, saying:
“We are leaving for a well-deserved retirement. We have proven that by doing evil deeds, retribution does not come. We proved in a year you can earn money for a lifetime. We have proved that it is possible to become number one not in our own words, but in recognition of other people.”
In the announcement, the operators also said that they have stopped promoting the ransomware while requesting that affiliates stop distributing it within 20 days. Additionally, their forum post is scheduled to be deleted at the end of the month.
The operators even encouraged victims to pay for decryption now as their keys will be deleted at the end of the month. Hopefully though, they release the keys once they shut down as other large ransomware operations have done in the past.
GandCrab’s operators have always operated a bit differently than their counterparts though, using taunts, jokes and references to organizations and researchers in their code. Another such example is the fact that the operators decided to use domain names for their Command & Control servers which were based on organizations and websites known for ransomware research.
While it is good news that GandCrab is finally shutting down, cybercriminals are likely working right now to fill the gap it will leave in the ransomware space.