GandCrab Overview: The Infamous Virus You Have Heard About

You have probably heard of ransomware, and GandCrab is one of its best-known examples. It is not the most active malware at the moment, but it remains an infamous one. It made a significant impact on computer users worldwide, stealing and blocking their data. Notably, many of them could have avoided it by installing an effective antivirus or simply by being cautious.

Admittedly, the first option comes with limitations and false positives. If these terms sound familiar and you are already asking “is PC Matic any good,” you are probably in safe harbour. However, if you don’t want to spend money on antivirus or put up with alarm notifications, it is better to know the GandCrab specifics and be ready to confront it yourself.

What’s Ransomware?

In simple terms, ransomware is a type of malicious software designed to encrypt a user’s data. The victim will be completely shut out from their data unless they pay a ransom demanded by the cybercriminals.

The GandCrab ransomware

GandCrab is a ransomware family that was first identified in early January 2018. The name “GandCrab” is believed to derive from one of the authors, known by his online alias “Crab.”

As for its country of origin, researchers believe it was developed by a group from the former Soviet Union. This assumption arises from the fact that it never attacks devices in Russia or other former Soviet Union countries. The arrest of a Belarus resident accused of GandCrab distribution seems to support this suggestion. Unfortunately, there is still little information regarding the identity of this hacker group.

How the GandCrab Ransomware Spreads

GandCrab once announced that it was retiring after having made over 2 billion USD in profits. However, there are grounds to doubt this claim. According to Virus Bulletin, several versions of the GandCrab malware were launched to secure its share of the ransomware market. That seems plausible, as the crew accounted for up to 40% of the ransomware market.

That said, users need to understand how GandCrab infects devices. Compared with other ransomware known today, it has a high chance of hitting you.

The developers of the ransomware have used an affiliate marketing model for their malware. To be more precise, they used Ransomware-as-a-Service (RaaS). With this method, the GandCrab crew has focused on perfecting their code while third-party cybercriminals do the work of finding potential victims. These affiliates are paid a commission on the profits from each attack.

Methods Employed by Affiliate Cybercriminal Enterprises

Interestingly, GandCrab brought about something of a revolution through its many hacker partners, who spread the virus and took a share of the proceeds. Similar practices that were common at the time of the virus still apply today.

Porn extortion

They embed malware on porn sites. When you click to watch a video, the ransomware finds its way onto your device and encrypts your data. At the same time, they hijack your webcam and record footage to use as blackmail.

Sentimental emails

From time to time, the attackers distribute malicious emails with attractive subject lines. They try to bait sentimental individuals by writing romantic phrases that seem to come from a crush or secret admirer. They time these for special days such as Valentine’s Day or your birthday. What is sinister about these emails is that once you open them or follow a link inside, the GandCrab ransomware silently begins to download onto your device.

Device security flaws

The attackers are also known for exploiting weaknesses in the Windows OS. In 2017, a security patch was released to fix a security issue in a tool that syncs data between management systems, used especially by IT enterprises. Later on, GandCrab was found attacking companies that had not installed the patch.

Alarmist tactics

Naturally, any human being is quick to respond to a message that screams “emergency.” Cybercriminals write an email with an attachment that mentions a possible emergency at your workplace or business. Anyone the attachment is forwarded to will also be attacked by the ransomware, if they ever open it.

Cases of GandCrab attacks

According to records, GandCrab once attacked a victim of the war in Syria in 2018. It locked pictures of his children, who had just been killed. The grieving victim lashed out at the authors of GandCrab for being heartless. After this incident, GandCrab was prompted to make a few changes: it released a decryption key intended for GandCrab ransomware victims living in Syria.

The following year, the GandCrab affiliates started using RDP (Remote Desktop Protocol) attacks. In this type of attack, the cybercriminals scan a target network for systems set up for remote access (configured to allow users to log into the network from a different location). During this year, they carried out a number of brute force attacks against several users.
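The RDP brute force pattern described above shows up in the Windows Security log as a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (event 4624). The script below is an added example, not code from the original article: it runs a sliding-window check over a constructed, simplified log export (timestamp, event id, logon type, account, source IP per line; the real Windows event layout is richer) and flags sources whose failure burst crossed a threshold, noting whether a successful logon followed. The field layout, the threshold and the sample lines are all assumptions made for the demonstration.

```python
"""Flag RDP brute-force attempts from simplified Windows Security log lines.

Added example (not from the original article). The log lines below are
constructed for the demonstration; each line mimics the key fields of
event 4625 (failed logon) or 4624 (successful logon) with logon type 10
(RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp | event id | logon type | account | source IP
SAMPLE_LOG = """\
2019-03-04T02:10:01 4625 10 administrator 203.0.113.7
2019-03-04T02:10:03 4625 10 admin 203.0.113.7
2019-03-04T02:10:04 4625 10 Administrator 203.0.113.7
2019-03-04T02:10:06 4625 10 backup 203.0.113.7
2019-03-04T02:10:07 4625 10 sqladmin 203.0.113.7
2019-03-04T02:10:09 4625 10 support 203.0.113.7
2019-03-04T02:10:12 4624 10 support 203.0.113.7
2019-03-04T09:15:00 4625 10 jdoe 198.51.100.20
2019-03-04T09:15:30 4624 10 jdoe 198.51.100.20
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the constructed five-field format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources with >= threshold RDP logon
    failures inside a sliding window, and whether a success followed."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == RDP_LOGON_TYPE:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it spans at most `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = failures[end]["time"]
                # A success from the same source after the burst suggests the
                # guessing worked and the account needs immediate attention.
                success_after = any(
                    e["event_id"] == SUCCESS_LOGON and e["time"] >= last_fail
                    for e in evs
                )
                findings[src] = {
                    "failures": len(failures),
                    "accounts_tried": sorted({e["account"].lower() for e in failures}),
                    "success_after_burst": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

Run as-is it reports only 203.0.113.7: six failures across several administrative account names in a few seconds, then a success, while 198.51.100.20 (one typo followed by a normal logon) stays quiet. Account names are lower-cased before counting so that `Administrator` and `administrator` are treated as one guess target.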

In some of the attacks, the affiliates are recorded as having taken advantage of a severe flu outbreak that lasted for 21 weeks. They distributed phishing emails that spread the ransomware. The baits worked because the emails appeared to come from the Centers for Disease Control and Prevention (CDC); victims had no reason to suspect the messages were not genuine.

Will GandCrab ever go?

GandCrab called it quits in 2019, only to announce its comeback recently. This is proof that as long as the authors are around, they will keep doing what they know best. Even when they say they are retired, they can strike again. It is actually more convenient for them to operate under the radar, away from the watchful eye of law enforcement, than out in the open.

Also, no one can be sure that the GandCrab authors are not running other ransomware under a different name. In fact, some third-party security researchers claim to have found a new ransomware family (called Sodinokibi) that resembles GandCrab. Although it is too early to point fingers at GandCrab, it would not be surprising if this were true.

Payment notices

Victims may receive a payment notice in the form of an Excel file. When the victim attempts to open it, a dialog box pops up saying the document cannot be previewed and asking the user to click ‘enable editing’ to access the content. If they do, the ransomware runs. This lure has typically targeted Italian users.
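The Excel lure above relies on the recipient trusting a file name and a convincing prompt. A mail gateway or triage script can instead judge an attachment by its bytes: a modern Office file is a zip container, and a macro project lives in a well-known part inside it (`xl/vbaProject.bin` for Excel), while legacy binary Office files start with the OLE2 magic and may carry macros too. The classifier below is an added example, not code from the original article; the sample attachments are constructed in memory (a minimal zip shaped like a workbook, with and without a VBA part, an OLE2 header, and a PNG header), and the file names and risk labels are assumptions made for the demonstration.

```python
"""Classify an email attachment by content to spot macro-capable Office files.

Added example, not from the original article. The sample files below are
constructed in memory and are not real workbooks: a minimal OOXML-shaped zip
with a VBA project part, one without, a legacy OLE2 header, and a PNG header.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (OLE2) container
MACRO_PARTS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}


def classify_attachment(data: bytes) -> str:
    """Return a coarse risk label derived from the bytes, never the file name."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: macros can be embedded; treat as needing review.
        return "legacy-ole"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "corrupt-zip"
        if names & MACRO_PARTS:
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml-no-macro"
        return "zip-other"
    return "other"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demo (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00placeholder-vba\x00")
    return buf.getvalue()


# Constructed sample attachments; names are illustrative only.
SAMPLES = {
    "invoice.xlsx": build_ooxml(with_macro=False),
    "payment_notice.xlsm": build_ooxml(with_macro=True),
    "old_report.xls": OLE_MAGIC + b"\x00" * 64,
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def triage(samples):
    """Map attachment name -> label so a gateway can quarantine or flag."""
    return {name: classify_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name}: {label}")
```

The point of keying on content rather than the extension is that a lure can be renamed freely; the `ooxml-macro` and `legacy-ole` labels are the ones a defender would quarantine or route to sandbox detonation, and `corrupt-zip` is worth flagging as well, since a malformed container is itself unusual for a genuine invoice.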

Ransom Payment

As mentioned, a GandCrab attack is followed by instructions. These instructions, which lay out the payment procedure, reach the victim through a specific website named by the crew. On that website, victims also see a special welcome message and a Mr. Krabs (from SpongeBob SquarePants) animation.

To assure the victim that they will regain access to their locked files after paying the ransom, GandCrab lets them decrypt any file of their choice free of charge. The victim then pays in a specific cryptocurrency. Dash is the crew’s favourite, renowned for being highly secure and privacy-focused.

What happens on failure to pay?

Typically, GandCrab threatens to lock a victim’s files permanently or erase them. Blackmail is also an option: they may threaten to publish your sensitive private information.

Notably, there is a decryption tool provided by Bitdefender experts. It is not as effective as many would like, but it gives hope to those hit by the attack. It will not prevent publication of stolen data, but it can help recover precious files.

Is there another option?

Fortunately, it is possible to regain access to your data without paying the ransom. According to records, a decryptor was developed a few weeks after this ransomware was identified. It could be downloaded and used for free by anyone who had been attacked.

After noticing this, the GandCrab authors were motivated to upgrade the ransomware. They developed a newer version with more advanced encryption, so only the first version could be unlocked by that decryption tool. Decryptors for versions 4 up to 5.2 were developed later, skipping GandCrab versions 2 and 3. You may be out of luck if you are attacked by those remaining versions.


Cybercriminals use various ways to get GandCrab onto your device. At the same time, various measures can be taken to prevent attacks.

In addition to installing an effective antivirus solution, users have to drop bad habits such as opening random emails.

It is essential to verify that an email is genuine before opening any attachment inside it. Also, back up your data.

In the event of an attack, it is wise not to rush to bow to the perpetrators’ demands. You can try the various decryptor tools available online. There is a good chance of success, which would save you a lot of money; this has worked for some victims.

About The Author

Nathan Collier

I am a tech writer and editor at, ensuring that every piece of content is relevant and precise. I do believe that our online security and privacy are a necessity nowadays. That’s why I do software reviews and share my knowledge of cybersecurity. Be aware, any click of yours may be crucial for your safety.
