The cybercriminal gang behind GandCrab ransomware will be retiring in a month and their operation will be shut down. The gang announced on a popular hacking forum, where the ransomware has previously been advertised, that the ransomware-as-a-service operation will soon be no more and that ‘all the good come to an end.’
According to the post, the ransomware has been earning around $2.5 million a week. The gang claims that around $2 billion has been earned from the ransomware and that the gang has personally pocketed more than $150 million. It was claimed that the money has been laundered through a variety of ‘spheres of white business, both in real life and the internet.’
It is highly likely that the earnings have been inflated somewhat, but there is no denying that GandCrab ransomware has been very lucrative. GandCrab ransomware has arguably been the biggest ransomware threat over the past 18 months.
“We are leaving for a well-deserved retirement,” wrote the crew. “We have proved that by doing evil deeds, retribution does not come.”
The ransomware was first observed in use in January 2018 and has undergone various revisions since then. Free decryptors have been released for certain versions, although new versions of the ransomware were soon released. The current version in use is v5.2.
GandCrab ransomware was offered on hacking forums as ransomware-as-a-service. Individuals could pay to get access to the ransomware to use in their own campaigns and were allowed to keep a percentage of any ransom payments that they generated.
There was no shortage of affiliates willing to use the ransomware. Large-scale spam campaigns distributed the ransomware, more targeted email attacks were conducted on large companies, and the ransomware was incorporated into exploit kits and used in attacks on MySQL databases.
The crew has been emailing its affiliates telling them to wind down their operations, and attacks have been slowly dwindling over the past month. The gang has now announced the end of the ransomware, has stopped promoting the ransomware, and has told affiliates to stop their operations within 20 days.
Several other ransomware threat actors have released the decryption keys when their ransomware variants have been retired, although it looks like that will not be the case with GandCrab. The threat actors have posted saying that when the end comes all keys will be deleted. It will then no longer be possible to recover encrypted data.
While it is certainly good news that such a dominant ransomware variant will soon be no more, it is probable that another ransomware operation will simply take its place. There are, after all, a lot of affiliates that will be sad to see their own campaigns come to an end, and they will no doubt not yet be ready to retire and will be eager to find an alternative ransomware variant to use.