Authorities Allege He Also Distributed Cryptocurrency Mining Malware
Cybercriminals could rent GandCrab V5 ransomware.
A 31-year-old man who allegedly distributed versions of the GandCrab ransomware has been arrested in Belarus for possession and distribution of malware, according to the country’s Ministry of Internal Affairs.
On July 30, government officials in Belarus announced that the unnamed suspect, who lives in the city of Gomel, was arrested by police in cooperation with the authorities from the U.K. and Romania. GandCrab ransomware was pulled from distribution by its creators in 2019 (see: Did GandCrab Gang Fake Its Ransomware Retirement?).
Officials in Belarus note that the suspect also appears to have also been distributing cryptominers and programming malicious codes for illegal forums. The suspect apparently obtained a strain of the Gancrab ransomware by joining a darknet forum and then learned how to operate as a GandCrab affiliate, according to the Ministry of Internal Affairs. The creator of the GandCrab malware offered it to others using a ransomware-as-a-service model.
Once the suspect obtained the malware, he sent malicious PDF files through spam emails to victims to infect their system, authorities allege. The suspect charged a fee of about $1,200 in cryptocurrency to decrypt each of the infected systems, the ministry says. The suspect leased servers to conduct his operation and used the ransomware profits to pay for the facilities, it alleges.
The hacker allegedly targeted victims in more than 100 countries, including the U.S., U.K. India, Germany, France, Italy and Russia, says Vladimir Zaitsev, the deputy head of the high-tech crimes department of the Ministry of Internal Affairs.
GandCrab, which was discovered in January 2018, opened up a new avenue for criminals interested in launching ransomware attacks. The ransomware-as-a-service offering made it easier for those who lack the skills or resources of more experienced hackers to obtain and use malware (see: Ransomware School: The Rise of GandCrab Disciples).
GandCrab had been one of the most notorious RaaS offerings since it was first spotted targeting South Korean companies. Security experts say the ransomware’s affiliates could sign up to use GandCrab under terms and conditions that included the GandCrab gang getting a 40% cut of all ransoms paid by victims, according to previous reports.
GandCrab also served as a launching pad for other ransomware attacks. The ransomware collectives “jsworm” and affiliate “PenLat” later launched the JSworm and Nemty ransomware strains, the New York-based cyber intelligence firm Advanced Intelligence told Information Security Media Group.
The hacking collective known as “truniger” – aka “TeamSnatch” – appeared to learn the RaaS ropes with GandCrab before moving on to take down bigger prey, according to security researchers.
The operators behind GandCrab made an unexpected public announcement in May 2019, saying they would “retire” and claiming that their affiliates had earned more than $2 billion in illegal gains over that two-year span. Once GandCrab left the scene, Sodinokibi became the dominant RaaS player (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).