Gandcrab creators stop spreading ransomware

The group behind the infamous Gandcrab ransomware is shutting down. The makers say they stop because they have earned enough money from the hostage malware without being tackled by investigative authorities.

The anonymous team behind Gandcrab left a farewell message on various dark web forums where it distributed its ransomware. Screenshots can be seen at Bleeping Computer. Gandcrab has been one of the most notorious and common forms of ransomware in recent years. The makers say they are now stopping for ‘a well-deserved retirement’. “We have proven that we can do evil things without seeing retaliation,” they write in their forum post. Indeed, investigation services often have trouble catching ransomware makers, the chance of being caught is low for large spreaders.

The makers stop selling their ransomware, and ask their buyers to stop spreading the ransomware. Most likely it also means that the makers take their command-and-control servers offline, but they don’t write that themselves. They state that the decryption keys are deleted after 20 days and that victims can no longer decrypt their files. Victims of Gandcrab did get their files back after payment in most cases. In the past, other ransomware gangs like the one behind TeslaCrypt have released all decryption keys after shutting down.

Gandcrab was advertised on forums as ‘ransomware-as-a-service’. Buyers could then use the ransomware themselves for their own campaigns. They then only had to configure a few things themselves, such as the text in the ransom note, the ransom amount, and the encryption method. The original creators got a percentage of that. According to the makers, buyers have earned a total of more than two billion dollars, which they themselves were left with 150 million dollars a year. It is difficult to verify whether these amounts are correct.