An affiliate of the GandCrab ransomware has been arrested
The actual developers of the ransomware are still not identified.
Last week’s press release by the Belarusian Ministry of Internal Affairs reported the arrest of a 31-year-old man accused of distributing the GandCrab ransomware.
The arrest took place in Gomel, a small town in southeast Belarus near the border with Russia and Ukraine. The man's name has not been disclosed.
Officials stated that the man had never been prosecuted and has no prior convictions, but that he had applied through a website to become an affiliate of the GandCrab distribution service. According to the authorities, he rented access to a web panel in which he adjusted the settings to obtain a custom GandCrab build, which he then sent to other internet users through e-mail spam carrying malicious attachments.
Victims who opened the malicious files would have their machines compromised and their data encrypted. To recover their files, they would then have to pay a ransom to the person behind that GandCrab build in exchange for a decryption key.
More than 1,000 people have been infected
As a GandCrab affiliate (also referred to as a “distributor”), the arrested man is believed to have infected more than 1,000 computers, according to information from the Belarusian officials. The suspect demanded about 1,200 dollars in Bitcoin from each victim. Officials have not confirmed how many of the victims paid the ransom.
People in more than 100 countries have been affected, most of them in India, the US, Ukraine, the UK, Germany, France, Italy, and Russia, according to Vladimir Zaitsev, Deputy Head of the High Technology Crime Department in the Ministry of Internal Affairs. In Belarus alone, 156 cases have been registered.
The Belarusian officials said that law enforcement in the UK and Romania helped them identify and track down the GandCrab ransomware distributor. Authorities also reported that the suspect was unemployed, had been involved in distributing cryptominers, and had written code for other users on hacking forums.
The RaaS (Ransomware-as-a-Service) operation behind GandCrab, which launched at the beginning of 2018 and had hundreds of affiliates, was shut down in June 2019. The actors behind the ransomware announced in a post on a hacking website that they had earned nearly $2 billion from the scheme.
However, researchers considered these figures speculative: the GandCrab ransomware was not particularly well coded, and security experts were able to release several free decryption tools for victims while the RaaS operation was still active. By June 2019, the service had lost many of its affiliates as distributors moved to other RaaS offerings.
Unfortunately, the authors of GandCrab have still not been identified. Today, many security researchers suspect that the GandCrab developers have shifted to building a new ransomware named Sodinokibi (REvil).