Skip to content
Malware family

GandCrab

GandCrab is a ransomware family and ransomware-as-a-service (RaaS) operation that launched in January 2018 and was active until its operators announced retirement in May 2019.

Profile source: Mallory opens in a new tab

GandCrab

Family profile

GandCrab is a ransomware family and ransomware-as-a-service (RaaS) operation that launched in January 2018 and was active until its operators announced retirement in May 2019. The operation was primarily spread through spam emails, and the content also links GandCrab distribution to campaigns leveraging hijacked or abused GoDaddy-hosted domains in early 2019. GandCrab was also distributed by other criminal actors such as Storm-0324, and other malware families such as Ursnif were observed deploying GandCrab as a follow-on payload.

The malware is associated with a broad affiliate ecosystem rather than a single intrusion set. The content identifies sprite77 as a known GandCrab affiliate and notes that some affiliates later moved to REvil/Sodinokibi. Multiple law-enforcement and reporting sources in the content describe REvil as a successor to GandCrab, with source-code and behavioral similarities suggesting continuity between the two operations. German authorities identified Daniil Maksimovich Shchukin, also known as UNKN/Unknown, as a leader of GandCrab and later REvil, and also named Anatoly Sergeevitsch Kravchuk as a suspected developer involved in the malware and extortion platform. Europol-supported investigations since 2018 targeted GandCrab and later affiliates tied to both GandCrab and REvil.

The content characterizes GandCrab as highly prolific and financially successful. Its operators claimed to have collected more than $2 billion in ransom payments, and one source cites more than one million victims worldwide. The FBI estimate cited in the content says GandCrab caused more than $300 million in damages. Law-enforcement actions led to the release of multiple decryptors via the No More Ransom project, including tools for GandCrab versions V1, V4, and V5 through V5.2; these reportedly enabled tens of thousands of decryptions and prevented substantial ransom losses.

Technical details in the content are limited compared with REvil, but GandCrab is explicitly described as ransomware and as part of the RaaS family. One cited study analyzed GandCrab network traffic alongside Ryuk to generate packet signatures for early detection. Another source notes that GandCrab, like Sodinokibi, used reflective DLL loaders to load dynamic libraries directly into process memory without standard Windows API usage. No specific ransom-note filenames, file extensions, mutexes, registry keys, or hashes for GandCrab itself are provided in the content.

Observed infrastructure

Last seven days

First activity
Jul 14, 2026
Last activity
Jul 14, 2026
Feed role
C2
Host form
0 IP / 1 hostnames

Samples

Recent associated samples

Reported operators

Threat actors

3 named in public reporting
lalartu

Due to source code and behavior similarities between REvil and GandCrab, it was suggested there might be a connection tying the developers of the two ransomware families together.

Storm-0324

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... GandCrab ransomware

GOLD GARDEN

“…the operators of Gandcrab, GOLD GARDEN, retired and sold their operation to an affiliate group we now call GOLD SOUTHFIELD.”

Exploited software

Vulnerabilities linked to GandCrab

1 CVEs

MITRE ATT&CK

GandCrab in ATT&CK

16 distinct techniques

Reporting

Research mentioning GandCrab

May 21
Bleeping Computer

Police seize “First VPN” service used in ransomware, data theft attacks

Related Articles: ... German authorities identify REvil and GandCrab ransomware bosses ...

Apr 7
Zdnet

Cyberattaques REvil et GandCrab, voici les visages des pirates qu ...

Apparu en janvier 2018, GandCrab avait eu une carrière courte mais prolifique. [...] En juin 2019, l’administrateur de ce rançongiciel [...] s'était vanté d’avoir réalisé un chiffre d’affaire criminel de deux milliards de dollars.

Apr 7
Itpro

German authorities want your help finding the hackers behind GandCrab and REvil | IT Pro

Shchukin acted as the head of one of the largest ransomware groups globally, known as GandCrab or, later, REvil. GandCrab operated a ransomware as a service (RaaS) model, primarily through the use of spam emails.

Apr 7
Boingboing

Germany names REvil ransomware leader Shchukin - Boing Boing

Shchukin allegedly ran GandCrab from its January 2018 launch until the gang voluntarily folded in May 2019, announcing it had collected over $2 billion in ransoms.

Apr 6
Security Affairs

BKA unmasks two REvil Ransomware operators behind 130+ German attacks

From at least the beginning of 2019 until at least July 2021, he and others acted as the leader of one of the world’s largest ransomware groups, known as GandCrab/REvil.

Apr 6
The Hacker News

BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks

An evolution of the GandCrab ransomware, the e-crime crew mysteriously went offline in mid-July 2021, only to resurface two months later.

Apr 6
Data Breaches

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab - DataBreaches.Net

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face.

Apr 6
The Record Media

German police unmask two suspects linked to REvil ransomware gang | The Record from Recorded Future News

First advertised in early 2018, GandCrab initially spread through spam emails containing malicious attachments. The operation later evolved into REvil, also known as Sodinokibi.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.