Last seven days
- First activity
- Jul 14, 2026
- Last activity
- Jul 14, 2026
- Feed role
- C2
- Host form
- 0 IP / 1 hostnames
GandCrab is a ransomware family and ransomware-as-a-service (RaaS) operation that launched in January 2018 and was active until its operators announced retirement in May 2019.
Profile source: Mallory opens in a new tabGandCrab
GandCrab is a ransomware family and ransomware-as-a-service (RaaS) operation that launched in January 2018 and was active until its operators announced retirement in May 2019. The operation was primarily spread through spam emails, and the content also links GandCrab distribution to campaigns leveraging hijacked or abused GoDaddy-hosted domains in early 2019. GandCrab was also distributed by other criminal actors such as Storm-0324, and other malware families such as Ursnif were observed deploying GandCrab as a follow-on payload.
The malware is associated with a broad affiliate ecosystem rather than a single intrusion set. The content identifies sprite77 as a known GandCrab affiliate and notes that some affiliates later moved to REvil/Sodinokibi. Multiple law-enforcement and reporting sources in the content describe REvil as a successor to GandCrab, with source-code and behavioral similarities suggesting continuity between the two operations. German authorities identified Daniil Maksimovich Shchukin, also known as UNKN/Unknown, as a leader of GandCrab and later REvil, and also named Anatoly Sergeevitsch Kravchuk as a suspected developer involved in the malware and extortion platform. Europol-supported investigations since 2018 targeted GandCrab and later affiliates tied to both GandCrab and REvil.
The content characterizes GandCrab as highly prolific and financially successful. Its operators claimed to have collected more than $2 billion in ransom payments, and one source cites more than one million victims worldwide. The FBI estimate cited in the content says GandCrab caused more than $300 million in damages. Law-enforcement actions led to the release of multiple decryptors via the No More Ransom project, including tools for GandCrab versions V1, V4, and V5 through V5.2; these reportedly enabled tens of thousands of decryptions and prevented substantial ransom losses.
Technical details in the content are limited compared with REvil, but GandCrab is explicitly described as ransomware and as part of the RaaS family. One cited study analyzed GandCrab network traffic alongside Ryuk to generate packet signatures for early detection. Another source notes that GandCrab, like Sodinokibi, used reflective DLL loaders to load dynamic libraries directly into process memory without standard Windows API usage. No specific ransom-note filenames, file extensions, mutexes, registry keys, or hashes for GandCrab itself are provided in the content.
Samples
Reported operators
Due to source code and behavior similarities between REvil and GandCrab, it was suggested there might be a connection tying the developers of the two ransomware families together.
Storm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... GandCrab ransomware
“…the operators of Gandcrab, GOLD GARDEN, retired and sold their operation to an affiliate group we now call GOLD SOUTHFIELD.”
Exploited software
MITRE ATT&CK
Reporting
Related Articles: ... German authorities identify REvil and GandCrab ransomware bosses ...
Apparu en janvier 2018, GandCrab avait eu une carrière courte mais prolifique. [...] En juin 2019, l’administrateur de ce rançongiciel [...] s'était vanté d’avoir réalisé un chiffre d’affaire criminel de deux milliards de dollars.
Shchukin acted as the head of one of the largest ransomware groups globally, known as GandCrab or, later, REvil. GandCrab operated a ransomware as a service (RaaS) model, primarily through the use of spam emails.
Shchukin allegedly ran GandCrab from its January 2018 launch until the gang voluntarily folded in May 2019, announcing it had collected over $2 billion in ransoms.
From at least the beginning of 2019 until at least July 2021, he and others acted as the leader of one of the world’s largest ransomware groups, known as GandCrab/REvil.
An evolution of the GandCrab ransomware, the e-crime crew mysteriously went offline in mid-July 2021, only to resurface two months later.
An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face.
First advertised in early 2018, GandCrab initially spread through spam emails containing malicious attachments. The operation later evolved into REvil, also known as Sodinokibi.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.