What is GandCrab ransomware

What is ransomware?

Ransomware is a dangerous form of malware that specifically targets individuals, organizations, and businesses. Its malicious intent is to encrypt files or lock computer systems, essentially holding them hostage until a ransom is paid to the attacker. This devious strategy aims to extort money by depriving victims of access to their own data or systems.
When a computer or network falls victim to ransomware, the malware takes control by encrypting the files, rendering them inaccessible to the user. Subsequently, the attacker demands a ransom, typically in the form of cryptocurrency like Bitcoin, as a condition for providing the decryption key or unlocking the compromised system.
Ransomware often spreads through various channels, including deceptive phishing emails, malicious attachments, or by taking advantage of vulnerabilities present in software or operating systems. Once the ransomware successfully infiltrates a system, it initiates the process of encrypting files, effectively blocking user access to their own data.
Paying the ransom does not guarantee that the attacker will provide the decryption key or unlock the system, and it may even encourage further attacks. Additionally, complying with the demands of ransomware attacks can support criminal activities and contribute to the perpetuation of such threats.

What is GandCrab Ransomware?

GandCrab was a highly prevalent and notorious ransomware strain that emerged in early 2018. It was one of the most widespread and successful ransomware families during its active period. The GandCrab ransomware operated on a Ransomware-as-a-Service (RaaS) model, where the creators developed the malware and allowed other cybercriminals to use it in exchange for a share of the profits.
GandCrab infected victims’ computers by exploiting various vulnerabilities, social engineering techniques, or through malicious email attachments. Once it infected a system, it encrypted the victim’s files, making them inaccessible, and displayed a ransom note demanding payment in cryptocurrency, usually Bitcoin, in exchange for the decryption key.
The ransom note typically provided instructions on how to make the payment and often included threats of permanent data loss or increased ransom amounts if the victim did not comply within a specified time frame. GandCrab was known for using aggressive tactics, including customer support services to assist victims in making ransom payments and providing decryption keys upon payment.
However, due to efforts from cybersecurity researchers, law enforcement agencies, and collaboration between various cybersecurity organizations, significant progress was made in fighting against GandCrab. In June 2019, the creators of GandCrab announced that they were retiring the ransomware, claiming to have earned enough money. They also released decryption tools to assist victims in recovering their files without paying the ransom.

History of GandCrab Ransomware

The GandCrab ransomware made its debut in January 2018, capturing attention with its advanced capabilities and extensive reach. This particular ransomware strain swiftly gained notoriety as one of the most prominent and effective families of ransomware during its time. The following is a timeline of the notable events and developments in the history of GandCrab:

  1. January 2018: GandCrab Version 1.0 is discovered – The initial version of GandCrab ransomware is detected, targeting victims through exploit kits, spam emails, and malicious websites. It employed strong encryption algorithms to lock victims’ files.
  2. February 2018: GandCrab Version 2.0 released – The creators of GandCrab introduce an updated version with improved encryption techniques and new distribution methods.
  3. March 2018: GandCrab Version 3.0 released – The ransomware evolves again, adding new features such as the ability to avoid detection by certain security tools.
  4. May 2018: GandCrab Version 4.0 released – This version of the ransomware introduces additional evasion techniques, including the use of steganography to hide malicious code within image files.
  5. June 2018: GandCrab Version 4.1 released – The ransomware developers continue to refine their creation, making it more resilient to decryption attempts and introducing new distribution methods.
  6. August 2018: GandCrab Version 5.0 released – This version implements an offline encryption feature, enabling the ransomware to encrypt files without requiring a command-and-control server connection.
  7. October 2018: Law enforcement and cybersecurity organizations collaborate – A joint operation between Europol, Romanian Police, Bitdefender, and other cybersecurity companies results in the seizure of command-and-control servers used by GandCrab, disrupting its operations temporarily.
  8. January 2019: GandCrab Version 5.1 released – The ransomware authors release an updated version with improved encryption algorithms and distribution techniques.
  9. June 2019: GandCrab operators announce retirement – In a surprising turn of events, the creators of GandCrab declare that they are shutting down the operation, claiming to have earned substantial profits. They also release decryption keys and a decryptor tool, allowing victims to recover their files without paying the ransom.

What to do if you think you have GandCrab Ransomware?

If you suspect that your computer has been infected with GandCrab ransomware or any other type of ransomware, it’s crucial to take immediate action to minimize damage and potential data loss. Here are the steps you should consider:

  1. Isolate the infected computer: Disconnect the affected computer from the network, both wired and wireless, to prevent the ransomware from spreading to other devices or encrypting shared files.
  2. Preserve evidence: Take screenshots or photos of any ransom notes or error messages displayed on your screen. These can be useful for law enforcement or cybersecurity professionals investigating the incident.
  3. Report the incident: Contact your local law enforcement agency or a dedicated cybercrime reporting center in your country. Provide them with the details of the ransomware attack and any evidence you have collected.
  4. Notify your IT department or a professional: If you’re using a work computer, inform your organization’s IT department immediately. They can provide guidance and support to mitigate the impact of the ransomware and ensure other systems are not affected.
  5. Disconnect external storage devices: Unplug any external hard drives, USB drives, or other storage devices connected to the infected computer. This helps prevent the ransomware from encrypting the files on those devices as well.
  6. Do not pay the ransom: It’s generally not recommended to pay the ransom demanded by the attackers. There is no guarantee that they will provide the decryption key, and paying the ransom only encourages further criminal activity. Additionally, by not paying, you contribute to the overall effort of discouraging ransomware operations.
  7. Remove the ransomware: To tackle a ransomware infection, it is crucial to utilize an antivirus or antimalware software that is regularly updated. This ensures that your security software has the latest ransomware definitions and capabilities to detect and eliminate the malicious threat. Initiate a full system scan using your security software, allowing it to identify and remove the ransomware from your computer. It’s important to choose a reputable security solution that specializes in ransomware detection and remediation to increase your chances of successful removal.
  8. Restore your files: If you have backups of your important files, restore them after ensuring that the ransomware has been completely removed from your system. Ensure that the backups were created prior to the infection to avoid restoring encrypted files.
  9. Strengthen security measures: Update your operating system, applications, and security software to the latest versions. Implement robust security practices such as regularly backing up your data, using strong passwords, and exercising caution when opening email attachments or visiting unfamiliar websites.

If you have been affected by ransomware and are unsure about how to proceed with the removal process or want to enhance your system’s security to prevent future infections, it is highly recommended to seek the assistance of a cybersecurity professional or an IT expert. These experts possess the knowledge and expertise to effectively handle ransomware incidents and provide guidance on preventive measures. They can analyze your system, ensure proper removal of the ransomware, and provide recommendations on security best practices. Consulting with professionals can significantly increase the chances of successful remediation and help you strengthen your overall cybersecurity posture.

How to protect yourself and avoid infection by GandCrab Ransomware

Protecting yourself and preventing infection by ransomware, including GandCrab, involves a combination of proactive measures and cybersecurity best practices. Here are some essential steps to help safeguard your computer and data:

  1. Keep your operating system and software up to date: Regularly install updates and patches for your operating system, web browsers, and other software. These updates often include security fixes that address vulnerabilities that ransomware can exploit.
  2. Use reputable security software: Install and maintain robust antivirus or antimalware software on your computer. Keep it updated with the latest virus definitions to ensure effective protection against known threats, including ransomware.
  3. Enable automatic backups: Regularly back up your important files and ensure that the backups are stored offline or in a separate location. This helps you restore your files in case of a ransomware infection without needing to pay the ransom.
  4. Exercise caution with email attachments and links: Be wary of email attachments, especially from unknown or suspicious sources. Avoid clicking on links in emails or messages that appear suspicious or unexpected. Verify the authenticity of email senders before opening attachments or clicking on links.
  5. Practice safe browsing habits: Be cautious while visiting websites, especially those of questionable reputation or that offer pirated content. Malicious advertisements and compromised websites can distribute ransomware. Use browser extensions or security software that blocks known malicious websites.
  6. Implement strong passwords and two-factor authentication (2FA): Use unique, complex passwords for your accounts and avoid using the same password across multiple platforms. Enable 2FA whenever possible, as it adds an extra layer of security to your accounts.
  7. Be cautious with remote desktop connections: If you use the Remote Desktop Protocol (RDP) to access your computer remotely, ensure that you have a strong password and consider enabling additional security measures like network-level authentication (NLA). Restrict access to RDP by allowing only trusted IP addresses or by requiring a virtual private network (VPN).
  8. Educate yourself and your employees: Stay informed about the latest ransomware threats and educate yourself and your staff on safe computing practices. Train them to recognize phishing emails, suspicious links, and potentially harmful file attachments.
  9. Regularly review and update security policies: Evaluate and update your organization’s security policies to incorporate the latest best practices. Ensure that employees are aware of the policies and follow them diligently.
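
One way to audit and apply the RDP hardening described in step 7 on a Windows host, as an added example that is not part of the original article. It assumes an elevated PowerShell session and that the placeholder address list ($TrustedAddresses) is replaced with your own management hosts or VPN range.

```powershell
# Added example: audit and harden Remote Desktop on a Windows host.
# Run from an elevated PowerShell prompt. $TrustedAddresses is a constructed
# placeholder; replace it with the management hosts or VPN range you use.
$TrustedAddresses = @('10.0.0.0/24', '192.0.2.10')   # constructed sample values

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Report the current state before changing anything.
$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
Write-Host "RDP enabled:  $rdpEnabled"
Write-Host "NLA required: $nlaRequired"

if (-not $rdpEnabled) {
    Write-Host 'RDP is disabled on this host; nothing further to harden.'
    return
}

# 2. Require Network Level Authentication so a client must authenticate
#    before a full session (and its attack surface) is created.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# 3. Restrict the built-in "Remote Desktop" inbound firewall rules to trusted
#    sources only; connections from any other address are dropped before
#    they reach the service.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -RemoteAddress $TrustedAddresses

# 4. Verify the result: every inbound RDP rule should now list only the
#    trusted addresses, and NLA should read as required.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress
Write-Host "NLA required now: $((Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1)"
```

If the host is managed by Group Policy, these settings may be overwritten at the next policy refresh, so apply the same restrictions in the relevant GPO rather than only locally.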

By following these preventive measures and staying vigilant, you can significantly reduce the risk of falling victim to GandCrab ransomware or any other ransomware strain. Remember, maintaining a multi-layered approach to security is crucial in protecting your computer systems and data.
Ransomware, including the notorious GandCrab ransomware, poses a significant threat to individuals and organizations alike. It encrypts victims’ files and demands payment in exchange for a decryption key, potentially causing substantial damage and financial losses. However, by staying informed and implementing proactive security measures, you can protect yourself and minimize the risk of infection.
Key steps to protect yourself from GandCrab and other ransomware include keeping your operating system and software up to date, using reputable security software, regularly backing up your files, exercising caution with email attachments and links, practicing safe browsing habits, implementing strong passwords and two-factor authentication, being cautious with remote desktop connections, educating yourself and your employees about security best practices, and regularly reviewing and updating security policies.
Remember, ransomware threats evolve over time, and it’s crucial to stay updated on the latest trends and security recommendations. By maintaining a proactive and vigilant approach, you can significantly reduce the likelihood of falling victim to ransomware attacks and protect your valuable data and systems.
