Authorities Allege He Also Distributed Cryptocurrency Mining Malware
A 31-year-old man who allegedly distributed versions of the GandCrab ransomware has been arrested in Belarus for possession and distribution of malware, according to the country’s Ministry of Internal Affairs.
On July 30, government officials in Belarus announced that the unnamed suspect, who lives in Gomel, was arrested by police in cooperation with authorities in the U.K. and Romania. GandCrab's creators pulled the ransomware from distribution in 2019 (see: Did GandCrab Gang Fake Its Ransomware Retirement?).
Officials in Belarus note that the suspect appears to have been distributing crypto-miners and programming malicious code for illegal forums. According to the Ministry of Internal Affairs, the suspect obtained a strain of the GandCrab ransomware by joining a darknet forum and then learned how to operate as a GandCrab affiliate. The creator of the GandCrab malware offered it to others using a ransomware-as-a-service model.
Once the suspect obtained the malware, he sent malicious PDF files through spam emails to victims to infect their systems, authorities allege. The ministry says the suspect charged about $1,200 in cryptocurrency to decrypt each infected system. It asserts that the suspect leased servers to conduct his operation and used the ransomware profits to pay for them.
The hacker allegedly targeted victims in more than 100 countries, including the U.S., U.K., India, Germany, France, Italy, and Russia, says Vladimir Zaitsev, the deputy head of the high-tech crimes department of the Ministry of Internal Affairs.
GandCrab RaaS
GandCrab, discovered in January 2018, opened up a new avenue for criminals interested in launching ransomware attacks. The ransomware-as-a-service offering made it easier for those who lack the skills or resources of more experienced hackers to obtain and use malware (see: Ransomware School: The Rise of GandCrab Disciples).
GandCrab has been one of the most notorious RaaS offerings since it was first spotted targeting South Korean companies. According to previous reports from security experts, affiliates could sign up to use GandCrab under terms and conditions that gave the GandCrab gang a 40% cut of all ransoms paid by victims.
GandCrab also served as a launching pad for other ransomware attacks. The ransomware collective “jsworm” and the affiliate “PenLat” later launched the JSworm and Nemty ransomware strains, the New York-based cyber intelligence firm Advanced Intelligence told Information Security Media Group.
The hacking collective known as “truniger” – aka “TeamSnatch” – appeared to learn the RaaS ropes with GandCrab before moving on to take down bigger prey, according to security researchers.
The operators behind GandCrab made an unexpected public announcement in May 2019, saying they would “retire” and claiming their affiliates had earned more than $2 billion in illegal gains over the preceding two years. Once GandCrab left the scene, Sodinokibi became the dominant RaaS player (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).