The Belarusian department “K” of the Ministry of Internal Affairs, with the assistance of the Cyberpolice of Great Britain and Romania, identified and arrested in Gomel an operator of GandCrab ransomware, which was responsible for hacking more than 1000 computers in 2017-2018.
Let me remind you that the GandCrab ransomware ceased operations in the summer of 2019. Through the GandCrab RaaS (ransomware-as-a-service) portal, cybercriminals acquired access to the GandCrab ransomware and then spread this dangerous malware via spam, exploit kits, and so on. When the victims paid the ransom, the GandCrab developers received a small commission, while the rest of the money went to the malware's "tenants".
The announcement about the closure was made 20 days later on the official thread of a famous hacker forum, where GandCrab has been promoting itself since its inception in 2018. In their message, the developers of GandCrab boasted that they were going to “retire”, as in total, the ransoms brought criminals more than $2 billion, and the operators received approximately $2.5 million a week ($150 million a year). Security experts agree that these numbers are unlikely to be true.
"We have successfully cashed this money and legalized it in various areas of business, both in real life and on the Internet. We are retiring to a well-deserved pension. We have proven that it is possible to commit atrocities, but retaliation will not come," wrote the GandCrab creators.
Now, having studied the workings of another ransomware, Sodinokibi (aka REvil), cybersecurity researchers believe that the authors of GandCrab are engaged in the development and promotion of this particular malware. The identity of the developers is still unknown.
However, through international cooperation, law enforcement officers managed to catch one of the most successful ransomware operators. It was established that a 31-year-old resident of Gomel (a city in Belarus) with no previous convictions infected more than a thousand computers. For decrypting each of them, he demanded an amount equivalent to 1200 US dollars.
"The access to the admin panel for managing the ransomware botnet was carried out via the darknet, which allowed the attacker to remain anonymous for a long time. Part of the profit was transferred to the administrators (operators) of the server he leased. The victims of the hacker were users from almost a hundred countries, and the largest number of victims were from India, the USA, Ukraine, Great Britain, Germany, France, Italy and Russia," said Vladimir Zaitsev, Deputy Head of the High-Tech Crimes Department.
Law enforcement officials reported that the Gomel resident was not officially employed, earned his living by distributing cryptocurrency miners, and also advertised malware-writing services on hacker forums.