An alleged operator of the GandCrab ransomware has been arrested in Belarus. The arrest was a joint operation between the UK, Romania and the Ministry of Internal Affairs (MIA) of Belarus. The individual, who has not been named, was unemployed and living in Gomel, in south-eastern Belarus. He made his living writing malware that was distributed through darknet forums. GandCrab was just one of several projects he is believed to have been involved in.
Vladimir Seitsev, Deputy Head of the High-Tech Crime Department of the Interior Ministry, said: “It has been established that a 31-year-old resident of Gomel has infected more than a thousand computers. Decrypting each of them required the equivalent of 1,200 US dollars. Access to the admin panel used to control the encryptor’s botnet was through the darknet, allowing the attacker to remain anonymous for a long time. Part of the profits was transferred to the administrators (operators) of the server he rented.
“The victims of the hacker were users from almost a hundred countries, and the largest numbers of victims are in India, the USA, Ukraine, Great Britain, Germany, France, Italy and Russia.”
What was GandCrab?
GandCrab was one of the most successful ransomware operations. Its creators estimated that victims paid around $2 billion in ransoms. It was run as a Ransomware-as-a-Service (RaaS) business: the core group maintained the malware and the payment infrastructure, while affiliates handled distribution in return for a share of the ransoms.
Its creators treated it as a professional business rather than a one-off money-making opportunity. Over the 15 months it was operational they kept updating the code so that it could evade security software. They also shifted from mass infection to more targeted attacks, which made the campaigns harder to detect.
In May 2019 they announced on the cybercrime forum Exploit[.]in that they were shutting the service down. In their farewell statement, the authors of GandCrab said: “We ourselves have earned over US $150 million in one year. This money has been successfully cashed out and invested in various legal projects, both online and offline ones. It has been a pleasure to work with you.
“But, like we said, all things come to an end. We are getting a well-deserved retirement. We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”
They also told all affiliates to stop distributing GandCrab within 20 days.
Brian Krebs wrote a detailed piece, “Who’s Behind the GandCrab Ransomware”, in July 2019. He identified several domains and email addresses linked to the author, and went so far as to name him. It will be interesting to see whether the man arrested by the MIA in Belarus has any links to that individual.
Enterprise Times: What does this mean?
Another day, another arrest of a cybercriminal who thought he had escaped the authorities. Based on the more than a thousand computers the MIA says he infected, the US$1,200 demanded for each, and the share of revenue GandCrab paid to its affiliates, this individual would have made over US$800,000 from GandCrab. For many, that would have been more than enough. Instead, it seems he continued to write and distribute malware. It will be interesting to see what other malware he is accused of creating.
Over 165 people in Belarus were affected by GandCrab. It is unclear whether Belarus will prosecute him itself or hand him over to another country. The US, as one of the countries most affected by GandCrab, is almost certainly making extradition overtures to Belarus; it will want more information about others involved in GandCrab and in other malware campaigns.
This will be seen as another success for cooperation between cybercrime investigation teams in different countries. The problem is that a few good arrests do not seem to be stemming the flow or the success of cybercriminals. Ransomware, in particular, is proving resistant to arrests and to the penetration of cybercrime groups.