gandcrab

GandCrab was a prolific Ransomware-as-a-Service (RaaS) operation active from January 2018 to mid-2019. It quickly became one of the most widespread ransomware families due to its affiliate-based distribution model, where operators provided the ransomware to partners in exchange for a revenue share (reportedly 30–40%). GandCrab used a double-extortion approach in later stages, encrypting files with a combination of Salsa20 and RSA-2048 algorithms and appending extensions that varied by version (e.g., .GDCB, .KRAB, .CRAB). Initial access vectors included phishing emails with malicious attachments, exploit kits (notably RIG and GrandSoft), and remote desktop protocol (RDP) attacks. GandCrab’s operators claimed to have earned over $150 million before publicly announcing their retirement in June 2019, after which decryption keys for all versions were released.