{
  "family": "gandcrab",
  "sample_count": 2992,
  "category": "ransomware",
  "description": "GandCrab is a ransomware-as-a-service family that operated from January 2018 to mid-2019 and accounted for a substantial share of global ransomware infections during that period, generating an estimated 2 billion dollars in payments. It spread through exploit kits, phishing, and remote desktop compromise, encrypting files and demanding payment in DASH or Bitcoin. The operators publicly retired in June 2019, but successor families including REvil/Sodinokibi share infrastructure and code with GandCrab. Bitdefender and Europol released free decryptors for several GandCrab versions.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "crab",
    "gdcb"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is GandCrab?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "GandCrab is a ransomware-as-a-service family that operated from January 2018 to mid-2019 and accounted for a substantial share of global ransomware infections during that period, generating an estimated 2 billion dollars in payments. It spread through exploit kits, phishing, and remote desktop compromise, encrypting files and demanding payment in DASH or Bitcoin. The operators publicly retired in June 2019, but successor families including REvil/Sodinokibi share infrastructure and code with GandCrab. Bitdefender and Europol released free decryptors for several GandCrab versions."
      }
    },
    {
      "@type": "Question",
      "name": "How does GandCrab spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "GandCrab spread through exploit kits (RIG, GrandSoft), phishing emails, and remote desktop protocol brute-force attacks before its operators announced retirement in mid-2019."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a GandCrab infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Common indicators of a GandCrab infection are files renamed with .GDCB, .KRAB, .CRAB, or random 5-letter extensions; ransom notes named KRAB-DECRYPT.txt or similar; and antivirus detections that reference GandCrab or GDCB."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have GandCrab on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1486",
    "T1490"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}