Gandcrab

Category: ransomware · Aliases: crab, gdcb · Sample count (EMBER 2018): 2,992 · Enrichment: hand-curated · Updated: 2026-05-27

Overview

GandCrab is a ransomware-as-a-service family that operated from January 2018 to mid-2019 and accounted for a substantial share of global ransomware infections during that period, generating an estimated 2 billion dollars in payments. It spread through exploit kits, phishing, and remote desktop compromise, encrypting files and demanding payment in DASH or Bitcoin. The operators publicly retired in June 2019, but successor families including REvil/Sodinokibi share infrastructure and code with GandCrab. Bitdefender and Europol released free decryptors for several GandCrab versions.

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1486 T1490

Frequently Asked Questions

What is Gandcrab?

GandCrab is a ransomware-as-a-service family that operated from January 2018 to mid-2019 and accounted for a substantial share of global ransomware infections during that period, generating an estimated 2 billion dollars in payments. It spread through exploit kits, phishing, and remote desktop compromise, encrypting files and demanding payment in DASH or Bitcoin. The operators publicly retired in June 2019, but successor families including REvil/Sodinokibi share infrastructure and code with GandCrab. Bitdefender and Europol released free decryptors for several GandCrab versions.

How does Gandcrab spread?

GandCrab spread through exploit kits (RIG, GrandSoft), phishing emails, and remote desktop protocol brute-force attacks before its operators announced retirement in mid-2019.

What are the signs of a Gandcrab infection?

Files renamed with .GDCB, .KRAB, .CRAB, or random 5-letter extensions, ransom notes named KRAB-DECRYPT.txt or similar, and antivirus references to GandCrab or GDCB are signatures.

What should I do if I think I have Gandcrab on my system?

If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Need help with an active incident? If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/gandcrab.json

About this catalog

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.

If you encountered gandcrab, you may also see related ransomware threats. Explore the full ransomware category in this catalog:

View all 5 ransomware families →