GandCrab is ransomware that encrypts a victim's files and demands ransom for their return, targeting Windows PCs of both consumers and businesses. Per Malwarebytes, it launched in January 2018 and operated as a ransomware-as-a-service, with affiliates spreading it for a share of the profits. On May 31, 2019 its operators publicly announced they were shutting down. Free decryptors for certain versions were later released through industry and law-enforcement collaboration.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1486 T1490 T1082 T1083 T1071.001 T1566.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_GANDCRAB {
meta:
description = "Detects Gandcrab (ransomware)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "gandcrab" ascii wide nocase
$s2 = "gandcrab" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Gandcrab Activity
id: d4d07dbc129592db4c5ff26cf2c92012
status: experimental
description: Detects generic indicators of the gandcrab malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*gandcrab*"
- "*gandcrab*"
condition: selection
level: mediumRansomware that encrypts files on Windows PCs and demands payment; it targeted both consumers and businesses.
It launched in January 2018 and its operators announced a shutdown on May 31, 2019.
As a ransomware-as-a-service: affiliates spread it through methods like exploit kits, phishing, and other vectors in exchange for a cut of the ransoms.
Free decryptors for certain GandCrab versions were released through industry and law-enforcement collaboration; availability depends on the version.
Security guidance generally discourages paying. Check whether a free decryptor exists for your version (e.g., via the No More Ransom project) and restore from clean backups where possible.
Keep software patched, be cautious with email attachments and links, use reputable security software, and maintain tested offline backups.
Malwarebytes maintains a GandCrab overview, linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/gandcrab.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.