Gandcrab

Category: ransomware · Aliases: GandCrab · Sample count (EMBER 2018): 2,992 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

GandCrab is ransomware that encrypts a victim's files and demands ransom for their return, targeting Windows PCs of both consumers and businesses. Per Malwarebytes, it launched in January 2018 and operated as a ransomware-as-a-service, with affiliates spreading it for a share of the profits. On May 31, 2019 its operators publicly announced they were shutting down. Free decryptors for certain versions were later released through industry and law-enforcement collaboration.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1486 T1490 T1082 T1083 T1071.001 T1566.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_GANDCRAB {
    meta:
        description = "Detects Gandcrab (ransomware)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "gandcrab" ascii wide nocase
        $s2 = "gandcrab" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Gandcrab Activity
id: d4d07dbc129592db4c5ff26cf2c92012
status: experimental
description: Detects generic indicators of the gandcrab malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*gandcrab*"
            - "*gandcrab*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is GandCrab?

Ransomware that encrypts files on Windows PCs and demands payment; it targeted both consumers and businesses.

When was GandCrab active?

It launched in January 2018 and its operators announced a shutdown on May 31, 2019.

How was GandCrab distributed?

As a ransomware-as-a-service: affiliates spread it through methods like exploit kits, phishing, and other vectors in exchange for a cut of the ransoms.

Is there a free GandCrab decryptor?

Free decryptors for certain GandCrab versions were released through industry and law-enforcement collaboration; availability depends on the version.

Should I pay the GandCrab ransom?

Security guidance generally discourages paying. Check whether a free decryptor exists for your version (e.g., via the No More Ransom project) and restore from clean backups where possible.

How can I protect against ransomware like GandCrab?

Keep software patched, be cautious with email attachments and links, use reputable security software, and maintain tested offline backups.

Where can I read an authoritative source on GandCrab?

Malwarebytes maintains a GandCrab overview, linked on this page.

Related Families (Category: ransomware)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/gandcrab.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.