Gandcrypt

Category: ransomware · Aliases: Ransom.GandCrab, Win32/GandCrypt, Trojan-Ransom.Win32.GandCrypt · Sample count (EMBER 2018): 474 · Enrichment: documented_reference_only · Updated: 2026-07-02T09:04:51Z

Overview

Executive Summary

GandCrypt (universally known as GandCrab) was one of the most prolific, destructive, and financially successful Ransomware-as-a-Service (RaaS) operations in history. First observed in January 2018, it quickly dominated the ransomware landscape, reportedly generating over $2 billion in extorted funds before its operators officially "retired" in mid-2019. It is characterized by its aggressive encryption, agile development cycles (evading security tools), and massive distribution networks.

Infection Vector and Technical Capabilities

GandCrab affiliates utilized a massive array of distribution methods. It was heavily distributed via major exploit kits (RIG, GrandSoft) and vast malspam campaigns pushed by the Necurs botnet. It was also frequently deployed manually by attackers who purchased RDP access from Initial Access Brokers (IABs). Its technical execution was highly sophisticated:

Threat Assessment

A GandCrab infection is a catastrophic event resulting in immediate, massive data loss and operational downtime. While the original GandCrab operation claims to be defunct, its affiliates and tactics have migrated to modern RaaS syndicates (like REvil/Sodinokibi), and legacy or copycat infections remain a threat.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1486 T1490 T1068

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_GANDCRYPT {
    meta:
        description = "Detects Gandcrypt (ransomware)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "gandcrypt" ascii wide nocase
        $s2 = "ransom.gandcrab" ascii wide nocase
        $s3 = "win32/gandcrypt" ascii wide nocase
        $s4 = "trojan-ransom.win32.gandcrypt" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Gandcrypt Activity
id: c960ab4a684244f327b26e6cf54a62ca
status: experimental
description: Detects generic indicators of the gandcrypt malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*gandcrypt*"
            - "*ransom.gandcrab*"
            - "*win32/gandcrypt*"
            - "*trojan-ransom.win32.gandcrypt*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about gandcrypt?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: ransomware)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/gandcrypt.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.