GandCrab Ransomware Affiliate Member Was Arrested For Phishing Attacks
A GandCrab Ransomware member was arrested in South Korea for using phishing emails to infect victims.
GandCrab malware is spread via an executable binary file which is returned after GandCrab is running on the local machine as a file called “bhxsew.exe”. During the process, the ransomware will try to collect and determine the external IP addresses of the victims via legitimate services.
Some background information
The GandCrab ransomware, a RaaS operation, began in January 2018 and it quickly became a malware empire starting to threaten businesses worldwide.
The GandCrab is Operated as a Ransomware-as-a-Service (RaaS), therefore developers teamed up with affiliates in a revenue share partnership, with affiliates being able to earn between 70-80% of a ransom payment.
The operation had shut down in the summer of 2019, but some security researchers believe that the core developers went on to and founded the REvil ransomware group.
What happened?
A 20-year-old man was arrested on February 25th by the South Korean police following an international investigation that was able to trace GandCrab ransom payments to withdrawals made by the suspect.
South Korean media declared the suspect distributed 6,486 phishing emails. The emails pretended to be sent from the South Korean police investigating the email recipient’s online defamation.
Included in the emails were found attachments that were aiming to infect the victim with the GandCrab ransomware, encrypt files, and demand $1,300 ransom in bitcoin.
The GandCrab members were saying they generated $2 billion in ransom payments, but the South Korean police announced that the suspect only earned 12 million South Korean won or, approximately $10,500 as part of the illicit activities.
The police declared that another suspect they’re after, who shared the GandCrab ransomware with the arrested individual, is still at large.