Who’s Behind a GandCrab Ransomware?

The crooks behind an associate module that paid cybercriminals to implement a mortal and extravagantly successful GandCrab ransomware aria announced on May 31, 2019 they were terminating a module after allegedly carrying warranted some-more than $2 billion in coercion payouts from victims. What follows is a low dive into who competence be obliged for recruiting new members to assistance widespread a contagion.

Image: Malwarebytes.

Like many ransomware strains, a GandCrab ransomware-as-a-service charity hold files on putrescent systems warrant unless and until victims concluded to compensate a demanded sum. But GandCrab distant eclipsed a success of competing ransomware associate programs mostly given a authors worked assiduously to refurbish a malware so that it could hedge antivirus and other confidence defenses.

In a 15-month camber of a GandCrab associate craving beginning in Jan 2018, a curators shipped 5 vital revisions to a code, any analogous with disreputable new facilities and bug fixes directed during thwarting a efforts of mechanism confidence firms to stymie a widespread of a malware.

“In one year, people who worked with us have warranted over US $2 billion,” examination a farewell post by a eponymous GandCrab temperament on a cybercrime forum Exploit[.]in, where a organisation recruited many of a distributors. “Our name became a ubiquitous tenure for ransomware in a underground. The normal weekly income of a plan was equal to US $2.5 million.”

The summary continued:

“We ourselves have warranted over US $150 million in one year. This income has been successfully cashed out and invested in several authorised projects, both online and offline ones. It has been a pleasure to work with you. But, like we said, all things come to an end. We are removing a well-deserved retirement. We are a vital explanation that we can do immorality and get off scot-free. We have valid that one can make a lifetime of income in one year. We have valid that we can turn array one by ubiquitous admission, not in your possess conceit.”

Evil indeed, when one considers a repairs inflicted on so many people and businesses strike by GandCrab — simply a many covetous and rapacious malware of 2018 and good into 2019.

The GandCrab temperament on Exploit[.]in intermittently posted updates about plant depends and release payouts. For example, in late Jul 2018, GandCrab crowed that a singular associate of a ransomware let use had putrescent 27,031 victims in a prior month alone, receiving about $125,000 in commissions.

The following month, GandCrab bragged that a module in Jul 2018 netted roughly 425,000 victims and extorted some-more than one million dollars value of cryptocurrencies, many of that went to affiliates who helped to widespread a infections.

Russian confidence organisation Kaspersky Lab estimated that by a time a module ceased operations, GandCrab accounted for adult to half of a tellurian ransomware market.


It stays misleading how many people were active in a core GandCrab malware growth team. But KrebsOnSecurity located a array of clues that indicate to a real-life temperament of a Russian male who appears to have been put in assign of recruiting new affiliates for a program.

In Nov 2018, a GandCrab associate posted a screenshot on a Exploit[.]in cybercrime forum of a private summary between himself and a forum member famous variously as “oneiilk2” and “oneillk2” that showed a latter was in assign of recruiting new members to a ransomware gain program.

Oneiilk2 also was a successful GandCrab associate in his possess right. In May 2018, he could be seen in mixed Exploit[.]in threads seeking for obligatory assistance receiving entrance to hacked businesses in South Korea. These solicitations go on for several weeks that month — with Oneiilk2 observant he’s peaceful to compensate tip dollar for a requested resources. At a same time, Oneiilk2 can be seen on Exploit seeking for assistance reckoning out how to qualification a convincing malware captivate regulating a Korean alphabet.

Later in a month, Oneiilk2 says he no longer needs assistance on that request. Just a few weeks later, confidence firms began warning that enemy were entertainment a spam debate to aim South Korean businesses with chronicle 4.3 of GandCrab.


When Oneiilk2 purebred on Exploit in Jan 2015, he used a email residence hottabych_k2@mail.ru. That email residence and nickname had been used given 2009 to register mixed identities on some-more than a half dozen cybercrime forums.

In 2010, a hottabych_k2 residence was used to register a domain name dedserver[.]ru, a site that marketed dedicated Web servers to people concerned in several cybercrime projects. That domain registration record enclosed a Russian phone array +7-951-7805896, that mail.ru’s cue liberation duty says is indeed a phone array used to register a hottabych_k2 email account.

At slightest 4 posts done in 2010 to a hosting examination use makeserver.ru publicize Dedserver and embody images watermarked with a nickname “oneillk2.”

Dedserver also heavily promoted a practical private networking (VPN) use called vpn-service[.]us to assistance users blear their loyal online locations. It’s misleading how closely connected these businesses were, nonetheless a cached duplicate of a Dedserver homepage during Archive.org from 2010 suggests a site’s owners claimed it as their own.

Vpn-service[.]us was purebred to a email residence sec-service@mail.ru by an particular who used a nickname (and infrequently password) — “Metall2” — opposite mixed cybercrime forums.

Around a same time a GandCrab associate module was kicking into high gear, Oneiilk2 had emerged as one of a many devoted members of Exploit and several other forums. This was clear by measuring a sum “reputation points” reserved to him, that are certain or disastrous feedback awarded by other members with whom a member has formerly transacted.

In late 2018, Oneiilk2 was one of a tip 20 highest-rated members among thousands of denizens on a Exploit forum, interjection in no tiny partial to his organisation with a GandCrab enterprise.

Searching on Oneiilk2’s registration email residence hottabych_k2@mail.ru around sites that lane hacked or leaked databases incited adult some extraordinary results. Those annals uncover this particular customarily re-used a same cue opposite mixed accounts: 16061991.

For instance, that email residence and cue shows adult in hacked cue databases for an criticism “oneillk2” during zismo[.]biz, a Russian-language forum dedicated to news about several online money-making associate programs.

In a post done on Zismo in 2017, Oneiilk2 states that he lives in a tiny city with a race of around 400,000, and is intent in a make of furniture.


Further digging suggested that a hottabych_k2@mail.ru residence had also been used to register during slightest dual accounts on a amicable networking site Vkontakte, a Russian-language homogeneous of Facebook.

One of those accounts was purebred to a “Igor Kashkov” from Magnitogorsk, Russia, a metal-rich industrial city in southern Russia of around 410,000 residents that is home to a largest iron and steel works in a country.

The Kashkov criticism used a cue “hottabychk2,” a phone array 890808981338, and during one indicate supposing a choice email residence “prokopenko_k2@bk.ru.” However, this appears to have been simply an deserted account, or during slightest there are usually a integrate of meagre updates to a profile.

The more engaging Vkontakte account tied to a hottabych_k2@mail.ru residence belongs to a form underneath a name “Igor Prokopenko,” who says he also lives in Magnitogorsk. The Igor Prokopenko form says he has complicated and is meddlesome in several forms of metallurgy.

There is also a Skype voice-over-IP criticism tied to an “Igor” from Magnitogorsk whose listed birthday is Jun 16, 1991. In addition, there is a sincerely active Youtube criticism dating behind to 2015 — youtube.com/user/Oneillk2 — that belongs to an Igor Prokopenko from Magnitogorsk.

That Youtube criticism includes mostly brief videos of Mr. Prokopenko angling for fish in a internal stream and diagnosing problems with his Lada Kalina — a Russian-made vehicle line that is utterly common opposite Russia. An criticism combined in Jan 2018 regulating a Oneillk2 nickname on a forum for Lada enthusiasts says a owners is 28 years aged and lives in Magnitogorsk.

Sources with a ability to check Russian citizenship annals identified an Igor Vladimirovich Prokopenko from Magnitogorsk who was innate on Jun 16, 1991.  Recall that “16061991” was a cue used by large online accounts tied to both hottabych_k2@mail.ru and a Oneiilk2/Oneillk2 identities.

To move all of a above investigate full circle, Vkontakte’s cue reset page shows that a Igor Prokopenko form is tied to a mobile phone number +7-951-7805896, that is a same array used to set adult a email account hottabych_k2@mail.ru almost 10 years ago.

Mr. Prokopenko did not respond to mixed requests for comment.

It is wholly probable that whoever is obliged for handling a GandCrab associate module grown an elaborate, years-long disinformation debate to lead destiny would-be researchers to an trusting party.

At a same time, it is not odd for many Russian malefactors to do small to censor their loyal identities — during slightest early on in their careers — maybe in partial given they understand that there is small odds that someone will worry joining a dots after on, or given maybe they don’t fear detain and/or charge while they reside in Russia. Anyone puzzled about this energetic would do good to deliberate a Breadcrumbs array on this blog, that used identical methods as described above to expose dozens of other vital malware purveyors.

It should be remarkable that a GandCrab associate module took measures to forestall a designation of a ransomware on computers staying in Russia or in any of a countries that were formerly partial of a Soviet Union — referred to as a Commonwealth of Independent States and including Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. This is a standard prevision taken by cybercriminals using malware operations from one of those countries, as they try to equivocate creation difficulty in their possess backyards that competence attract courtesy from internal law enforcement.

KrebsOnSecurity would like to appreciate domaintools.com (an advertiser on this site), as good as cyber comprehension firms Intel471, Hold Security and 4IQ for their assistance in researching this post.

Update, Jul 9, 2:53 p.m. ET: Mr. Prokopenko responded to my requests for comment, nonetheless he declined to answer any of a questions we put to him about a above findings. His response was simply, “Hey. You’re wrong. I’m not doing this.” Silly me.

Tags: , , , , , , , , ,

You can skip to a finish and leave a comment. Pinging is now not allowed.