How GandCrab Ransomware Made Its Developers Nine Figures

2018 was the year where malware stopped being a malicious hobby and became a real money-making venture. The rise in ransomware and cryptomining attacks is a clear sign that hackers no longer want to just cause havoc – they also want to make a pretty penny while they do so.

Up until now we’ve had no real income figures to work with; were hackers living the dream, or getting by on scraps? It was clear that hackers were trying to make money, but there was no sign on whether they were succeeding. Recently BitDefender released an estimate on the most popular ransomware of this year, and the figures were a little worrisome .

How Much Is Being Made?


We saw some fledgling ransomware attacks around the start of 2018. Things began to kick off when hackers began adopting GandCrab as their weapon of choice back in February 2018. GandCrab was offered as ransomware-as-a-service, where a developer allows others to use their malicious software for either an upfront cost or a share of the total cut. This meant that the developers of GandCrab got a slice of the pie every time someone used their software to successfully carry out an attack.

With GandCrab available for cybercriminals to launch their attacks, how much did its developers make? While BitDefender didn’t have access to the income logs of the developers, they were able to use some educated logic to make a guess-timate.

We know that 500,000 users were infected with GandCrab. We also know that the absolute minimum ransom bounty was $600. Around half of the total people infected with GandCrab give up and pay out. That already gives you a $150 million figure at the absolute least. BitDefender believes the actual figure comes to around $300 million, given how some of the higher ransom demands reached an eye-watering $700,000.

This is an absolutely stunning figure, as this was a movement that started early in 2018. With these numbers being thrown around, it’s not hard to see why ransomware is quickly become the biggest threat of 2018.

How Did this Happen?

With such rapid development in just under nine months, it begs the question: how did GandCrab manage to rake in the big bucks so quickly? While malware such as WannaCry did the rounds earlier this year, it didn’t quite have the same impact as GandCrab. This is because GandCrab does something that WannaCry could only dream of doing – target individual users.


GandCrab comes with the ability to customise the ransom message and payment amount from each victim. Gone are the days where ransomware developers carpet-bomb as many users as possible in the hopes they hit someone who’s both rich and has a strong desire to save their files. Now they can individually tweak the malware to suit their targets. They can customise the malware to suit the target’s ability to pay and ensure they’re getting the most possible out of their victims.

This method of extraction was demoed by IBM with their DeepLocker malware, which used webcams to scan the faces of users and lock down the PC of the target it was looking for. Infecting the PCs of people who can’t pay or aren’t worried about losing their files only makes the malware more visible and susceptible to a counterattack. Using the initial window of freedom to hit affluent targets ensures a nice payout until the ransomware is solved and a solution is released.

What’s Being Done?


Thankfully, security experts around the world realise how bad a ransomware epidemic can be. Reverse-engineering a ransomware attack can make it effectively powerless, and people are pushing out decrypters to fight the latest versions of GandCrab. Of course, being diligent with your Internet security also goes a good distance for avoiding being infected!

Money Grab Crab

We’ve known for a while that malware is shifting towards making profit. Despite this, we didn’t know how much hackers were actually making. With nine-digit estimates being suggested, malware is now a highly profitable venture for those who can muster it.

Do you think this is the start of a wave of malware trying to emulate GandCrab’s success? Or are we ready for the onslaught? Let us know below.

Simon Batt
Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox