GandCrab ransomware evolves thanks to an AGILE development process

Pierluigi Paganini March 16, 2018

According to Check Point report, the authors of the prolific GandCrab ransomware are continuously improving their malware by adopting the AGILE development process.

Early February experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.

The GandCrab was advertised in Russian hacking communities, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine). Security experts believes that the hackers behind the ransomware are likely Russia-based.

It has been estimated that the GandCrab ransomware has managed to infect approximately 50,000 computers, most of them in Europe, in less than a month asking from each victim for ransoms of $400 to $700,000 in DASH cryptocurrency.

Earlier March, a joint operation conducted by Romanian Police and Europol allowed to identify and seize the command-and-control servers tied to the GandCrab ransomware campaigns.

The Romanian Police (IGPR) under the supervision of the General Prosecutor’s Office (DIICOT) and in collaboration with the internet security company Bitdefender and Europol released the GandCrab ransomware decryptor.

Even after the success of the operation conducted by law enforcement, crooks behind the GandCrab ransomware are still active.

According to experts at Check Point security firm, the gang has already infected over 50,000 victims mostly in the U.S., U.K. and Scandinavia. It has been estimated that the revenues in two months have reached $600,000.

“GandCrab is the most prominent ransomware of 2018. By the numbers this ransomware is huge,” explained Yaniv Balmas, security research at Check Point.

Balmas compares the ransomware to the Cerber malware, the expert also added that GandCrab authors are adopting an agile malware development approach, and this is the first time for a malware development.

“For those behind GandCrab, staying profitable and staying one-step ahead of white hats means adopting a never-before-seen agile malware development approach, said Check Point.” reported Threat Post.

“Check Point made the assessment after reviewing early incarnations of the GandCrab ransomware (1.0) and later versions (2.0).”

Researchers have analyzed both GandCrab ransomware (1.0) and later versions (2.0) and have deduced that vxers are continuously improving the malicious code adopting an Agile approach.

“The authors started by publishing the least well-built malware that could possibly work, and improved it as they went along. Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile,” reads an upcoming report to be released by Check Point.

The code for early versions of the GandCrab ransomware was affected by numerous bugs, but the development team has fixed them.

According to the researchers, the authors of the GandCrab ransomware doesn’t conduct any campaign, instead they are focused on the development of their malware.

“They have been diligent about fixing issues as they pop up. They are clearly doing their own code review and fixing bugs reported in real-time, but also fixing unreported bugs in a very efficient manner.” explained Michael Kajiloti, team leader, malware research at Check Point.

The researchers believe that future versions will address several major bugs that currently allowed experts to decrypt the files locked by the ransomware.

“GandCrab itself is an under-engineered ransomware that manages to still be effective. For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” continues Check Point.

“If you monitor your internet traffic while you are infected for the private key, this means you can easily decrypt your files,” Balmas said. “The private key is encrypted in transit. But it is encrypted using the same password every time. And the password is embedded in the malware code.”

The developers also focused on improving evasion capabilities, a continuous development process like the one used in Agile allows the GandCrab to easily bypass signature-based AV engines.

“Cosmetics and incremental code changes keep the core of the malware behavior essentially the same. This comes to show the core differentiator of dynamic analysis and heuristic-based detection, which is signature-less,” states Check Point report.

“With agile development and the infection rate and affiliates, GandCrab will keep making money,”

Only monitoring the evolution of the threat, we can prevent infections.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – GandCrab RaaS, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini October 08, 2025

Qilin ransomware claimed responsibility for the attack on the beer giant Asahi

Pierluigi Paganini October 08, 2025