On January 28th, 2018, our analysts on watch saw a small blip pop up on the Bitdefender Threat Map. It was one of millions of blips we see daily here at Bitdefender, but that blip marked the birth of a new family of ransomware that would cause great pain to innocent victims around the world. The same blip would show up at least 50,000 more times in the following month and several million more times in the next year. It came to be known as “GandCrab.”
This family of ransomware, likely operated out of the former Soviet space, grabbed more than 50 percent of the ransomware market share by August 2018. Access to GandCrab ransomware was sold on underground markets to affiliates, who were responsible for infecting victims and extorting money from them. In exchange, the affiliates gave 40% of their profit to the original GandCrab developers. This fostered a diverse distribution system. Some affiliates would spam out their payloads, while others would infect victims through, for instance, exploit kits or remote access to enterprise computers.