08
Jul 19

Who’s Behind the GandCrab Ransomware?

The crooks behind an affiliate program that paid cybercriminals to install the destructive and wildly successful GandCrab ransomware strain announced on May 31, 2019 they were terminating the program after allegedly having earned more than $2 billion in extortion payouts from victims. What follows is a deep dive into who may be responsible for recruiting new members to help spread the contagion.

Image: Malwarebytes.

Like most ransomware strains, the GandCrab ransomware-as-a-service offering held files on infected systems hostage unless and until victims agreed to pay the demanded sum. But GandCrab far eclipsed the success of competing ransomware affiliate programs largely because its authors worked assiduously to update the malware so that it could evade antivirus and other security defenses.

In the 15-month span of the GandCrab affiliate enterprise beginning in January 2018, its curators shipped five major revisions to the code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.

“In one year, people who worked with us have earned over US $2 billion,” read the farewell post by the eponymous GandCrab identity on the cybercrime forum Exploit[.]in, where the group recruited many of its distributors. “Our name became a generic term for ransomware in the underground. The average weekly income of the project was equal to US $2.5 million.”

The message continued:

“We ourselves have earned over US $150 million in one year. This money has been successfully cashed out and invested in various legal projects, both online and offline ones. It has been a pleasure to work with you. But, like we said, all things come to an end. We are getting a well-deserved retirement. We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”

Evil indeed, when one considers the damage inflicted on so many individuals and businesses hit by GandCrab — easily the most rapacious and predatory malware of 2018 and well into 2019.

The GandCrab identity on Exploit[.]in periodically posted updates about victim counts and ransom payouts. For example, in late July 2018, GandCrab crowed that a single affiliate of the ransomware rental service had infected 27,031 victims in the previous month alone, receiving about $125,000 in commissions.

The following month, GandCrab bragged that the program in July 2018 netted almost 425,000 victims and extorted more than one million dollars worth of cryptocurrencies, much of which went to affiliates who helped to spread the infections.

Russian security firm Kaspersky Lab estimated that by the time the program ceased operations, GandCrab accounted for up to half of the global ransomware market.

ONEIILK2

It remains unclear how many individuals were active in the core GandCrab malware development team. But KrebsOnSecurity located a number of clues that point to the real-life identity of a Russian man who appears to have been put in charge of recruiting new affiliates for the program.

In November 2018, a GandCrab affiliate posted a screenshot on the Exploit[.]in cybercrime forum of a private message between himself and a forum member known variously as “oneiilk2” and “oneillk2” that showed the latter was in charge of recruiting new members to the ransomware earnings program.

Oneiilk2 also was a successful GandCrab affiliate in his own right. In May 2018, he could be seen in multiple Exploit[.]in threads asking for urgent help obtaining access to hacked businesses in South Korea. These solicitations go on for several weeks that month — with Oneiilk2 saying he’s willing to pay top dollar for the requested resources. At the same time, Oneiilk2 can be seen on Exploit asking for help figuring out how to craft a convincing malware lure using the Korean alphabet.

Later in the month, Oneiilk2 says he no longer needs assistance on that request. Just a few weeks later, security firms began warning that attackers were staging a spam campaign to target South Korean businesses with version 4.3 of GandCrab.

HOTTABYCH

When Oneiilk2 registered on Exploit in January 2015, he used the email address hottabych_k2@mail.ru. That email address and nickname had been used since 2009 to register multiple identities on more than a half dozen cybercrime forums.

In 2010, the hottabych_k2 address was used to register the domain name dedserver[.]ru, a site which marketed dedicated Web servers to individuals involved in various cybercrime projects. That domain registration record included the Russian phone number +7-951-7805896, which mail.ru’s password recovery function says is indeed the phone number used to register the hottabych_k2 email account.

At least four posts made in 2010 to the hosting review service makeserver.ru advertise Dedserver and include images watermarked with the nickname “oneillk2.”

Dedserver also heavily promoted a virtual private networking (VPN) service called vpn-service[.]us to help users obfuscate their true online locations. It’s unclear how closely connected these businesses were, although a cached copy of the Dedserver homepage at Archive.org from 2010 suggests the site’s owners claimed it as their own.

Vpn-service[.]us was registered to the email address sec-service@mail.ru by an individual who used the nickname (and sometimes password) — “Metall2” — across multiple cybercrime forums.

Around the same time the GandCrab affiliate program was kicking into high gear, Oneiilk2 had emerged as one of the most trusted members of Exploit and several other forums. This was evident by measuring the total “reputation points” assigned to him, which are positive or negative feedback awarded by other members with whom the member has previously transacted.

In late 2018, Oneiilk2 was one of the top 20 highest-rated members among thousands of denizens on the Exploit forum, thanks in no small part to his association with the GandCrab enterprise.

Searching on Oneiilk2’s registration email address hottabych_k2@mail.ru via sites that track hacked or leaked databases turned up some curious results. Those records show this individual routinely re-used the same password across multiple accounts: 16061991.

For instance, that email address and password shows up in hacked password databases for an account “oneillk2” at zismo[.]biz, a Russian-language forum dedicated to news about various online money-making affiliate programs.

In a post made on Zismo in 2017, Oneiilk2 states that he lives in a small town with a population of around 400,000, and is engaged in the manufacture of furniture.

HEAVY METALL

Further digging revealed that the hottabych_k2@mail.ru address had also been used to register at least two accounts on the social networking site Vkontakte, the Russian-language equivalent of Facebook.

One of those accounts was registered to a “Igor Kashkov” from Magnitogorsk, Russia, a metal-rich industrial town in southern Russia of around 410,000 residents which is home to the largest iron and steel works in the country.

The Kashkov account used the password “hottabychk2,” the phone number 890808981338, and at one point provided the alternative email address “prokopenko_k2@bk.ru.” However, this appears to have been simply an abandoned account, or at least there are only a couple of sparse updates to the profile.

The more interesting Vkontakte account tied to the hottabych_k2@mail.ru address belongs to a profile under the name “Igor Prokopenko,” who says he also lives in Magnitogorsk. The Igor Prokopenko profile says he has studied and is interested in various types of metallurgy.

There is also a Skype voice-over-IP account tied to an “Igor” from Magnitogorsk whose listed birthday is June 16, 1991. In addition, there is a fairly active Youtube account dating back to 2015 — youtube.com/user/Oneillk2 — that belongs to an Igor Prokopenko from Magnitogorsk.

That Youtube account includes mostly short videos of Mr. Prokopenko angling for fish in a local river and diagnosing problems with his Lada Kalina — a Russian-made automobile line that is quite common across Russia. An account created in January 2018 using the Oneillk2 nickname on a forum for Lada enthusiasts says its owner is 28 years old and lives in Magnitogorsk.

Sources with the ability to check Russian citizenship records identified an Igor Vladimirovich Prokopenko from Magnitogorsk who was born on June 16, 1991.  Recall that “16061991” was the password used by countless online accounts tied to both hottabych_k2@mail.ru and the Oneiilk2/Oneillk2 identities.

To bring all of the above research full circle, Vkontakte’s password reset page shows that the Igor Prokopenko profile is tied to the mobile phone number +7-951-7805896, which is the same number used to set up the email account hottabych_k2@mail.ru almost 10 years ago.

Mr. Prokopenko did not respond to multiple requests for comment.

It is entirely possible that whoever is responsible for operating the GandCrab affiliate program developed an elaborate, years-long disinformation campaign to lead future would-be researchers to an innocent party.

At the same time, it is not uncommon for many Russian malefactors to do little to hide their true identities — at least early on in their careers — perhaps in part because they perceive that there is little likelihood that someone will bother connecting the dots later on, or because maybe they don’t fear arrest and/or prosecution while they reside in Russia. Anyone doubtful about this dynamic would do well to consult the Breadcrumbs series on this blog, which used similar methods as described above to unmask dozens of other major malware purveyors.

It should be noted that the GandCrab affiliate program took measures to prevent the installation of its ransomware on computers residing in Russia or in any of the countries that were previously part of the Soviet Union — referred to as the Commonwealth of Independent States and including Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. This is a typical precaution taken by cybercriminals running malware operations from one of those countries, as they try to avoid making trouble in their own backyards that might attract attention from local law enforcement.

KrebsOnSecurity would like to thank domaintools.com (an advertiser on this site), as well as cyber intelligence firms Intel471, Hold Security and 4IQ for their assistance in researching this post.

Update, July 9, 2:53 p.m. ET: Mr. Prokopenko responded to my requests for comment, although he declined to answer any of the questions I put to him about the above findings. His response was simply, “Hey. You’re wrong. I’m not doing this.” Silly me.

Tags: , , , , , , , , ,

61 comments

  1. First

    Great article

  2. Brian be careful that you don’t end up like a Clinton associate. “Suicide” by 2 shots to the back of the head. These maniacs are just that. Maniacs. Great article, great investigative work, but please be careful. I mean damn, if they can choot Big Papi Dabid Ortiz in the Dominican Republic, they can choot anybody!! 150 million to 2 BILLION dollars will hire a lot of ne’er do wells.

  3. Also I LOL’d @ “Mr. Prokopenko did not respond to multiple requests for comment.”

    I bet!

    • Phil, that had me cracking me up too! I agree with your earlier comment too. That was my initial thought. Brian is a straight mad lad lol. I admire the heck out of someone that is trying to do good and take down cyber-criminals… especially ones of such high profile. Those bread crumbs sure don’t seem to be bread crumbs to me, but whole pieces of toast. Let’s hope something good comes out of this!

    • ThursdaysGeek

      And when he finally did respond, it wasn’t “Huh? Can you explain what you’re talking about?” So, if he understood the accusation, that indicates some knowledge of it.

  4. The Sunshine State

    The miscreants behind ransomware are like spammers, they don’t quit what they are doing, they just move onto some other criminal activity.

    • Not really alike in this case. Spammers make pennies, so they are incentivized to scale and always continue. They’ll never make enough to retire. And even the best ones don’t make the equivalent of a skilled IT professional would. They only do it because it is so easy, it takes no skill.

      Ransomware doesn’t have nearly the wide distribution of common spam. And even getting an infection, yields such a low probability of payout. The money is made from the very few that do pay out. Not pennies, but thousands of dollars each. And not to mention that since payment is in cryptocurrency, they can benefit in the speculation and get a huge bump in their revenue.

      And GandCrab is special case, with about half of the entire share of the Ransomware market at one point… and several million dollars… yes, retirement is a real possibility.

      If they were in it for the thrill, or lacked the discipline to not be too greedy,… retirement is a smart move.
      Once you have millions of dollars, it become far easier and safer to make millions more through legitimate means.

      • That’s not entirely true. I used to love watching “Scamming scammers” videos a few years back. There are people that still do it and it’s hilarious. Basically, they’ll call the fake tech support lines and infect the scammers with malware, destroy their files, take down their operations, etc. Anyways, one of them infected a scammer with a RAT and showed a spreadsheet of how much all of their scammers at that particular site made. It most certainly was not “pennies”. Some made much more than a “skilled IT professional” makes.

        Most of them made at least $100k a year. There are tons of stories where people call into “tech support”, give up their credit card information, and then the scammers will basically clean them out and take several thousand dollars. That’s just one person they did that to. They’re hitting multiple people a day. Heck, Scam Watch has statistics showing that in 2019 alone, scammers made over $46M (https://www.scamwatch.gov.au/about-scamwatch/scam-statistics). Those are strictly cases that are reported. There are many more that go unreported. Of course, that’s pennies compared to GandCrab, but, considering the complete lack of skill like you mentioned, it’s no wonder why it continues.

        • Ummm… Scammers != Spammers

          Scammers are fraudsters that, yes, put in a lot more work for larger payouts. Similar to ransomware in that regard, cast a wide net for big whale or lots of tuna.

          S(P)ammers, are just marketers. They are generally middlemen and get pennies. Many are legal, but the majority are in that grey space where they don’t care about what they are sending out and won’t honor requests to opt out.

          • Joe-descending

            “Ummm…” no need to be condescending lol.

            • Didn’t mean to be. The “Ummm…” was me looking back at the original comment to make sure I got it right myself. Should I have not capitalized the “U”? Fewer dots? What would fix the tone?

  5. Very interesting. Thanks for reporting it, Brian.

    I was about to ask if this malware affected Russian users but your last paragraph explains it. In that case, why would Russian government bother? With the rampant anti-Western propaganda broadcast daily on Russian TV why would they care? To match the Magnitsky crimes, I would bet that this guy will receive the “model of honor” from Mr. Putin.

  6. Charles Corfield

    It is a dog-eat-dog world: My local fortune teller, Madame Woozle, has looked into her crystal ball, and sees the subject of this article parting with his ill gotten gains under duress. The sums involved make it too tempting for the folks who specialize in cruder extortion techniques to pass up.

  7. re: that might attract attention from local law enforcement.

    I tend to think that this is to prevent them angering any of the groups that wouldn’t hesitate to put out a contract on them because law enforcement isn’t likely to grind them, and their families, up into mincemeat for their pets.

  8. Great piece of detective work Brian. Must reading for anyone in the IT Security business.

  9. Can we assume that the two billions came from people and companies that failed to backup files and or systems?

    I suppose an individual has an easier job to backup than do companies of small and medium size.

    • The ransomware can sit dormant for months, before it’s activated, as the thief waits for your backups to be so outdated, you’ll be forced to pay ransom.

      Think of the cost of restoring your six month old backup out of remote storage, then manually updating every file to bring it current. That labor-intensive process will make a ransom payment very attractive, as a quick, less costly fix.

      There is nothing to mock in a situation where ransomware is involved. It’s been carefully planned so one is left with no choice but to pay.

      • I’ve scanned backup files for the attack packages after waiting 24 hours for the zero day to expire, and had success. It won’t help businesses that use optical storage though. Some businesses probably don’t want to wait a day, but if they are lucky the malware wasn’t updated lately.

  10. Just a friendly reminder to back up. That is the easiest antidote to ransomware. I’m imaging right now!

    Dedserver (from memory) is in my firewall block list. I block based on detected hacking activity, so there you go.

  11. I don’t understand how they’ve cashed out already…

    Couldn’t cryptocurrency exchanges prevent criminals from cashing out? Wouldn’t it be simple to trace and freeze the accounts associated with the Ransomware payment addresses?

    • Once money reaches the ransomware address, it will be filtered through a laundering process, probably a “mixer” service, which makes it nearly impossible to trace where the money goes next. Because of this there is no way for the exchanges to know whether they’re cashing out dirty money, but it is possible for them to refuse to cash out coins that originate from these services.

  12. Great read, thanks again for the work you do.
    Guess those databases of hacked accounts do provide something useful after all. Ironic that the information helps connect the dots on computer criminals!

  13. These people should be lined up, and made an example of.

  14. Excellent article -thank you for your insight Brian and for your continued hard work reporting!

    Scott
    http://www.ScottSchober.com

  15. Would using a program called “Sandboxie” protect your computer from getting infected?
    When using sandboxie with your browser, it keeps everything in sandboxie and does not allow any virus to spread to anything located outside of sandboxie.

    • Robert Scroggins

      I used to prepare malware signatures for one of the AVs and used SandboxIE sometimes. It can help you avoid many infections if you use it per the instructions. I think it is a good program for the average user. One problem with it, however, is that some malware can detect when it is in a sandbox or virtual environment and will not infect then. SandboxIe has some limitations also, as explained in the instructions.

      I eventually started using disk image programs when I had to execute malwareso that I could revert my computer back to a “clean” state. A problem with that, however, is that, at that time anyway, some disk imagers were unable to revert after a rootkit infection.

      Regards,

      • ” One problem with it, however, is that some malware can detect when it is in a sandbox or virtual environment and will not infect then. ”

        That sounds like another check in Sandboxie’s favor. No shield is absolute, but I’d almost count on Sandboxie over AntiVirus in the face of a web infection attempt. That is because no malware is released until it can first be shown to sneak by all AntiVirus packages.

    • Yes, Sandboxie can prevent the installation of many malwares, so long as your default settings are to sandbox your browsers and email clients.
      Sandboxie can not prevent the ex-filtration of data, unless you force the sandbox to block internet traffic. This could be a problem depending on the software you are running in a sandbox (Ie, web browsers / email clients).
      Remember, you can create many sandboxes. I have one for email, one for browsers, one for Photoshop, one for Acrobat, etc. Each allow me to control the nuances of computer, network, and printer activity.

    • Sandboxie is great, I’ve used it going on about 15 years.
      It’s also great for doing forensics. You can run malware in it (unless its VM aware) then pull the sudo reg file, and check created files to see what it did, and use that as an IOC to check other systems.
      Remember to empty/delete the boxes after such instances.

    • The free version of “Sandboxie” will not protect your computer from getting infected via MS Office malware, which is a common ransomware tactic. The paid Sandboxie version offers Office365 support, Office 2016 support and Office 2013 (Click2Run) support.

    • And if you are really paranoid and willing…
      Qubes OS!

  16. Robert Scroggins

    Great work, Brian! Stay safe and take care, however.

    Regards,

  17. Brian, thanks a lot mate. Keep doing this please!

  18. Great Article, thanks Brian.

  19. Brian, Great reporting. I wonder if his circumstances have changed? i.e. did he, like Vladimir Putin, go from a person earning a modest salary of ~$30K, to a person of comparitively immense wealth? Do you have any way of seeing where he lives now? does he still drive a Lada…or has it become a lamborghini? And speaking of the Crime-boss Vladimir Putin who stole his way to the richest man in the world, is it possible that these guys are working for him? any breadcrumbs?

    • Much better.
      The guys are betting on the best of the best.
      NSA Tools and other US-NO-Spy Tools.
      Unfortunately, not everyone has the opportunity to live in the civil rights friendly, non-supervisory USA .

      If you find irony, keep it.
      All I’m saying is glass house and stones.

  20. Again we end up in Russia.

  21. It’s war time with Russia.
    When will we realize. We need to put an end to this.
    Military. Physical.
    But no one in the world has the balls, spine, or fortitude to just nuke the f—k out of the Russians.
    Just wait until suicide bombing tourism becomes a thing.

    • That’s so brave of you, to offer hundreds of thousands of lives to snuff out a handful of computer criminals.
      You think nobody has the balls, it’s more like nobody is that stupid.

    • Russia Inside Her

      What happened. Y’all thought it was great in 1919.

    • Trump has got the balls. Let Putin creep a little more like he did into Ukraine and let Putin keep fondling Bashar al-Assad’s tender bits, and soon Russia will get smacked. Their economy over there is ridiculous. They’re no “super power” these days, and haven’t been since pre Ronald Reagan days. We have them outmatched militarily by a tremendous ratio.

      • Trump talks… no follow through.
        Especially not going to stand up to his friends, or any other strong man that he “admires”.

        Russia has a significant cyber capability, and probably personal dirt on Trump. Putin is an FSB intelligence officer (no former in that line of work). They dug up dirt on Clinton, and it would have been incompetent to not do the same on Trump.

        The question becomes, is Trump behaving so friendly because he knows what they have on him… or because he really is that incompetent?

      • Trump Got Small Balls

        “Trump has got the balls.”

        yeah right. small hands. small balls. everything else is fat asre lard on that obese loudmouth idiot. it is sickening that there are so many fools worshiping that gruntbrain.

      • No he doesn’t.

      • “Trump has the balls..”

        No. No he doesn’t.

  22. Aha! Very good article. Now my poses to the others. Since this is a call home later, did you put this in your backup? Would that run have a different decryption factor?
    Sandboxing? I don’t remember when it was, but sandboxes have been breached also. I don’t remember, if it was Krebs or a research paper, but it has been done.
    And if win,apple, Linux, have you updated lately? If so, go back and resecure your settings. Make sure none of them have changed. Even the non security programs overflow into your secure settings without notice.

    • Thanks for sharing that history. Sad that every life there is just a disposable sliver of meat for the sake of industry, for the last 90 years.

  23. Always fascinating to see the amount and nature of coverage to this and who is concerned contrasted with coverage and concerned parties on issues involving far more “evil”

    Compared to what is “legal” these evil criminals are harmless flies.

    And if we’re being honest, were the funds spent surveilling the entire world by a certain evil empire instead spent on fixing and finding exploits these evil ransomware bandits likely would not be in business.

    But they certainly make a good distraction despite not being more sophisticated than jangling keys at a baby.

  24. probably the NSA with their surveillance tools

  25. English was clearly not the native language of the many miscreants involved (certainly those quoted), and if the perps have now ‘retired’ by having laundered their extorted “earnings” into legitimate assets they would be very smart to maintain a very low profile — not doing so has been the downfall of far too many crooks in the past, so I’ll cross my fingers and hope they get outed for too much media flash and then prosecuted (or whatever).

  26. Love these elaborate takedown posts – fair play on the hard work involved!

  27. Funny reference to old Russian folk tale
    https://en.wikipedia.org/wiki/Old_Khottabych

    Igor definitely ransomwares

  28. Tired of these attacks

    “We are getting a well-deserved retirement.”

    When you are in jail, that will be a very well deserved vacation. Seems from this story and many others that many of these problems are imported from Russia (North Korea, China). Indeed, many times the actual identity of the dim wit is known. “Russian malefactors to do little to hide their true identities” and indeed this is true.

    So why can’t white hats do some serious damage to Russia? Attack the infrastructure, finance, hospitals, schools, military. The dim wits may be able (maybe not) to protect their little fiefdom but Russia is too large for them to protect. A massive hack attack on Russia causing serious grief and economic loss aimed at putting the dim wits into the Russian spotlight might be just what the doctor ordered. At the very least it will cause Russia grief.

  29. And here we go, my suspicions confirmed. GandBitches didn’t retire out of having earned enough, they realized the trail had become far too hot. Think about it for a moment: one last hurrah in which they boast about grand earnings… then urge victims to pay?
    They disappear in a hurry, then LEAs seize control of C2 servers and decryption keys are widely available.
    And now this, one of their members busted by Krebs.

    My suspicion still stands. the crabbies ran off. Good job! Now to find out the devs and actual operators…