GandCrab Ransomware IOC Feed

GandCrab ransomware was one of the most active ransomware families up until mid-2019. Some of its recent successors include Maze, Ryuk, Conti, DoppelPaymer and others. The GandCrab ransomware-as-a-service (RaaS) operation shut down in June 2019. This page is being maintained for historical reasons.

GandCrab notably used the .bit TLD (a Namecoin-based domain namespace resolved outside the regular DNS hierarchy) for Command & Control. Commonly used .bit C&Cs for GandCrab include ransomware.bit, zonealarm.bit, and carder.bit.

As mentioned, the malware was known to be distributed using a Ransomware as a Service (RaaS) model. As a result, there were several distinct actors and distribution vectors, including malicious attachments in spam emails and the RIG exploit kit.

Below you will find historical GandCrab Ransomware Indicators of Compromise (IOCs) from our Threat Intelligence feed. All of these indicators were internally verified using custom YARA rules and behavioural signatures. For live threat intelligence data, including ransomware IOCs from currently active families, please sign up for a free trial.

Historical GandCrab Ransomware IOCs

