About GandCrab
GandCrab was one of the most active ransomware families until mid-2019. Its recent successors include Maze, Ryuk, Conti and DoppelPaymer, among others. The GandCrab ransomware-as-a-service (RaaS) operation shut down in June 2019. This page is maintained for historical reasons.
GandCrab notably used the .bit TLD for command and control. Commonly used .bit C&C domains for GandCrab include ransomware.bit, zonealarm.bit, and carder.bit.
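A retrospective check for these lookups in resolver logs, as an added example (not PrecisionSec's own code). It separates the three domains named above from other .bit queries, which are worth a look on their own because .bit is not part of the public DNS root. The four-field log format and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Domains named on this page as commonly used GandCrab C&C hosts.
KNOWN_C2 = {"ransomware.bit", "zonealarm.bit", "carder.bit"}

# Constructed sample resolver log: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
2019-03-02T10:14:01Z 10.0.4.17 www.example.com. A
2019-03-02T10:14:03Z 10.0.4.23 Carder.BIT. A
2019-03-02T10:14:04Z 10.0.4.23 ns1.zonealarm.bit A
2019-03-02T10:14:09Z 10.0.4.31 bit.ly. A
2019-03-02T10:14:12Z 10.0.4.31 habit.example.org. A
2019-03-02T10:14:20Z 10.0.4.40 unlisted-name.bit. A
malformed line
"""


def normalize(qname):
    """Lower-case the query name and drop the root dot so suffix tests are exact."""
    return qname.strip().rstrip(".").lower()


def classify(qname):
    """Return 'known-c2', 'bit-tld' or None for one queried name."""
    labels = normalize(qname).split(".")
    # Compare whole labels so names like bit.ly or habit.example.org do not match.
    if len(labels) < 2 or labels[-1] != "bit":
        return None
    # Match a listed domain itself and any host beneath it.
    registered = ".".join(labels[-2:])
    return "known-c2" if registered in KNOWN_C2 else "bit-tld"


def scan(log_text):
    """Group hits by client: {client_ip: [(timestamp, qname, verdict), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        timestamp, client, qname, _qtype = fields
        verdict = classify(qname)
        if verdict:
            hits[client].append((timestamp, normalize(qname), verdict))
    return dict(hits)


if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        for timestamp, qname, verdict in events:
            print(f"{timestamp} {client} {qname} {verdict}")
```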
As mentioned, the malware was distributed under a ransomware-as-a-service (RaaS) model. As a result, there were several distinct actors and distribution vectors, including malicious attachments in spam emails and the RIG exploit kit.
PrecisionSec no longer tracks GandCrab, and the indicators below are retained for reference only. For active malware family, C2 and ransomware coverage, see our threat intelligence feeds.