Historical threat intelligence feed

GandCrab Ransomware IOC Feed

Historical IOC feed for the GandCrab ransomware-as-a-service operation, maintained for reference.

This malware family is no longer active and PrecisionSec no longer tracks new GandCrab indicators. This page is kept online for historical reference.

About GandCrab

GandCrab was one of the most active ransomware families until mid-2019. Its recent successors include Maze, Ryuk, Conti and DoppelPaymer, among others. The GandCrab ransomware-as-a-service (RaaS) operation shut down in June 2019. This page is maintained for historical reasons.

GandCrab notably used the .bit TLD for command and control. Commonly used .bit C&C domains for GandCrab include ransomware.bit, zonealarm.bit, and carder.bit.

As noted above, GandCrab was distributed under a ransomware-as-a-service (RaaS) model. As a result, there were several distinct actors and distribution vectors, including malicious attachments in spam emails and the RIG exploit kit.

PrecisionSec no longer tracks GandCrab, and the indicators below are retained for reference only. For active malware family, C2 and ransomware coverage, see our threat intelligence feeds.
