Ransomware: New file-encrypting attack has links to GandCrab malware, say security researchers

Analysis of the REvil code reveals strong links to GandCrab - and researchers suggest that REvil even started life as a version of GandCrab.
Written by Danny Palmer, Senior Writer

A new form of ransomware shares a number of links with GandCrab malware according to security company researchers, even though the developers of that infamous piece of ransomware earlier this year claimed to have retired.

GandCrab was one of the most successful families of ransomware during 2018 and 2019, with its authors offering it out 'as-a-service' in exchange for a cut of the profits. In June, they suddenly announced they were retiring, claiming to have earned over $2 billion since GandCrab first emerged in January 2018.

Many were sceptical as to whether the GandCrab crew had really ceased operations and now researchers have uncovered technical links between GandCrab and another form of ransomware – REvil – which suggests that the two forms of malware have the same authors.


REvil – also known as Sodinokibi – first emerged shortly before GandCrab ceased operation and has gone on to become one of the most prominent families of ransomware of 2019.

Now security researchers in the Secureworks Counter Threat Unit have detailed what they believe to be links that demonstrate that the developers of GandCrab – who they refer to as Gold Garden – are also responsible for REvil, which could have started life as a new version of GandCrab.

"It certainly shares some code overlap with GandCrab and there are even artefacts in there which suggest that it was intended to be an evolution of GandCrab and they decided that GandCrab was ripe for a rebrand and relaunch," Rafe Pilling, information security researcher at Secureworks, told ZDNet.

Analysis of REvil found that the string decoding functions employed by REvil and GandCrab are nearly identical, suggesting a strong link between the two forms of ransomware. REvil and GandCrab also share URL building functionality which produces the same URL patterns for command and control servers.
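Code overlap of the kind described above is usually quantified by comparing the bytes of candidate functions from two samples. The following is an added illustration of one common way to do that, Jaccard similarity over byte n-grams; it is not Secureworks' method or any code from the GandCrab or REvil analysis. The three "function" byte strings are constructed stand-ins for routines extracted from two binaries, not real malware bytes.

```python
"""Rank candidate functions from one binary against a reference function by shared byte n-grams.

Added example for illustration: a minimal code-reuse measure a malware analyst might run
over function bodies extracted from two samples. All sample bytes below are constructed.
"""
from typing import Dict, List, Set, Tuple


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Return the set of all overlapping n-byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Jaccard index: |A ∩ B| / |A ∪ B|; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def function_similarity(f1: bytes, f2: bytes, n: int = 4) -> float:
    """Similarity in [0, 1] between two function bodies based on shared n-grams."""
    return jaccard(ngrams(f1, n), ngrams(f2, n))


def rank_candidates(reference: bytes, candidates: Dict[str, bytes], n: int = 4) -> List[Tuple[str, float]]:
    """Score every candidate function against the reference, highest similarity first."""
    scored = [(name, function_similarity(reference, body, n)) for name, body in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed stand-ins (hypothetical, not bytes from any real sample):
# REF_DECODER   - a "string decoding" routine from sample one
# VARIANT       - the same routine with its tail rewritten (e.g. a changed constant block)
# UNRELATED     - a routine that shares no code with the reference
REF_DECODER = bytes(range(0, 40))
VARIANT = bytes(range(0, 30)) + bytes(range(50, 60))
UNRELATED = bytes(range(100, 140))

CANDIDATES = {"sub_variant": VARIANT, "sub_unrelated": UNRELATED}


if __name__ == "__main__":
    for name, score in rank_candidates(REF_DECODER, CANDIDATES):
        print(f"{name}: {score:.3f}")
```

Raw byte n-grams are a deliberately simple measure: in real samples, relocated addresses and compiler-chosen register allocation will lower scores between genuinely shared code, so analysts typically normalise immediates and addresses after disassembly (or compare mnemonic sequences) before scoring. The threshold for calling two routines "nearly identical" is a judgement made on the normalised score together with manual review.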

"When we see things like that, it's a tell-tale which suggests the code has been shared," said Pilling.

There's also evidence that REvil was initially just intended to be a new version of GandCrab ransomware, as analysis of a beta version of REvil reveals that there are lines in the code that appear to be references to GandCrab. These include 'gcfin', which researchers believe stands for 'GandCrab Final', and 'gc6', which is believed to stand for GandCrab 6.

With those behind GandCrab famous for running a slick operation, it's likely that these references to their original ransomware are a mistake – but it has enabled researchers to directly link REvil to the same group.

In addition to the similarities in the code, both REvil and GandCrab whitelist certain keyboard layouts so as to not infect Russian-based hosts. While this doesn't directly link the two operations, it does suggest they are based in the same region.


When Gold Garden pulled GandCrab it was still running a successful operation, with a new build of the ransomware having only recently been released to counter a free decryption tool. However, it's possible that the attackers introduced REvil to refresh their operations in an effort to keep one step ahead of law enforcement and security professionals.

REvil has already become one of the most high-profile forms of ransomware and researchers warn that it's set to replace GandCrab as the most widespread ransomware threat.

To limit the damage of ransomware attacks, it's recommended that organisations regularly back up their data and patch systems to protect against cyberattacks that spread by exploiting old vulnerabilities.
