A new form of ransomware shares a number of links with GandCrab malware according to security company researchers, even though the developers of that infamous piece of ransomware earlier this year claimed to have retired.
GandCrab was one of the most successful families of ransomware during 2018 and 2019, with its authors offering it out 'as-a-service' in exchange for a cut of the profits. In June, they suddenly announced they were retiring, claiming to have earned over $2 billion since GandCrab first emerged in January 2018.
Many were sceptical as to whether the GandCrab crew had really ceased operations and now researchers have uncovered technical links between GandCrab and another form of ransomware – REvil – which suggests that the two forms of malware have the same authors.
Now security researchers in the Secureworks Counter Threat Unit have detailed what they believe to be links that demonstrate that the developers of GandCrab – who they refer to as Gold Garden – are also responsible for REvil, which could have started life as a new version of GandCrab.
"It certainly shares some code overlap with GandCrab and there are even artefacts in there which suggest that it was intended to be an evolution of GandCrab and they decided that GandCrab was ripe for a rebrand and relaunch," Rafe Pilling, information security researcher at Secureworks, told ZDNet.
Analysis of REvil found that the string decoding functions employed by REvil and GandCrab are nearly identical, suggesting a strong link between the two forms of ransomware. REvil and GandCrab also share URL building functionality which produces the same URL patterns for command and control servers.
"When we see things like that, it's a tell-tale which suggests the code has been shared," said Pilling.
There's also evidence that REvil was initially just intended to be a new version of GandCrab ransomware, as analysis of a beta version of REvil reveals that there are lines in the code that appear to be references to GandCrab. These include 'gcfin', which researchers believe stands for 'GandCrab Final', and 'gc6', which is believed to stand for GandCrab 6.
With those behind GandCrab famous for running a slick operation, it's likely that these references to their original ransomware are a mistake – but it has enabled researchers to directly link REvil to the same group.
In addition to the similarities in the code, both REvil and GandCrab whitelist certain keyboard layouts so as to not infect Russian-based hosts. While this doesn't directly link the two operations, it does suggest they are based in the same region.
When Gold Garden pulled GandCrab it was still running a successful operation, with a new build of the ransomware having only recently been released to counter a free decryption tool. However, it's possible that the attackers introduced REvil to refresh their operations in an effort to keep one step ahead of law enforcement and security professionals.
REvil has already become one of the most high-profile forms of ransomware and researchers warn that it's set to replace GandCrab as the most widespread ransomware threat.
To limit the damage of ransomware attacks, it's recommended that organisations regularly back up their data and patch systems to protect against cyberattacks that spread by exploiting old vulnerabilities.