GandCrab malware authors remain active
Technical links between the REvil and GandCrab ransomware families prove that the GandCrab malware authors did not retire in June 2019 as they claimed, Secureworks® Counter Threat Unit finds
On May 31, 2019, the developers of the highly profitable GandCrab ‘ransomware-as-a-service’ announced that they were retiring after earning over $2 billion USD since January 2018. The news was met with interest and skepticism within the security community, as multiple affiliate groups regularly conducted extremely successful GandCrab campaigns since its inception. After analyzing the threat landscape, Secureworks® Counter Threat Unit™ (CTU) researchers determined that some or all of GandCrab’s developers, which the CTU™ research team refers to as GOLD GARDEN, simply shifted their focus to a different ransomware variant.
The REvil (also known as Sodinokibi) ransomware was first spotted in the wild (ITW) on April 17, when threat actors leveraged an Oracle WebLogic exploit to deliver both REvil and GandCrab. CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release.
Following the release of version 1.01 on May 7, the REvil developers, which CTU researchers refer to as GOLD SOUTHFIELD, began pushing a new release of the ransomware at the beginning of each month. The features and modifications of each version are listed in the Appendix of this blog post. As of this publication, August is the only skipped month. This cadence and the ransomware’s capabilities indicate a structured development process by dedicated and experienced malware authors.
After GOLD GARDEN’s retirement announcement, REvil activity increased with expanded delivery methods such as malicious spam campaigns and RDP attacks. This surge suggests that the ransomware operators deemed it ready for public release. On June 20, REvil was leveraged in a strategic web compromise (SWC) against the Italian WinRAR . it website, replacing the WinRAR installation executable with an instance of the malware to infect customers’ systems. On the same day, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs’ customers. Other high-profile supply-chain attacks involving REvil have impacted 22 Texas municipalities and hundreds of dentist offices in the United States. Figure 1 shows a timeline of REvil releases and malicious activity.
GandCrab’s ‘ransomware-as-a-service model’ proved to be a highly lucrative endeavor for GOLD GARDEN, so it is unlikely that the threat actors abandoned all malicious activity. Characteristics of REvil that appear to be operational security mistakes by the malware authors enabled CTU researchers to technically link the REvil and GandCrab ransomware families. This link indicates that the malware authors have shifted their focus from GandCrab to REvil.
The full report from Secureworks® Counter Threat Unit is available here