GandCrab ransomware writers still active despite ‘retirement’

Apparent links between an emerging ransomware family known as REvil and GandCrab suggest the GandCrab authors are keeping busy despite having “retired” in June

The authors of the GandCrab ransomware-as-a-service appear to be continuing to develop new ransomware tools, despite saying they had retired at the end of May 2019, according to new research by Secureworks Counter Threat Unit (CTU).

In a farewell message, the creators of GandCrab said they were stepping down to enjoy a “well-deserved retirement” on their multimillion-dollar earnings, shortly before a fourth decryption tool – enabling victims to recover their files without paying the ransom – was released. The group said they were proof that “you can do evil and get off scot-free”.

However, Secureworks CTU researchers have now determined that some, or possibly all, of the GandCrab group – tracked by Secureworks as Gold Garden – have shifted their focus to a new ransomware threat, REvil – also known as Sodinokibi – which was first identified on 17 April 2019 by Cisco Talos.

Speaking at a roundtable event in London, Secureworks CTU head Don Smith said: “They [the GandCrab authors] very publicly announced that they were retiring, said they had made their money and gave some very precise cash statements about how much they had made and how much their affiliates had earned.

“REvil, or Sodinokibi, has appeared on the scene. It’s a different type of ransomware, so GandCrab was single host ransomware – Sodinokibi is post-intrusion ransomware where a guy logs into your network, spends three to five days working out how to get stuff deployed in your network, and then knocks the entire enterprise over, NotPetya or WannaCry-style.”

Smith said Secureworks had GandCrab’s creators “pretty much bang to rights” as the creators of REvil, and that this fitted with the wider picture of cyber criminals more usually being organised criminal groups, not hackers in hoodies.

“They are constantly looking for how to get a better return on investment and return on their assets per investment,” he said. “This is a good example of someone who is getting – I don’t know how much GandCrab decryption was, but not very much because you were encrypting one person’s machine – shifting to total enterprise encryption, where the ransoms can range from $50,000 to not much shy of $10m.”

Secureworks’ assessment appears to confirm investigations by cyber security expert Brian Krebs, who first posited links between the two on 15 June 2019.

The REvil family appears to have been developed and tested between April and May this year. After it was properly released on 7 May, its developers – referred to by Secureworks as Gold Southfield – have pushed new releases at the start of each month, apart from August. According to the researchers, both this schedule and the capabilities of REvil suggest “a structured development process by dedicated and experienced malware authors”.


Following the supposed retirement of the Gold Garden group, REvil activity ramped up with expanded delivery methods: the operators targeted the WinRAR.it website, replacing the WinRAR installation executable with an instance of the malware, as well as three managed service providers (MSPs). Other supply-chain attacks followed, targeting 22 municipalities in the state of Texas, and possibly hundreds of dental surgeries across the US.

Secureworks researchers identified a number of other indicative links between the two groups, including clear similarities between the code used in GandCrab and REvil, which share, among other things, a nearly identical string decoding function; malware writers typically implement their own custom encoding and decoding logic, so such a function can serve as a fingerprint. Researchers also saw suspiciously similar URL-building logic – and although this is not necessarily proof, reproducing that logic accurately would require the writer to reverse-engineer GandCrab code.
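To show why a shared routine such as a string decoder can act as a fingerprint, here is an added illustration of the kind of function-similarity check an analyst might run; it is not Secureworks' method and contains no code from either malware family. The three assembly listings are constructed for this example: two are the same XOR-decoding loop written with different registers and constants (a typical rename-and-rebuild between versions), the third is an unrelated string-length loop. Operands are normalised (registers, immediates, memory references and branch targets are masked) and the Jaccard overlap of instruction trigrams is compared.

```python
"""Instruction-trigram similarity of normalised assembly (added example, constructed samples)."""
import re

# Constructed sample: an XOR string-decoding loop (not real GandCrab code).
SAMPLE_A = """
mov ecx, [ebp+8]
xor eax, eax
decode_loop:
mov dl, [ecx+eax]
xor dl, 0x5A
mov [ecx+eax], dl
inc eax
cmp eax, 0x40
jl decode_loop
ret
"""

# Constructed sample: the same loop rebuilt with other registers, key and length.
SAMPLE_B = """
mov esi, [ebp+8]
xor ebx, ebx
loop_top:
mov bl, [esi+ebx]
xor bl, 0x7C
mov [esi+ebx], bl
inc ebx
cmp ebx, 0x20
jl loop_top
ret
"""

# Constructed sample: an unrelated strlen-style loop, used as the control.
SAMPLE_C = """
mov edi, [esp+4]
xor ecx, ecx
scan:
mov al, [edi+ecx]
test al, al
jz done
inc ecx
jmp scan
done:
mov eax, ecx
ret
"""

# 32-bit general-purpose registers and their 8-bit halves (lowercase only).
REG_RE = re.compile(r'\b(e?[abcd][xlh]|e?[sd]i|e?[sb]p)\b')


def normalize(line):
    """Reduce one instruction to opcode plus masked operand shapes; labels are dropped."""
    line = line.strip()
    if not line or line.endswith(':'):
        return None
    op, _, args = line.partition(' ')
    op = op.lower()
    if op.startswith('j') or op == 'call':          # branch targets carry no signal
        return f'{op} LBL'
    args = re.sub(r'\[[^\]]*\]', 'MEM', args)       # memory references
    args = re.sub(r'0x[0-9a-fA-F]+|\b\d+\b', 'IMM', args)  # immediates (keys, lengths)
    args = REG_RE.sub('REG', args)                  # register allocation differences
    args = re.sub(r'\s+', '', args)
    return f'{op} {args}'.strip()


def fingerprint(asm, n=3):
    """Set of n-grams over the normalised instruction stream."""
    toks = [t for t in (normalize(l) for l in asm.splitlines()) if t]
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def similarity(asm_a, asm_b, n=3):
    """Jaccard overlap of the two fingerprints, 0.0 (disjoint) to 1.0 (identical)."""
    fa, fb = fingerprint(asm_a, n), fingerprint(asm_b, n)
    if not fa and not fb:
        return 1.0
    return len(fa & fb) / len(fa | fb)


if __name__ == '__main__':
    print('A vs B (renamed rebuild):', round(similarity(SAMPLE_A, SAMPLE_B), 3))
    print('A vs C (unrelated loop): ', round(similarity(SAMPLE_A, SAMPLE_C), 3))
```

The rebuilt loop scores 1.0 because nothing that survives normalisation has changed, while the unrelated loop shares only the generic prologue trigram. On real samples an analyst would run this over functions lifted from a disassembler rather than hand-written listings, and would treat a high score as one piece of evidence to be weighed alongside others, exactly as the researchers do with the URL-building logic.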

The two ransomware families also whitelist similar keyboard locales so that they do not infect hosts based in Russia – a frequent tactic intended to avoid scrutiny by local law enforcement. This is not concrete proof of a link either, but it does strongly suggest that both groups are based in the same region.

“GandCrab’s ransomware-as-a-service model proved to be a highly lucrative endeavour for Gold Garden, so it is unlikely that the threat actors abandoned all malicious activity,” said the CTU team. “Characteristics of REvil that appear to be operational security mistakes by the malware authors enabled CTU researchers to technically link the REvil and GandCrab ransomware families. This link indicates that the malware authors have shifted their focus from GandCrab to REvil.”
