A new campaign using the REvil ransomware (also known as Sodinokibi) has been linked to, and shares code similarities with, the GandCrab malware.
According to researchers from the Secureworks Counter Threat Unit team, both malware families may be the work of the same authors. “Analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined”, reads the report by the Secureworks® Counter Threat Unit™.
GandCrab was one of the most successful ransomware families of 2018 and 2019. In June, its developers claimed to have earned $2 billion since GandCrab's debut and announced that they were winding down their operation.
REvil first appeared shortly before GandCrab was shut down and became one of the most prominent ransomware families of 2019.
“REvil certainly has some code match with GandCrab, and there are even artifacts that suggest it was supposed to be an evolution of GandCrab, and the attackers decided that GandCrab was ripe for reuse and restart”, said researcher Rafe Pilling.
According to the analysis, the string decoding functions used by REvil and GandCrab are almost identical and point to a connection between the two ransomware families. Both families also share URL-building functionality that produces the same URL patterns for their C&C (command-and-control) servers.
REvil was presumably meant to be a new version of GandCrab, as its code contains strings that appear to reference GandCrab. These include “gcfin,” which the researchers believe stands for “GandCrab Final,” and “gc6,” presumably meaning “GandCrab 6.”
Beyond the code similarities, both REvil and GandCrab whitelist certain keyboard layouts so that they do not infect hosts in, for example, the countries of the former USSR.
Although this fact does not directly connect the two campaigns, it does suggest that their authors are located in the same region.
How to protect yourself from infection?
As of this publication, REvil does not contain worm-like features that would enable it to spread laterally during an infection. It would need to be dropped or downloaded via malware with this capability.
The best way to limit the damage from ransomware is to maintain and verify current backups of valuable data. CTU researchers recommend that organizations employ a 3-2-1 backup strategy to ensure successful restoration of data in the event of a ransomware attack.
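The 3-2-1 rule in the paragraph above is easy to state and easy to drift out of, and a backup copy that ransomware has already encrypted is worse than no copy at all. The following Python script is an added example, not code from the article or from Secureworks; it assumes the usual reading of 3-2-1 (at least three copies including the primary, on at least two media types, with at least one off-site), uses constructed byte strings in place of real backup files, and counts a copy only when its SHA-256 matches the manifest hash recorded at backup time.

```python
"""Score a set of backup copies against the 3-2-1 rule and verify integrity.

Added example (not from the article or the CTU report). Assumes 3-2-1 means:
>= 3 copies (primary included), >= 2 media types, >= 1 copy off-site.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str      # hypothetical copy name, e.g. "nas" or "tape-vault"
    media: str      # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool   # True if the copy lives outside the production site/network
    content: bytes  # constructed payload; real code would hash a file stream


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_321(copies, manifest_hash):
    """Return findings for a set of copies.

    A copy only counts toward 3-2-1 if it still matches the manifest hash
    taken at backup time; an encrypted or corrupted copy is reported instead.
    """
    intact = [c for c in copies if sha256(c.content) == manifest_hash]
    corrupt = [c.label for c in copies if sha256(c.content) != manifest_hash]
    media_types = {c.media for c in intact}
    offsite = [c.label for c in intact if c.offsite]
    return {
        "intact_copies": len(intact),
        "corrupt_copies": corrupt,
        "media_types": len(media_types),
        "offsite_copies": len(offsite),
        "recoverable": len(intact) >= 1,
        "compliant": (len(intact) >= 3
                      and len(media_types) >= 2
                      and len(offsite) >= 1),
    }


# Constructed sample data standing in for a protected dataset.
DATA = b"finance-ledger-2019Q3 constructed sample payload"
MANIFEST_HASH = sha256(DATA)  # recorded when the backup set was created

# Healthy state: primary disk, on-site NAS replica, off-site tape.
HEALTHY = [
    BackupCopy("primary", "disk", False, DATA),
    BackupCopy("nas", "disk", False, DATA),
    BackupCopy("tape-vault", "tape", True, DATA),
]

# Simulated post-incident state: everything reachable from the production
# network was encrypted (modelled here as an XOR of every byte); only the
# off-site tape copy still matches the manifest.
ENCRYPTED = bytes(b ^ 0x5A for b in DATA)
AFTER_ATTACK = [
    BackupCopy("primary", "disk", False, ENCRYPTED),
    BackupCopy("nas", "disk", False, ENCRYPTED),
    BackupCopy("tape-vault", "tape", True, DATA),
]


if __name__ == "__main__":
    for name, copies in (("healthy", HEALTHY), ("after attack", AFTER_ATTACK)):
        print(name, check_321(copies, MANIFEST_HASH))
```

Run the script and compare the two reports: the healthy set is compliant, while the post-attack set is still recoverable only because the off-site tape was not reachable from the infected network, and it no longer satisfies 3-2-1, which is the signal to rebuild the missing copies before the next incident rather than after it.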