Are the REvil, GandCrab Ransomware Families Related?
The REvil and GandCrab ransomware families share technical links, according to Counter Threat Unit (CTU) researchers at Secureworks, a Top 200 MSSP for 2019. The finding suggests that GandCrab’s authors have not retired from cybercrime after all.
The string decoding functions employed by REvil and GandCrab are nearly identical, Secureworks said. Furthermore, REvil produces the same command-and-control URL pattern as GandCrab, and both ransomware families whitelist similar keyboard locales to prevent infection of Russia-based hosts.
REvil, also referred to as Sodinokibi, was first discovered in the wild on April 17. It was leveraged in a strategic web compromise (SWC) attack against the Italian WinRAR archiver tool on June 20, along with attacks against three MSPs that were identified the same day. In addition, REvil may have been used during a ransomware attack against PerCSoft, a Wisconsin company that provides an online data backup service for dental offices.
Cybercriminals use REvil to exploit the CVE-2018-8453 security vulnerability to elevate end user privileges, Secureworks stated. They also leverage REvil to terminate blacklisted processes, wipe the contents of blacklisted folders, encrypt non-whitelisted files and folders on local storage devices and network shares, and exfiltrate basic host information.
What Is GandCrab?
GandCrab uses a ransomware-as-a-service (RaaS) model in which cybercriminals pay for access to custom ransomware builds, Secureworks noted. Affiliates can therefore buy the ransomware and use it to launch their own cyberattacks.
GandCrab was launched in January 2018 but shut down earlier this year. To date, GandCrab’s authors have earned over $2 billion in ransom payments, Secureworks indicated.