New ransomware has links to GandCrab, warns SecureWorks, casting doubt on retirement claims
The criminals behind the GandCrab ransomware may not be as retired as they led the world to believe in the summer, after SecureWorks analysed a new piece of ransomware.
In June the developers behind the GandCrab ransomware said they planned to retire after amassing a fortune of more than $2bn.
GandCrab had first released in January of 2018 and had grown to become the most common strain of ransomware globally, at one point accounting for some 50 percent of all infections, according to Bitdefender.
But researchers at SecureWorks have warned that the criminals may not have retired as first thought, after they analysed a new strain of malware.
GandCrab had spread like wildfire thanks in part to its affiliate model, that allowed criminals to buy ready-made kits in exchange for returning 40 percent of their takings to the developers.
But SecureWorks said that it had identified the REvil (also known as Sodinokibi) ransomware 17 on April this year. This malware has caused major disruption to hundreds of dental practices in the US, as well as 22 Texas municipalities.
“Secureworks Counter Threat Unit (CTU) analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined,” the researchers warned. “CTU researchers attribute GandCrab to the GOLD GARDEN threat group.”
“Based on several similarities between REvil and GandCrab, CTU researchers assess that the GOLD SOUTHFIELD and GOLD GARDEN threat groups overlap or are linked,” it said.
Secureworks said that circumstantial evidence also suggests that the same threat actors could be responsible for REvil and GandCrab.
“Given the diverse and advanced delivery mechanisms, code complexity, and resources utilized by REvil, CTU researchers assess that this ransomware will replace GandCrab as a widespread threat,” they warned. “As of this publication, REvil does not contain worm-like features that would enable it to spread laterally during an infection. It would need to be dropped or downloaded via malware with this capability.”
“The best way to limit the damage from ransomware is to maintain and verify current backups of valuable data,” they added. “CTU researchers recommend that organisations employ a 3-2-1 backup strategy to ensure successful restoration of data in the event of a ransomware attack.”
Bang to rights
Don Smith, director of Secureworks Counter Threat Unit, told the BBC that his team had the group “bang to rights”.
“We weren’t surprised the group resurfaced,” he reportedly said. “GandCrab offered a good return for criminal actors. It’s unlikely an existing and proficient group would just walk away from that.”
“It’s possible that they wanted to reduce the overall attention that was focused on the GandCrab ‘brand’ and have relaunched with a new product,” he concluded.
Do you know all about security? Try our quiz!