Did GandCrab Gang Fake Its Ransomware Retirement?Evidence Mounts That Sodinokibi Ransomware Is GandCrab Gang's 'Retirement' Plan
Did the gang behind GandCrab fake its retirement?
Evidence is mounting that the operators of the notorious ransomware-as-a-service operation called GandCrab announced their retirement only after they ramped up an apparent rival called Sodinokibi.
Security firm Secureworks says that, based on multiple clues, it believes that the threat groups behind GandCrab and Sodinokibi - aka Sodin and REvil - "overlap or are linked."
The timing of the two groups' activities bolsters that theory, as do their tools. For example, Secureworks researchers say there's "similar URL-building logic" in how the two types of ransomware generate ransom notes, and also that code logic they've extracted from REvil matches code logic that has only previously been seen in GandCrab.
Circumstantial evidence also abounds, Secureworks says, including both types of ransomware whitelisting endpoints in Russia so systems from that region will not get crypto-locked. While that's not uncommon, what is unusual is that on April 17, attackers dropped both GandCrab and Sodinokibi on some endpoints.
Researcher Eric Klonowski, meanwhile, found that a debug path in REvil's code - left by whoever developed the malware - sported a top-level folder named "gc6."
"Some researchers view 'gc6' to be a reference to GandCrab v6, which could indicate that REvil is GandCrab v6," Secureworks says. Then again, maybe not, since for the gang itself, "at least internally, their project and decryptor is called 'REvil,'" says malware researcher Vitali Kremez via Twitter.
Secureworks isn't the only security firm to notice glaring similarities between GandCrab and Sodinokibi.
"From the first time we saw Sodinokibi, you could immediately see the parallels," Bill Siegel, CEO of ransomware response firm Coveware, tells Information Security Media Group. "Everything from the way the TOR sites work, down to the personality of the staff that manages the chat window for victims on the TOR site. It felt very much like the same group that has made some incremental upgrades to how their operation worked. It is clear to us that there is overlap."
So Sodinokibi appears to stand as just the latest chapter in the saga of GandCrab, which was first spotted crypto-locking South Korean companies in January 2018. Quickly, GandCrab became one of the most insidious ransomware threats, amassing victims in the U.S. and beyond.
"GandCrab rapidly rose to become the most prominent affiliate-based ransomware and was estimated to hold 50 percent of the ransomware market share by mid-2018," the FBI says. "Experts estimate GandCrab infected over 500,000 victims worldwide, causing losses in excess of $300 million."
Key to the operation's success was its use of "affiliates," who signed up to use GandCrab under terms and conditions that included the GandCrab gang getting a 40 percent cut of all ransoms paid by victims.
On May 31, however, the GandCrab gang announced that "we are leaving for a well-deserved retirement," claiming that their affiliates had earned $2 billion.
Subsequently, the group behind Sodinokibi rapidly moved to become the most sophisticated and dominant operator in the RaaS world (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).
Sodinokibi includes the ability to not just crypto-lock files but also to deactivate the recovery mode in Windows, as well as delete shadow copies, in an attempt to ensure that "the compromised system is unable to restore from backup," Secureworks says. In addition, the ransomware can be set by the attacker to infect all mapped network shares connected to the infected endpoint.
If the ransomware successfully encrypts files, it changes the wallpaper to tell the victim how to pay, which requires visiting a unique URL.
"The site provides instructions for how to purchase bitcoin and chat with support. It also offers a trial decryption to prove that the victim can decrypt the files," Secureworks says.
Secureworks says that currently, "REvil does not contain worm-like features that would enable it to spread laterally during an infection," meaning it either needs to be manually placed or by an attacker - for example, by accessing a targeted organization's unsecured RDP servers - or "dropped" using another type of malware to first infect the system (see: Cybercrime Black Markets: RDP Access Remains Cheap and Easy).
Like GandCrab, some Sodinokibi attackers now have methods for hacking into an MSP and then using the MSP's own software to distribute ransomware code to many different managed endpoints, as happened in a recent attack against a cloud service provider that crypto-locked hundreds of dental practices. And while Texas officials have declined to specify what type of ransomware was used against 22 municipalities in a recent attack, Coveware's Siegel says it has all the hallmarks of a Sodinokibi hit (see: Texas Ransomware Responders Urge Remote Access Lockdown).
Sodinokibi Optimized for Targeting MSPs
Siegel says Sodinokibi's developers appear to have applied lessons learned from GandCrab MSP-infection pain points.
"Attacking MSPs in order to magnify the impact of an attack is a technique that we first saw in GandCrab," he says. "But there were several limitations to the way the GandCrab payload worked in MSP attacks, that Sodinokibi fixed in order to make the attacks more profitable."
For example, GandCrab created unique file extension for every systems it crypto-locked, he says. But if an attacker hit an MSP with 100 end clients, each of which had 100 computers, that meant 10,000 systems with unique extensions, which created a management challenge for the cybercrime gang if one organization wanted to pay a ransom to decrypt all of its crypto-locked systems.
"With GandCrab, they would have to manually create each decryption tool," Siegel says. "This created a huge operational burden on the threat actors, as manually creating all these decryptors was time consuming - i.e. increased costs, decreased profits. In fact, in negotiating with GandCrab via chat, the support operators would openly complain about this and mentioned several times that they were going to fix this issue in an upcoming GandCrab release. They never did, and GandCrab retired."
Siegel says Sodinokibi, by default, behaves the same way, except that developers have added a new option for affiliates. "Sodinokibi has a feature that allows the attackers to issue a single master decryptor for the entire attack," he says. "They even have a partial feature that opens a dialogue box on the TOR page and allows the victim to create a multi-extension decryptor by manually typing in the extensions they need."
Doing so, he says, enables victims to self-service, thus decreasing support costs for attackers and increasing their profits.
"When we saw this, it was clear that the very specific pain points of running GandCrab had been solved in Sodinokibi," Siegel says. "That was a sign of a connection at the personnel level between the two variants."
Did an Affiliate Take Over?
Still, there's no smoking gun that the GandCrab group simply rebranded. "Whether REvil is operated by the GandCrab group is hard to say for sure," Fabian Wosar, CTO at anti-virus firm Emsisoft, tells ISMG.
"It seems impractical for a group that already had the most successful ransomware operation in town at that time to just completely abandon the operation in favor of something that probably won't be as profitable as what they had already going," he says. "Therefore it is probably more likely that since the GandCrab group probably already knew that they wanted to exit soon at that point and refused to make the required changes, the affiliate obtained development talent themselves and had REvil tailored to their specific requirements."
In that scenario, Wosar says whoever is running REvil may have even hired the same developers. "For a true successor however, you would expect a lot more code to be shared, though," he says.
Malware researcher Kremez, meanwhile, tells ISMG that "it would not be a surprise if GandCrab and REvil are linked," although he notes that the two ransomware strains are marketed in very different ways.
"REvil prefers to work only with trusted members, without the open, underground advertisements and brand marketing like GandCrab did," he says. Linked or not, it appears that REvil's operators may have learned this lesson from GandCrab. "It is likely that the increased attention paid to the underground by law enforcement over the years inevitably forces RaaS operators to adopt their own, trusted communities, and to vet every affiliate more carefully," Kremez says.