Researchers reveal code similarities between Sodinokibi/REvil and GandCrab: is the previous ransomware developer retirement fake?
In-depth code analysis of REvil or Sodinokibi malware revealed strong links to GandCrab malware. In the report, Secureworks research team stated that these families have multiple similarities – string decoding and other techniques used by both are almost identical.
The technical connection between both ransomware strings showed that threat groups behind them are either heavily overlapping or linked – Gold Garden, which is behind GandCrab and Gold Southfield, which has been actively developing REvil since April. These newly-discovered facts suggest that although GandCrab developers claimed to have retired, this infamous hacker group didn't end their malicious activities after all.
Secureworks researchers who analyzed REVil/ Sodinokibi suggested that code overlaps and other artifacts show the possibility that REvil malware was intended to be the next version of GandCrab. For some reason, however, the hacking group most likely decided to relaunch their operations after a rebrand.
Another prominent piece of evidence that shows the relation between the two is the timing. REvil was released as additional payload with GandCrab on April 17, 2019. The GandCrab ransomware creators announced their retirement on May 31, immediately after that REvil activity increased and spreading vectors became more sophisticated.
REvil may have started as a GandCrab version 6
The analysis of a beta version of REvil shows that lines in the code appear to be references to GandCrab. For example, “gcfin” is believed to stand for “GandCrab Final,” and “gc6” – for GandCrab 6. It is known that there are many versions of this virus, GandCrab 5.1.6 being the last one found in the wild, so a new version could be GandCrab v6.
Counter Threat Unit research team stated in their report on Monday:
REvil is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. CTU analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined. CTU™ researchers attribute GandCrab to the GOLD GARDEN threat group.
Besides these coding similarities, certain keyboard layouts, function to avoid Russain-based hosts suggest these malware strains are related to groups from the same region. Infosec community had speculations about GandCrab gang faking their retirement since the very beginning – a conclusion made due to immense media attention and the increased law-enforcement investigation means towards the group. By rebranding, the bad actors can start anew.
Questionable retirement might be a method to avoid unwanted attention
It is unclear why GandCrab developers suddenly decided to stop the malicious activity and retire, as many researchers in the cybersecurity world question. The activity of the cybercriminal gang awarded them with immense profits, so why would anyone kill the goose that lays golden eggs?
Rob Pantazopoulos, a researcher at Secureworks' Counter Threat Unit, suggests that the move was purely for hiding from researchers and law enforcement:
The threat actors realized that their boisterous nature and researcher-taunting caused some unwanted attention, so they evolved and rebranded under REvil, which, thus far, has been significantly lower key.
Other possible reason for backing off might be related to issues within the hacker group itself. Golden Garden members ended their activities, and GandCrab was completely ceased since then. It may lead to the creation of an entirely new threat actor group Gold Southfield with the same members from the original hacker gang.
Various researches on REvil showed that it has the same capabilities as GandCrab and can target large businesses and compromise their networks without much effort. Numerous reports about the activity of ransomware show that REvil is currently one of the most active strains around (12,5%), being only surpassed by Phobos (17%) and Ryuk ransomware (24%).