Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/25/2019
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

GandCrab Developers Behind Destructive REvil Ransomware

Code similarities show a definite technical link between the malware strains, Secureworks says.

The decision by the developers of GandCrab ransomware to "retire" earlier this year after raking in an estimated $2 billion in less than 18 months may have more to do with a shift in focus than a desire to fade away into obscurity.

A new Secureworks analysis of recent ransomware activity has confirmed earlier suspicions that "Gold Garden," the group behind GandCrab, is actively involved in another ransomware variant named REvil that has been wreaking havoc in recent months.

REvil first emerged in mid-April, about a month before Gold Garden announced its retirement from the ransomware scene. Since then the ransomware has been linked to numerous attacks, most notably on nearly two dozen Texas municipalities and hundreds of dentist offices around the country. The malware has been especially notable for its use in so-called "compromise-once-infect-many" attacks on targets with many customers, such as managed service providers (MSPs), Secureworks said.

In the months since GandCrab disappeared, REvil has quickly established itself as one of the most dangerous and prolific ransomware threats in the wild. The group behind it — who Secureworks has dubbed "Gold Southfield" — has been employing the same ransomware-as-a service model that GandCrab employed. Threat actors have used a variety of techniques to distribute REvil, including via an Oracle WebLogic exploit, malicious spam and phishing emails, and through compromised managed service providers.

According to Secureworks, its technical analysis of some early REvil samples uncovered several similarities in code with GandCrab that cannot be explained away by happenstance.

For example, the string decoding function in REvil is nearly identical to the one used in GandCrab. It also uses nearly the same logic and functionality for building command-and-control URLs as GandCrab. There are other artifacts in REvil's code — such as certain debug paths and version numbering patterns — that suggest the first version of REvil might at least have been intended to be the next version of GandCrab, Secureworks said.

Both GandCrab and REvil also have code that prevents the malware from infecting systems based in Russia. While that by itself is not indicative of a link, it does suggest the authors behind both malware strains are from the same region, Secureworks said.

Phony Retirement
Rob Pantazopoulos, a researcher at Secureworks' Counter Threat Unit (CTU), says it's unclear why GandCrab's developers might have suddenly decided to stop further use of that malware.

One reason could be to evade law enforcement. "The threat actors realized that their boisterous nature and researcher-taunting caused some unwanted attention, so they evolved and rebranded under REvil, which, thus far, has been significantly lower key," Pantazopoulos says.

Or it is likely an internal rift occurred among Gold Garden members, resulting in the creation of Gold Southfield with many of the same members from the original group. Regardless of the reasons, since the threat group announced its retirement, GandCrab activity appears to have completely ceased.

Technically, REvil appears to be on par with GandCrab and has more or less the same capabilities. "In my opinion, the significant difference with REvil is the targeting methodologies employed by REvil partners and distributors," Pantazopoulos says.

Since REvil first surfaced, there have been numerous reports of attackers leveraging compromised managed service providers and strategic Web compromises to essentially compromise once and infect many. "For a highly skilled threat actor, this is a low-effort, high-reward scenario," he says.

In a report last month, Fidelis, which has been tracking REvil, described the malware as one of the most active strains during the second quarter of this year. The security vendor estimated REvil as accounting for 12.5% of the ransomware market share compared with about 24% for Ryuk and 17% for the Phobos ransomware strain.

"[REvil] operations have spread wide in the last few months, thanks to different methods, such as malspam, exploit kits, RDP brute-forcing, hacks of MSP, and zero-day exploits," says a spokeswoman from Malwarebytes, another security vendor that has been tracking the malware. The malware has essentially filled the hole created by GandCrab's exit.

"GandCrab was extremely successful, but perhaps its operators decided to refocus their business in ways where they can run operations by focusing on bigger targets," the spokeswoman notes.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Beginner's Guide to Denial-of-Service Attacks: A Breakdown of Shutdowns."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.