GandCrab was one of the most popular ransomware families in 2018 and 2019. The ransomware encrypted all the files on the target computer and demanded as much as $2,000 in Bitcoin or Dash for the decryption key. The authors behind GandCrab malware announced in June that they are scrapping the operations of the malware as they have made enough money from it. According to the authors, they earned $2 billion from ransomware payments.
Now, the security researchers at Secureworks Counter Threat Unit have spotted new ransomware that shares the same code as GandCrab and it is seen as an evolved version of Gandcrab.
REvil, which is also known as Sodinokibi, has been linked to GandCrab malware.
Speaking to ZDNet, a security researcher said, “It certainly shares some code overlap with GandCrab and there are even artefacts in there which suggest that it was intended to be an evolution of GandCrab and they decided that GandCrab was ripe for a reband and relaunch.”
Why are researchers linking REvil to GandCrab?
Researchers have come up with the following reasons why they believe that GandCrab is resurfacing again in the form of REvil:
- String decoding functions of REvil and GandCrab share similarities.
- The two ransomware also share the URL binding functionality which produces similar URL patters for control servers and commands
- Terms like ‘gcfin’ and ‘gc6’ in the code of REvil suggests a relation between GandCrab and REvil. Researchers believe that ‘gcfin’ stands for ‘GandCrab Final’ and ‘gc6’ denotes GandCrab 6.
- Both REvil and GandCrab have whitelisted certain keyboard layouts as a measure to not infect Russian-based hosts.
Despite the similarities in the code, there are some differences as well which suggests that REvil could be the work of another bad actor who might be trying to imitate GandCrab.
While the operators of GandCrab often displayed an amicable relation with security researchers by often mentioning the researchers’ names in their command and control domains, actors behind REvil have a strict business approach.
REvil could be on its way to becoming of the most high profile ransomware. We recommend that users keep their system updated as and when updates arrive to safeguard themselves against cyber attacks.