‘GandCrab’ Ransomware Returns Despite Retirement Claim

The criminals behind the GandCrab ransomware may not be as retired as they led the world to believe in the summer, after SecureWorks analysed a new piece of ransomware.

In June the developers behind the GandCrab ransomware said they planned to retire after amassing a fortune of more than $2bn.

GandCrab was first released in January 2018 and grew to become the most common strain of ransomware globally, at one point accounting for some 50 percent of all infections, according to Bitdefender.

GandCrab attackers

But researchers at SecureWorks have warned that the criminals may not have retired as first thought, after they analysed a new strain of malware.

GandCrab had spread like wildfire thanks in part to its affiliate model, which allowed criminals to buy ready-made kits in exchange for returning 40 percent of their takings to the developers.

But SecureWorks said that it had identified the REvil (also known as Sodinokibi) ransomware on 17 April this year. This malware has caused major disruption to hundreds of dental practices in the US, as well as 22 Texas municipalities.

“Secureworks Counter Threat Unit (CTU) analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined,” the researchers warned. “CTU researchers attribute GandCrab to the GOLD GARDEN threat group.”

“Based on several similarities between REvil and GandCrab, CTU researchers assess that the GOLD SOUTHFIELD and GOLD GARDEN threat groups overlap or are linked,” the company said.

Secureworks said that circumstantial evidence also suggests that the same threat actors could be responsible for REvil and GandCrab.

“Given the diverse and advanced delivery mechanisms, code complexity, and resources utilized by REvil, CTU researchers assess that this ransomware will replace GandCrab as a widespread threat,” they warned. “As of this publication, REvil does not contain worm-like features that would enable it to spread laterally during an infection. It would need to be dropped or downloaded via malware with this capability.”

“The best way to limit the damage from ransomware is to maintain and verify current backups of valuable data,” they added. “CTU researchers recommend that organisations employ a 3-2-1 backup strategy to ensure successful restoration of data in the event of a ransomware attack.”

Bang to rights

Don Smith, director of Secureworks Counter Threat Unit, told the BBC that his team had the group “bang to rights”.

“We weren’t surprised the group resurfaced,” he reportedly said. “GandCrab offered a good return for criminal actors. It’s unlikely an existing and proficient group would just walk away from that.”

“It’s possible that they wanted to reduce the overall attention that was focused on the GandCrab ‘brand’ and have relaunched with a new product,” he concluded.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
