Last month, GandCrab’s developers publicly disclosed that they were retiring after raking in roughly $2 billion in extortion payments. But this announcement may have been misleading at best, according to security researcher Brian Krebs, who says in a July 15 blog post that GandCrab’s developers may have merely reorganized.
“My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators,” Krebs states in his report. “It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.”
Also known as Sodin and REvil, Sodinokibi first came to light in April 2019. Like GandCrab, Sodinokibi has been made available on dark web forums to cybercriminal “affiliates” as a ransomware-as-a-service offering. Affiliates are guaranteed $10,000, with an initial cut of 60 percent, and then 70 percent after the first three payments are made, Krebs has reported. The remainder goes to the developers themselves.
However, with Sodinokibi, the developers are trying to keep their circle of affiliates smaller and more professional in nature. “We are not going to hire as many people as possible,” said one dark web forum message advertising Sodinokibi, according to Krebs.
But it’s not just their similar RaaS models that suggests GandCrab and Sodinokibi are linked to the same actor. In an April 30 blog post, researchers from Cisco’s Talos division recounted observing one Sodinokibi attack that later attempted to distribute GandCrab v5.2.
“We find it strange the attackers would choose to distribute additional, different ransomware on the same target,” the researchers wrote at the time. “Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing GandCrab.”
“In my opinion, this only shows that whoever owns the infection vector might be an affiliate of both threat actor groups that owns the ransomware,” added Christopher Elisan, director of threat intelligence at Flashpoint, in an interview with SC Media. “In RaaS, the threat actor groups that owns the ransomware usually do not have access to infection vectors. The infection vectors are owned by other threat actor groups. This is the reason why ransomware threat actor groups partner with them so their ransomware can be spread. It’s just like a delivery truck that went to the house of GandCrab and then went to the house of Sodinokibi and delivered both packages into the same house (the target) to reap more rewards.”
But there are other clues that also suggest a connection between the two ransomwares. Citing research from Kaspersky, Krebs noted how Sodinokobi’s developers took a page from GandCrab by warning potential affiliates that they should avoid infecting people based in Syria.
Back in 2018, GandCrab’s developers released decryption keys for all Syrian victims after one infected individual tweeted that he had lost access to pictures of his deceased children. By sparing Syrians in this manner, the attackers may have inadvertently aided researchers and law enforcement authorities in developing a decryptor tool — one of several that have been released to counter GandCrab’s multiple versions.
Additionally, Dutch security firm Tesorion noted in a recent report that GandCrab and Sodinokibi are similar in the ways they use strings to generate URLs that are incorporated into the infection process.
“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion states in its blog post.
Tesorion additionally reported that the number of new GandCrab binaries it has observed has “decreased significantly” following the appearance of Sodinokibi.
For now, Elisan from Flashpoint believes it’s difficult to assess whether the actors behind GandCrab are truly responsible for Sodinokibi. Nevertheless, he took note of yet one more trait shared between Sodin and later versions of GandCrab: the presence of a .lock file in infected machines.
“The purpose of this file is to tell GandCrab not to infect the machine where this file is located. The name of the .lock file is a hexadecimal value computed from the host’s root drive volume information using a custom algorithm in the ransomware code,” Elisan explained. “But with this similarity, it is possible that the threat actor group behind Sodinokibi just copied this feature by GandCrab. After all, most malware writers throw in features from different malware that are available in the wild or [that have their] source code leaked.”