Last month, GandCrab’s developers publicly disclosed that they were retiring after raking in roughly £1.6 billion in extortion payments. But this announcement may have been misleading at best, according to security researcher Brian Krebs, who says in a blog post that GandCrab’s developers may have merely reorganised.
"My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators," Krebs states in his report. "It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise."
Also known as Sodin and REvil, Sodinokibi first came to light in April 2019. Like GandCrab, Sodinokibi has been made available on dark web forums to cybercriminal "affiliates" as a ransomware-as-a-service offering. Affiliates are guaranteed $10,000 (£8,000), with an initial cut of 60 percent, rising to 70 percent after the first three payments are made, Krebs has reported. The remainder goes to the developers themselves.
However, with Sodinokibi, the developers are trying to keep their circle of affiliates smaller and more professional in nature. "We are not going to hire as many people as possible," said one dark web forum message advertising Sodinokibi, according to Krebs.
But it’s not just their similar RaaS models that suggest GandCrab and Sodinokibi are linked to the same actor. In a blog post on 30 April, researchers from Cisco’s Talos division recounted observing one Sodinokibi attack that later attempted to distribute GandCrab v5.2.
"We find it strange the attackers would choose to distribute additional, different ransomware on the same target," the researchers wrote at the time. "Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing GandCrab."
Citing research from Kaspersky, Krebs also noted how Sodinokibi’s developers took a page from GandCrab by warning potential affiliates that they should avoid infecting people based in Syria.
Back in 2018, GandCrab’s developers released decryption keys for all Syrian victims after one infected individual tweeted that he had lost access to pictures of his deceased children. By sparing Syrians in this manner, the attackers may have inadvertently aided researchers and law enforcement authorities in developing a decryptor tool — one of several that have been released to counter GandCrab’s multiple versions.
Additionally, Dutch security firm Tesorion noted in a recent report that GandCrab and Sodinokibi are similar in the ways they use strings to generate URLs that are incorporated into the infection process.
"Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated," Tesorion states in its blog post.
Tesorion additionally reported that the number of new GandCrab binaries it has observed has "decreased significantly" following the appearance of Sodinokibi.
This article was originally published on SC Media US.