Back in May this year, the developers behind the GandCrab Ransomware-as-a-Service (RaaS) operation announced their "retirement", claiming to have profited by more than $2bn since January 2018.
But recently, security researchers at Secureworks say they have discovered links between the thought-to-be-disbanded group and a strain of ransomware dubbed REvil, or Sodinokibi.
The researchers have noted "numerous characteristics" suggesting that the same developers were involved in producing both GandCrab and REvil, including "nearly identical" code.
The REvil (also known as Sodinokibi) ransomware was first spotted in the wild (ITW) on April 17, when threat actors leveraged an Oracle WebLogic exploit to deliver both REvil and GandCrab. CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release.
Ransomware attacks are continuing to rise in number and sophistication.
Indicators of compromise (IOCs)