New REvil ransomware attributed to GandCrab Developers

Back in May this year, the developers behind the GandCrab ransomware-as-a-service (RaaS) operation announced their “retirement”, claiming to have profited more than $2bn since January 2018.

But recently, security researchers at Secureworks say they have discovered links between the thought-to-be-disbanded group and a strain of ransomware dubbed REvil, or Sodinokibi.

Researchers have noted “numerous characteristics” that would suggest the same developers were involved in the production of both GandCrab and REvil, including “nearly identical” coding.

According to Secureworks' Counter Threat Unit (CTU), the REvil (also known as Sodinokibi) ransomware was first spotted in the wild (ITW) on April 17, when threat actors leveraged an Oracle WebLogic exploit to deliver both REvil and GandCrab in the same campaign. CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release at that stage.

Ransomware attacks are continuing to rise in number and sophistication.

Indicators of compromise (IOCs)

File hashes (MD5):

  • e713658b666ff04c9863ebecb458f174
  • bf9359046c4f5c24de0a9de28bbabd14
  • 177a571d7c6a6e4592c60a78b574fe0e
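A hash list is only useful if it is actually swept against a file system, and a hash IOC matches only a byte-identical sample (a repacked or re-signed build will have a different digest), so it complements rather than replaces behavioural detection. The following Python script is an added example, not part of the original post or of Secureworks' tooling: it validates the three MD5 values above, streams every regular file under a root directory through MD5, and reports matches. The demo tree it builds and the `build_demo_tree`, `scan_tree` and `normalise_iocs` names are constructed for illustration and are not from the post.

```python
"""Sweep a directory tree for files whose MD5 matches a list of
ransomware indicators.  Added example, not part of the original post
or of Secureworks' tooling."""
import hashlib
import os
import re
import tempfile
from typing import Iterable, List, Set, Tuple

# The three file hashes published in the post above (32 hex chars, i.e. MD5).
IOC_MD5: Set[str] = {
    "e713658b666ff04c9863ebecb458f174",
    "bf9359046c4f5c24de0a9de28bbabd14",
    "177a571d7c6a6e4592c60a78b574fe0e",
}

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def normalise_iocs(hashes: Iterable[str]) -> Set[str]:
    """Lower-case and validate hash strings; reject anything that is not a
    32-character hex MD5 so a typo in the feed cannot silently disable a match."""
    out: Set[str] = set()
    for h in hashes:
        h = h.strip().lower()
        if not _MD5_RE.match(h):
            raise ValueError(f"not an MD5 hex digest: {h!r}")
        out.add(h)
    return out


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory buffer, lower-case hex."""
    return hashlib.md5(data).hexdigest()


def file_md5(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large samples need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, iocs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, md5) for every regular file under root whose digest is
    in iocs.  Symlinks are skipped and unreadable files are ignored rather
    than aborting the sweep."""
    wanted = normalise_iocs(iocs)
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = file_md5(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def build_demo_tree() -> Tuple[str, str]:
    """Create a constructed sample tree (two harmless text files, not malware)
    and return (root, md5 of one of them) so the scan can be exercised offline."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    os.makedirs(os.path.join(root, "sub"))
    sample = b"constructed sample payload, not malware\n"
    with open(os.path.join(root, "sub", "suspect.bin"), "wb") as f:
        f.write(sample)
    with open(os.path.join(root, "benign.txt"), "wb") as f:
        f.write(b"unrelated file\n")
    return root, md5_hex(sample)


if __name__ == "__main__":
    root, h = build_demo_tree()
    # Against the constructed indicator the suspect file is found...
    print(scan_tree(root, {h}))
    # ...and against the post's real IOCs nothing in the demo tree matches.
    print(scan_tree(root, IOC_MD5))
```

Run it against a real host with `scan_tree("/", IOC_MD5)` (or a mounted image) from an account that can read the paths of interest; a hit is worth a second look, but an empty result only says that none of these exact builds is present.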

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
