On May 31, 2019, the developers of the highly profitable GandCrab 'ransomware-as-a-service' announced that they were retiring after earning over $2 billion USD since January 2018. The news was met with interest and skepticism within the security community, as multiple affiliate groups regularly conducted extremely successful GandCrab campaigns since its inception. After analyzing the threat landscape, Secureworks® Counter Threat Unit™ (CTU) researchers determined that some or all of GandCrab's developers, which the CTU™ research team refers to as GOLD GARDEN, simply shifted their focus to a different ransomware variant.
The REvil (also known as Sodinokibi) ransomware was first spotted in the wild (ITW) on April 17, when threat actors leveraged an Oracle WebLogic exploit to deliver both REvil and GandCrab. CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release.
Following the release of version 1.01 on May 7, the REvil developers, which CTU researchers refer to as GOLD SOUTHFIELD, began pushing a new release of the ransomware at the beginning of each month. The features and modifications of each version are listed in the Appendix of this blog post. As of this publication, August is the only skipped month. This cadence and the ransomware's capabilities indicate a structured development process by dedicated and experienced malware authors.
After GOLD GARDEN's retirement announcement, REvil activity increased with expanded delivery methods such as malicious spam campaigns and RDP attacks. This surge suggests that the ransomware operators deemed it ready for public release. On June 20, REvil was leveraged in a strategic web compromise (SWC) against the Italian WinRAR . it website, replacing the WinRAR installation executable with an instance of the malware to infect customers' systems. On the same day, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs' customers. Other high-profile supply-chain attacks involving REvil have impacted 22 Texas municipalities and hundreds of dentist offices in the United States. Figure 1 shows a timeline of REvil releases and malicious activity.
Figure 1. Timeline of REvil activity before and after GOLD GARDEN's retirement announcement. (Source: Secureworks)
Connecting the dots
Numerous characteristics indicate that the same developers were involved in producing GandCrab and REvil, suggesting a connection between members of the GOLD GARDEN and GOLD SOUTHFIELD threat groups. In a technical analysis of REvil version 1.01, CTU researchers identified possible overlap between REvil and GandCrab. Even the earliest identified REvil sample (REvil Beta) included elements that appear to refer to GandCrab.
Nearly identical string decoding function
CTU researchers found that the string decoding functions employed by REvil and GandCrab are nearly identical. Because malware authors typically implement custom encoding/decoding logic in their malware, the code can be used as a fingerprint to identify other samples associated with the malware family. When analyzing REvil, CTU researchers identified and extracted a portion of the opcodes (outlined in red in Figure 2) associated with its string decoding function.
Figure 2. Opcodes for FOR-loop within REvil and GandCrab string decoder function. (Source: Secureworks)
When searching VirusTotal for samples containing this opcode pattern, 286 unique samples were identified. Further analysis of all 286 samples were confirmed to be either GandCrab or REvil (including REvil's decryptor). CTU researchers have not identified other malware families using this opcode pattern as of this publication, supporting the theory that these malware families share code.
Similar URL building logic
REvil 1.00 implements URL building functionality that produces the same command and control (C2) URL pattern as GandCrab. The C2 URLs for both families consist of two URI subpaths followed by a randomly generated resource name and an extension (see Figure 3). The subpath names and extension are retrieved from the hard-coded values listed in Table 1.
Figure 3. Example C2 server URLs. (Source: Secureworks)
|Values for first subpath||Values for second subpath||Extensions for resource|
Table 1. Hard-coded values for REvil and GandCrab C2 URLs.
While technically it would be possible for an unaffiliated threat actor to reproduce this logic within a separate malware family, doing so with such accuracy would require the threat actor to reverse engineer a GandCrab sample. Given the level of effort requires and the insignificant nature of the URI pattern, it is more likely that code originally created for GandCrab was repurposed in REvil.
Hints at GandCrab version 6
CTU analysis of the REvil Beta sample revealed two findings that are significant in proving a link between GandCrab and this first-identified version of REvil:
- gcfin and gc6 debug paths — A debug path is typically created by the integrated development environment (IDE) used by the malware author. Competent malware authors remove this information prior to distribution, as it could reveal the malware's name or details about the malware author's environment. The REvil Beta sample includes the d:\code\csrc\!1\new_a\gcfin\bin\debug\rwenc_exe_x86_debug.pdb debug path. gcfin is the malware author's name for the development project, and in context with other evidence appears to refer to “GandCrab Final”. Similarly, a discovered REvil file decryptor executable specifies the D:\\gc6\\core\\src\\common\\debug.c debug path. The reference to gc6 in the debug path could be a reference to GandCrab 6, which suggests that REvil was originally intended as GandCrab version 6.
- REvil version 6.00? — REvil populates a stat JSON data structure with information about the malware and the compromised host. Starting with REvil 1.00, the stat JSON is encrypted and sent to the attacker's C2 server. CTU researchers determined that the integer value assigned to the ver key located within the stat JSON represents the malware version. REvil interprets the value as hexadecimal. The REvil Beta sample includes the hard-coded value 1536, which converts to hexadecimal is 0x600 and indicates version 6.00. This version does not align with REvil's incremental numbering pattern as the next release is version 1.00, but it would align with the GandCrab numbering pattern given that the last observed version of GandCrab was 5.2.
Both REvil and GandCrab whitelist similar keyboard locales to prevent infection of Russia-based hosts. Malware authors commonly whitelist regions where they reside to prevent scrutiny from local law enforcement. This similarity does not establish a direct connection between REvil and GandCrab but does indicate that the malware authors likely reside in the same region.
GandCrab's 'ransomware-as-a-service model' proved to be a highly lucrative endeavor for GOLD GARDEN, so it is unlikely that the threat actors abandoned all malicious activity. Characteristics of REvil that appear to be operational security mistakes by the malware authors enabled CTU researchers to technically link the REvil and GandCrab ransomware families. This link indicates that the malware authors have shifted their focus from GandCrab to REvil.
Appendix — REvil version features and modifications