By: Nelly ALI
The developers of the highly profitable GandCrab ‘ransomware-as-a-service’ announced that they were retiring after earning over $2 billion USD since January 2018. The news was met with interest and skepticism within the security community, because multiple affiliate groups had conducted extremely successful GandCrab campaigns since its inception. After analyzing the threat landscape, Secureworks® Counter Threat Unit™ (CTU) researchers determined that some or all of GandCrab’s developers, which the CTU™ research team refers to as GOLD GARDEN, simply shifted their focus to a different ransomware variant.
The REvil (also known as Sodinokibi) ransomware was first spotted in the wild (ITW) on April 17, when threat actors leveraged an Oracle WebLogic exploit to deliver both REvil and GandCrab. CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release.
Following the release of version 1.01 on May 7, the REvil developers, which CTU researchers refer to as GOLD SOUTHFIELD, began pushing a new release of the ransomware at the beginning of each month. The features and modifications of each version are listed in the Appendix of this blog post. As of this publication, August is the only skipped month. This cadence and the ransomware’s capabilities indicate a structured development process by dedicated and experienced malware authors.
After GOLD GARDEN’s retirement announcement, REvil activity increased, with expanded delivery methods such as malicious spam campaigns and RDP attacks. This surge suggests that the ransomware operators deemed it ready for public release. On June 20, REvil was leveraged in a strategic web compromise (SWC) against the Italian WinRAR.it website, replacing the WinRAR installation executable with an instance of the malware to infect customers’ systems. On the same day, threat actors breached at least three managed service providers (MSPs) and used that access to deploy REvil to the MSPs’ customers. Other high-profile supply-chain attacks involving REvil have impacted 22 Texas municipalities and hundreds of dentist offices in the United States. Figure 1 shows a timeline of REvil releases and malicious activity.