GandCrab ransomware team may have rebranded, not retired, to push more advanced 'REvil' ransomware

GandCrab gang not retiring, but rebranding to offer a more exclusive, lower profile 'service'

The gang behind the GandCrab ransomware may not be retiring, but instead rebranding to offer a more exclusive ransomware service with more advanced 'REvil' ransomware.

That's according to researchers from various cybersecurity firms who spoke to security journalist Brian Krebs.

In May, cybercriminals offering GandCrab ransomware-as-a-service (RaaS) said that they had decided to retire after earning over $2 billion in ransom from victims.

"We are getting a well-deserved retirement," the GandCrab administrators wrote in their farewell message. "We are a living proof that you can do evil and get off scot-free," they added.

Now, researchers from various cybersecurity firms believe that there is enough evidence to suggest that the actors behind GandCrab haven't retired, but instead quietly rebranded to propagate a more sophisticated range of ransomware, called 'REvil,' 'Sodinokibi,' and 'Sodin.'

The REvil ransomware was first spotted in April by Cisco Talos researchers, who found that it was used to deploy GandCrab in various systems.

Later, in the first half of May, a user with the nickname "Unknown" announced on two darknet forums that he was looking to hire a few affiliates to drive a new RaaS offering. The person offered affiliates a cut of 60 per cent, and guaranteed $10,000 to each hired affiliate (maximum five affiliates).

"Your cut is 60 per cent at the beginning and 70 per cent after the first three payments are made," 'Unknown' told forum members.

The person also revealed that the team behind the new RaaS offering had been working for many years in this field.

'Unknown' refused to reveal the name of the new ransomware service on those forums and added that affiliates won't be allowed to instal their ransomware in member countries of the Commonwealth of Independent States. These include Armenia, Belarus, Moldova, Kazakhstan, Kyrgyzstan, Turkmenistan, Tajikistan, Uzbekistan, Ukraine and, of course, Russia.

Researchers also noticed that Syria is excluded from the 'REvil' target list. It is interesting to note here that GandCrab eventually came to an end after the RaaS actors decided to release the decryption keys for ransomware victims based in Syria.

Following the release of the decryption keys, the No More Ransom project rolled out a free GandCrab decryption tool that was developed by security firm Bitdefender in partnership with the Romanian police and law enforcement agencies from various countries.

In its recent report, Dutch security firm Tesorion also said that it had found many similarities between the ways in which the REvil and GandCrab ransomware families generate URLs to infect systems.

Earlier this month, security researchers from Kaspersky warned that Sodinokibi ransomware had started exploiting a zero-day Windows vulnerability to infect systems. Prior to that, the attackers were exploiting a flaw in Oracle WebLogic to spread the ransomware.