On May 31, 2019, the developers of the highly profitable GandCrab ‘ransomware-as-a-service’ announced that they were retiring after earning over $2 billion USD since January 2018. The news was met with interest and skepticism within the security community, as multiple affiliate groups regularly conducted extremely successful GandCrab campaigns since its inception. After analyzing the threat landscape, Secureworks® Counter Threat Unit™ (CTU) researchers determined that some or all of GandCrab’s developers, which the CTU™ research team refers to as GOLD GARDEN, simply shifted their focus to a different ransomware variant.

Enter REvil

The REvil (also known as Sodinokibi) ransomware was first spotted in the wild (ITW) on April 17, when threat actors leveraged an Oracle WebLogic exploit to deliver both REvil and GandCrab. CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release.

Following the release of version 1.01 on May 7, the REvil developers, which CTU researchers refer to as GOLD SOUTHFIELD, began pushing a new release of the ransomware at the beginning of each month. The features and modifications of each version are listed in the Appendix of this blog post. As of this publication, August is the only skipped month. This cadence and the ransomware’s capabilities indicate a structured development process by dedicated and experienced malware authors.

After GOLD GARDEN’s retirement announcement, REvil activity increased with expanded delivery methods such as malicious spam campaigns and RDP attacks. This surge suggests that the ransomware operators deemed it ready for public release. On June 20, REvil was leveraged in a strategic web compromise (SWC) against the Italian WinRAR . it website, replacing the WinRAR installation executable with an instance of the malware to infect customers’ systems. On the same day, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs’ customers. Other high-profile supply-chain attacks involving REvil have impacted 22 Texas municipalities and hundreds of dentist offices in the United States. Figure 1 shows a timeline of REvil releases and malicious activity.

Ransomware: The GandCrab Connection
Figure 1. Timeline of REvil activity before and after GOLD GARDEN’s retirement announcement. (Source: Secureworks)

Connecting the dots

Numerous characteristics indicate that the same developers were involved in producing GandCrab and REvil, suggesting a connection between members of the GOLD GARDEN and GOLD SOUTHFIELD threat groups. In a technical analysis of REvil version 1.01, CTU researchers identified possible overlap between REvil and GandCrab. Even the earliest identified REvil sample (REvil Beta) included elements that appear to refer to GandCrab.

Nearly identical string decoding function

CTU researchers found that the string decoding functions employed by REvil and GandCrab are nearly identical. Because malware authors typically implement custom encoding/decoding logic in their malware, the code can be used as a fingerprint to identify other samples associated with the malware family. When analyzing REvil, CTU researchers identified and extracted a portion of the opcodes (outlined in red in Figure 2) associated with its string decoding function.

Ransomware: The GandCrab Connection
Figure 2. Opcodes for FOR-loop within REvil and GandCrab string decoder function. (Source: Secureworks)

When searching VirusTotal for samples containing this opcode pattern, 286 unique samples were identified. Further analysis of all 286 samples were confirmed to be either GandCrab or REvil (including REvil’s decryptor). CTU researchers have not identified other malware families using this opcode pattern as of this publication, supporting the theory that these malware families share code.

Similar URL building logic

REvil 1.00 implements URL building functionality that produces the same command and control (C2) URL pattern as GandCrab. The C2 URLs for both families consist of two URI subpaths followed by a randomly generated resource name and an extension (see Figure 3). The subpath names and extension are retrieved from the hard-coded values listed in Table 1.

Ransomware: The GandCrab Connection
Figure 3. Example C2 server URLs. (Source: Secureworks)

Values for first subpath Values for second subpath Extensions for resource
  • wp-content
  • static
  • content
  • include
  • uploads
  • news
  • data
  • admin

 

  • images
  • pictures
  • image
  • temp
  • tmp
  • graphic
  • assets
  • pics
  • game

 

Table 1. Hard-coded values for REvil and GandCrab C2 URLs.

While technically it would be possible for an unaffiliated threat actor to reproduce this logic within a separate malware family, doing so with such accuracy would require the threat actor to reverse engineer a GandCrab sample. Given the level of effort requires and the insignificant nature of the URI pattern, it is more likely that code originally created for GandCrab was repurposed in REvil.

Hints at GandCrab version 6

CTU analysis of the REvil Beta sample revealed two findings that are significant in proving a link between GandCrab and this first-identified version of REvil:

    • gcfin and gc6 debug paths — A debug path is typically created by the integrated development environment (IDE) used by the malware author. Competent malware authors remove this information prior to distribution, as it could reveal the malware’s name or details about the malware author’s environment. The REvil Beta sample includes the d:codecsrc!1new_agcfinbindebugrwenc_exe_x86_debug.pdb debug path. gcfin is the malware author’s name for the development project, and in context with other evidence appears to refer to “GandCrab Final”. Similarly, a discovered REvil file decryptor executable specifies the D:\gc6\core\src\common\debug.c debug path. The reference to gc6 in the debug path could be a reference to GandCrab 6, which suggests that REvil was originally intended as GandCrab version 6.

 

  • REvil version 6.00? — REvil populates a stat JSON data structure with information about the malware and the compromised host. Starting with REvil 1.00, the stat JSON is encrypted and sent to the attacker’s C2 server. CTU researchers determined that the integer value assigned to the ver key located within the stat JSON represents the malware version. REvil interprets the value as hexadecimal. The REvil Beta sample includes the hard-coded value 1536, which converts to hexadecimal is 0x600 and indicates version 6.00. This version does not align with REvil’s incremental numbering pattern as the next release is version 1.00, but it would align with the GandCrab numbering pattern given that the last observed version of GandCrab was 5.2.

 

Region whitelisting

Both REvil and GandCrab whitelist similar keyboard locales to prevent infection of Russia-based hosts. Malware authors commonly whitelist regions where they reside to prevent scrutiny from local law enforcement. This similarity does not establish a direct connection between REvil and GandCrab but does indicate that the malware authors likely reside in the same region.

Conclusion

GandCrab’s ‘ransomware-as-a-service model’ proved to be a highly lucrative endeavor for GOLD GARDEN, so it is unlikely that the threat actors abandoned all malicious activity. Characteristics of REvil that appear to be operational security mistakes by the malware authors enabled CTU researchers to technically link the REvil and GandCrab ransomware families. This link indicates that the malware authors have shifted their focus from GandCrab to REvil.

Appendix — REvil version features and modifications

REvil Beta
MD5: bed6fc04aeb785815744706239a1f243
SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
  • Privilege escalation via CVE-2018-8453 (64-bit only)
  • Rerun with RunAs to elevate privileges
  • Implements a requirement that if “exp” is set, privilege escalation must be successful for full execution to occur
  • Implements target whitelisting using GetKetboardLayoutList
  • Contains debug console logging functionality
  • Defines the REvil registry root key as SOFTWARE!test
  • Includes two variable placeholders in the ransom note: UID & KEY
  • Terminates processes specified in the “prc” configuration key prior to encryption
  • Deletes shadow copies and disables recovery
  • Wipes contents of folders specified in the “wfld” configuration key prior to encryption
  • Encrypts all non-whitelisted files on fixed drives
  • Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe
  • Partially implements a background image setting to display a basic “Image text” message
  • Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)

 

REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
  • Adds 32-bit implementation of CVE-2018-8453 exploit
  • Removes console debug logging
  • Changes the REvil registry root key to SOFTWARErecfg
  • Removes the System/Impersonation success requirement for encrypting network mapped drives
  • Adds a “wipe” key to the configuration for optional folder wiping
  • Fully implements the background image setting and leverages values defined in the “img” configuration key
  • Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT
  • Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL
  • Fixes the function that returns the victim’s username so the correct value is placed in the stats JSON data

 

REvil 1.01
MD5: 2abff29b4d87f30f011874b6e98959e9
SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
  • Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level
  • Makes encryption of network mapped drives optional by adding the “-nolan” argument

 

REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
  • Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage
  • Partially implements “lock file” logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to
    the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)
  • Enhances folder whitelisting logic that take special considerations if the folder is associated with “program files” directories
    • Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
    • Hard-codes whitelisting of “sql” subfolders within program files
    • Encrypts program files sub-folders that does not contain “sql” in the path
    • Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted
  • Encodes stored strings used for URI building within the binary and decodes them in memory right before use
  • Introduces a REvil registry root key “sub_key” registry value containing the attacker’s public key

 

REvil 1.03
MD5: 3cae02306a95564b1fff4ea45a7dfc00
SHA1: 0ce2cae5287a64138d273007b34933362901783d
SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf
  • Removes lock file logic that was partially implemented in 1.02
  • Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)
  • Encodes stored shellcode
  • Adds the -path argument:
    • Does not wipe folders (even if wipe == true)
    • Does not set desktop background
    • Does not contact the C2 server (even if net == true)
    • Encrypts files in the specified folder and drops the ransom note
  • Changes the REvil registry root key to SOFTWAREQtProjectOrganizationDefaults
  • Changes the registry key value names

 

Le 31. In May 2019, the developers of the highly profitable GandCrab ransomware-as-a-service have announced that they will take their retreat and will spend more than 2 billion dollars since January 2018. This new feature suspends the interest and scepticism of the security community, as many groups of affiliates have regularly undergone GandCrab campaigns that have been very successful since their creation. After analyzing the payment of the menaces, the researchers of Secureworks® Counter Threat Unit™ (CTU) discovered that some or all of the developers of GandCrab, that the CTU™ search team called GOLD GARDEN, simply had a change of orientation to focus on a different scenario.

Entrance REvil

REvil (also known under the name of Sodinokibi) a été relâché pour la première fois dans la nature (ITW) le 17. Avril, when the attackers used the Oracle WebLogic exploit to live at both REvil and GandCrab. The analysis of the CTU and the monitoring of REvil’s assessments suggest that the reimbursement logic may have been used between the 10th day of the refund period and the 10th day of the refund period. Le 7 avril et le 7. May has been developed and tested and was not intended for public use.

After the version 1.01 le 7. Le 1er mai, les dévelpeurs de REvil, que les chercheurs de la CTU appelent GOLD SOUTHFIELD, commente de faire publicité pour une nouvelle version de la rançon au début des each mois. The characteristics and modifications of each version are listed in the annexe of this blog. At the time of publication, the only thing missing is the mois d’août. These opportunities for cadence and repression imply a structured process of development that has been put into practice by the authors of previously experimented logics.

Following the announcement of the release of GOLD GARDEN, REvil’s activity has increased thanks to the expansion of methods of diffusion such as malicious spam campaigns and RDP attacks. This increase indique that the operators of the rançon have found it priced to be disseminated to the public. Le 20. June REvil has been used in a web strategic compromise (SWC) against the italien WinRAR site. It has replaced the file with an exécutable WinRAR installation by a logically designed instance to infect client systems. On the same day, the actors of the threat have injured at least three suppliers of generic services (MSP) and have used the access to deploy REvil to MSP clients. Other very mediatised attacks against the REVil supply chain have affected 22 communities in Texas and hundreds of Danish cabins in the United States. Figure 1 illustrates a diagram of the liberation of REvil and of the voluntary activity.

Ransomware: The GandCrab Connection
Figure 1. Durée de l’activité de REvil before and after the annonciation of GOLD GARDEN’s retirement. (Source : Secureworks)

Connexion of points

Numerous characteristics suggest that the same developers have been involved in the production of GandCrab and REvil, which suggests a link between the members of the GARDEN and GOLD SOUTHFIELD menace groups. In the technical analysis of version 1.01 of REvil, BE researchers have identified possible checks between REvil and GandCrab. Even the first échantillon identified by REvil (REvil Beta) contains elements that appear to be separate from GandCrab.

Fonction de décodage de chaîne presque identique

CTU researchers have found that the decoding functions of the colonies used by REvil and GandCrab are identical. As the authors of logiciels malveillants generally implement a personalized coding/decoding logic in their logiciels malveillants, the code can be used as a digital empire to identify other models associated with the family of logiciels malveillants. During the analysis of REvil, CTU researchers have decoded and extrapolated certain opcodes (cross-referenced in figure 2) linked to their colonial decoding function.

Ransomware: The GandCrab Connection
Figure 2. Opcodes pour la boucle FOR dans les fonctions de décodage de chaînes REvil et GandCrab. (Source : Secureworks)

Lorsque VirusTotal a recherché des échantillons contenant ce modèle d’opcode, 286 échantillons uniques ont été identifiés. A more detailed analysis of the 286 échantillons has confirmed that it is well within the GandCrab or the REvil (including the decoding of the REvil). Au moment de la publication, les chercheurs de la CTU n’ont trouvé aucune autre famille de logiciels malveillants utilisant cet échantillon d’opcode, ce qui soutient la théorie selon laquelle ces familles de logiciels malveillants partagent le code.

Logique similaire pour la structure URL

REvil 1.00 with en œuvre une fonctionnalité de construction d’URL qui crée le même modèle d’URL de commande et de contrôle (C2) que dans GandCrab. The URL C2 for the two families is made up of two sub-tubes URIs, followed by a nomination of a generic alphanumeric resource and an extension (see figure 3). The names of underperformers and extensions are extras to the values coded in table 1.

Ransomware: The GandCrab Connection
Figure 3. Exemple d’URL du serveur C2. (Source : Secureworks)

Valeurs pour la premiere voie Valeurs pour la deuxième piste partielle Extensions of resources
  • contenu du wp
  • statique
  • Contenu de
  • activer
  • telécharges.
  • Nouvelles à
  • Données
  • Administrator

 

  • photos
  • photos
  • Photo
  • Employé temporaire
  • tmp
  • site web joke
  • Actifs
  • photos
  • Jeu

 

 

Tableau 1. Please note the URL C2 for REvil and GandCrab.

If it were technically possible for an agent of menace not attached to reproduce this logique au sein d’une seule famille de logiciels malveillants, l’agent de menace devrait redessiner l’échantillon de GandCrab pour le faire avec une such précision. Taking into account the effort required and the insignificance of the URI model, it is more likely that the code initially created for GandCrab has been reprofiled under the name of REvil.

Conseils in version 6 of GandCrab

BE de l’échantillon bêta de REvil has given two results which are relevant for demonstrating the relationship between GandCrab and this first identified version of REvil :

    • GBfin and GB6 debugging chemicals – the debugging chemical is generally created by the Integrated Development Environment (IDE) used by the author of the malware. The authors of logiciels malveillants compétents suppriment ces informations avant la distribution, car ils peuvent révéler le nom du logiciel malveillant ou des détails sur l’environnement malveillant de l’auteur. The example REvil beta contient le chemin de débogage d:codecsrc!1new_agcfinbindebugrwenc_exe_x86_debug.pdb. gcfin is the name of the author of the malware for the development project, and in the context of other findings, it seems to refer to GandCrab Final. De même, le fichier de décryptage découvert REvil indique le chemin de débogage D:\gc6\core\src\c\common\debug.c. Een lien vers gc6 dans le chemin de débogage peut être un lien vers GandCrab 6, indiquant que REvil a été conçu à l’origine comme la version 6 de GandCrab.

 

  • REvil version 6.00? – Review the statistics on the structure of the JSON data with information on the programme and the current compromise. From REvil 1.00, the JSON statistics are encrypted and sent to serve C2 of the attacker. CTU researchers have determined that the actual value attributed to the cloud in the JSON statics is a version of the malware. REvil interprète la valeur comme étant hexadécimale. The example REvil shows a value coded in dur 1536 which is converted into a hexadécimal value of 0x600, indiquant to the 6.00 version. This version does not correspond to the incrémentielle REvil numerérotation model, because the next version is 1.00, but it corresponds to the GandCrab numerérotation model, because the third version observed by GandCrab was 5.2.

 

Liste blanche régionale

REvil and GandCrab both have a list of blank cards with similar symbols to prevent the infection of Russian hotels. The authors of logiciels malveillants generally dress a blank list of regions in which they live in order to monitor the local police services of the examiner. This similitude n’établit pas de lien direct entre REvil et GandCrab, but suggests that the authors of logiciels malveillants live very probable in the same region.

Conclusion

The model of rançon as a GandCrab service is very profitable for GOLD GARDEN, which makes it very probable that the attackers have abandoned any action malveillante. REvil’s functionalities, which the authors of the malware consider to be operational security terrorists, have allowed CTU researchers to technically retrieve the soldier’s families from rançon REvil and GandCrab. Ce lien indique que les authors du malware ontplacé l’attention de GandCrab vers REvil.

Appendice – Caractéristiques et modifications de la REvil

Beta Reville
MD5 : bed6fc04aeb785815744706239a1f243
SHA1 : 3d0649b5f76dbff9f86b926afbbd18ae028946bf
SHA256 : 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
  • Escalade des privilèges via CVE-2018-8453 (64 bits seulement)
  • Execution renewed with the RunA to increase privileges
  • This implies that if exp has been installed, the escalation of priviliges must be successful so that the complete execution has taken place.
  • Entrez dans la liste blanche cible en utilisant le GetKetboardLayoutList.
  • Includes a debogging console function for journalisation.
  • Définit la clé racine de l’enregistrement REvil comme un LOGICIEL !
  • Contient deux variables du payeur dans le bordereau de cash-on-delivery : UID & KEY
  • Arrête les procesus spécifiés dans la clé de configuration prc avant le cryptage.
  • Suppressing copies of copying and deactivating recovery
  • Suppress the content of specific files in the cloud configuration prior to cryptography
  • Crypt all the files that are not on the blank list on the fixed discs.
  • Chiffre tous les fichiers qui ne sont pas sur la liste blanche des lecteurs mappés du réseau s’il fonctionne avec des authorisations au level du système ou s’il peut incarnermt le contexte de sécurité d’explorer.exe.
  • Partially apply the regulation of the image of the fund to highlight the principal image of the message text.
  • Transmit cryptographic data in the C2 domain via an HTTPS POST request (the structure of the URI chemical is not implied).

 

REvil 1.00
MD5 : 65aa793c000762174b2f8607bdafaeaSHA1 : 95a21e764ad 8ea3d034d293aee5511e7c8457SHA256 : f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc.
  • Addition of a 32-bit implementation of the CVE-2018-8453 exploit.
  • Suppress the console debogging protocole
  • Changing the racing scene of the REvil registration in SOFTWARErecfg
  • Suppressing the condition of resilience according to which the system/press must crystallise the indiqués réseau lecteurs sur la carte.
  • Add a suppression clause to the configuration for the suppression of additional files
  • Implicitly implement the regulation of the image of the foundation and use the values defined in the configuration class.
  • Ajoute la variable EXT à la note de rachat pour prendre en charge UID, KEY et EXT.
  • The structure of the URI access road is in crisis so that the data requested by the system are sent to a pseudo-aléatoire URL C2.
  • The function that changed the name of the victim in order to define the correct value in the JSON data statistics has been corrected.

 

REvil 1.01
MD5 : 2abff29b4d87f30f011874b6e98959e9
SHA1 : 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256 : a88e2857a2f3922b44247316642f08ba8665185297e3cd958bd22a83f380feb
  • Suppress the request for explicit/privileged escalation for a complete and cryptic execution of the data as far as the level of authorisation is concerned.
  • Rend lecteurs mappés op le réseau facultatif in addition to the -nolan argument.

 

REvil 1.02
MD5 : 4af953b20f3a1f165e7cf31d6156c035SHA1 : b859de5ffcb90e4ca8e304d81a4f8 785bb299SHA256 : 89d80016ff4c660 dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4.
  • Améliore la vérification des listes blanches ajout les inspections GetUserDefaultUILanguage et GetSystemDefaultUILanguage.
  • Implicitly, partially, the logic of the exchange file by creating a name for the exchange file based on the four first octets of the horsepower code decoded at Base64, to which the extension is added.lock, and adding the name of the file to the blank list
    of files in the REvil configuration (this value does not seem to be referenced after its creation and storage in memory). There is no proof that the file has been moved on the discourse dur).
  • Improve the logic of the blank list of dossiers, which is particularly important when a dossier is associated with programme-filing responses
    • Clear list of all direct contents in the programme files or x86 repertoires.
    • Cristalline blank list of basic performances to be found in the programme files
    • Crypts the files of the programme files that are not known in the access area.
    • compare les autres dossiers avec la liste blanche des dossiers spécifiés dans la configuration de REvil pour déterminer s’il s’agit de listes blanches
  • Chiffre les chaines de caractères stockées utilisées pour la constructère un URI dans un fichier binaire et les décryptte in mémoire immédiatement avant utilisé.
  • Représente la valeur de la sous-clé racine du registre REvil qui contient la clé publique de l’attaquant

 

REvil 1.03
MD5 : 3cae02306a95564b1ff4ea45a7dfc00
SHA1 : 0ce2cae5287a64138d273007b34933362901783d
SHA256 : 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bf
  • Suppresses the logic of the exchange file which was partially implemented in version 1.02.
  • Use WMI to continuously monitor and disrupt the new launches process, the names of which are reflected in the configuration prc (the previous versions execute this action once).
  • The codes stored in the scallops
  • Ajoute un argument à la voie :
    • Ne supprime pas les dossiers (même si elle supprime == true)
    • Ne fixe pas le fond d’écran du bureau
    • Ne contacte pas le serveur C2 (même si net == true)
    • Crypt the files in the specific file and reinitialise the request for rank.
  • Change the race track of the REvil registration in SOFTWAREQtProjectOrganizationDefaults
  • Modification of the value of the names of the members of the register

 

REvil 1.04
MD5 : 6e3efb83299d800edf1624ecbc0665e7
SHA1 : 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256 : 2ca64feaaf5ab6cf9667fbc2bc0e1995b3bc93472d7af884139a757240e3f6
  • Utilise PowerShell and WMI to suppress the victim’s copying when the victim’s exploitation system is more recent than Windows XP (for Windows XP or earlier, it uses the command of origin that was executed in all the earlier versions of REvil).
  • Suppressing the possibility of suppressing files
  • Changing the racing scene of the REvil register in SOFTWAREGitForWindows
  • Modification of the value of the names of the members of the register

 

revil ransomware decryptor,sodinokibi ransomware symantec

Share: