On May 31, 2019, the developers of the highly profitable GandCrab ‘ransomware-as-a-service’ announced that they were retiring after earning over $2 billion USD since January 2018. The news was met with interest and skepticism within the security community, as multiple affiliate groups regularly conducted extremely successful GandCrab campaigns since its inception. After analyzing the threat landscape, Secureworks® Counter Threat Unit™ (CTU) researchers determined that some or all of GandCrab’s developers, which the CTU™ research team refers to as GOLD GARDEN, simply shifted their focus to a different ransomware variant.
The REvil (also known as Sodinokibi) ransomware was first spotted in the wild (ITW) on April 17, when threat actors leveraged an Oracle WebLogic exploit to deliver both REvil and GandCrab. CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release.
Following the release of version 1.01 on May 7, the REvil developers, which CTU researchers refer to as GOLD SOUTHFIELD, began pushing a new release of the ransomware at the beginning of each month. The features and modifications of each version are listed in the Appendix of this blog post. As of this publication, August is the only skipped month. This cadence and the ransomware’s capabilities indicate a structured development process by dedicated and experienced malware authors.
After GOLD GARDEN’s retirement announcement, REvil activity increased with expanded delivery methods such as malicious spam campaigns and RDP attacks. This surge suggests that the ransomware operators deemed it ready for public release. On June 20, REvil was leveraged in a strategic web compromise (SWC) against the Italian WinRAR.it website, replacing the WinRAR installation executable with an instance of the malware to infect customers’ systems. On the same day, threat actors breached at least three managed service providers (MSPs) and used that access to deploy REvil to the MSPs’ customers. Other high-profile supply-chain attacks involving REvil have impacted 22 Texas municipalities and hundreds of dentist offices in the United States. Figure 1 shows a timeline of REvil releases and malicious activity.
Figure 1. Timeline of REvil activity before and after GOLD GARDEN’s retirement announcement. (Source: Secureworks)
Connecting the dots
Numerous characteristics indicate that the same developers were involved in producing GandCrab and REvil, suggesting a connection between members of the GOLD GARDEN and GOLD SOUTHFIELD threat groups. In a technical analysis of REvil version 1.01, CTU researchers identified possible overlap between REvil and GandCrab. Even the earliest identified REvil sample (REvil Beta) included elements that appear to refer to GandCrab.
Nearly identical string decoding function
CTU researchers found that the string decoding functions employed by REvil and GandCrab are nearly identical. Because malware authors typically implement custom encoding/decoding logic in their malware, the code can be used as a fingerprint to identify other samples associated with the malware family. When analyzing REvil, CTU researchers identified and extracted a portion of the opcodes (outlined in red in Figure 2) associated with its string decoding function.
Figure 2. Opcodes for FOR-loop within REvil and GandCrab string decoder function. (Source: Secureworks)
Searching VirusTotal for samples containing this opcode pattern returned 286 unique samples. Further analysis confirmed that all 286 samples were either GandCrab or REvil (including REvil’s decryptor). CTU researchers have not identified other malware families using this opcode pattern as of this publication, supporting the theory that these malware families share code.
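The pivot described above works because the operands of a decode loop (XOR key, jump displacement) change between builds while the opcode skeleton does not, so masking the operands out yields a fingerprint that survives recompilation. The following is an added example of that technique, not Secureworks code: the hex pattern, the three byte buffers and the instruction listing in the comments are constructed for the illustration and are not the real opcodes from Figure 2.

```python
"""Opcode-pattern fingerprinting of a decoder routine.  Added illustration,
not Secureworks code: the pattern and the three byte buffers below are
constructed for the example and are NOT the real opcodes of Figure 2."""
import re
from typing import Dict, List

# YARA-style hex string.  Each "??" masks one byte that varies between builds
# (here the XOR key immediate and the loop's jump displacement) so that only
# the opcode skeleton of the decode loop is matched.  Constructed pattern:
#   8A 04 0E      mov  al, [esi+ecx]
#   34 ??         xor  al, imm8
#   88 04 0B      mov  [ebx+ecx], al
#   41            inc  ecx
#   3B CA         cmp  ecx, edx
#   72 ??         jb   rel8
DECODER_LOOP_PATTERN = "8A 04 0E 34 ?? 88 04 0B 41 3B CA 72 ??"

# Constructed "samples": two builds of the same decoder with a different key
# and prologue, and one unrelated routine that XORs with a register (32 C2)
# instead of an immediate, so the skeleton differs by one opcode byte.
SAMPLE_A = (b"\x55\x8B\xEC\x33\xC9"
            b"\x8A\x04\x0E\x34\x5A\x88\x04\x0B\x41\x3B\xCA\x72\xF3"
            b"\x5D\xC3")
SAMPLE_B = (b"\x55\x8B\xEC\x56\x57\x33\xC9"
            b"\x8A\x04\x0E\x34\xC3\x88\x04\x0B\x41\x3B\xCA\x72\xF3"
            b"\x5F\x5E\x5D\xC3")
UNRELATED = (b"\x55\x8B\xEC\x33\xC9"
             b"\x8A\x04\x0E\x32\xC2\x88\x04\x0B\x41\x3B\xCA\x72\xF3"
             b"\x5D\xC3")


def compile_hex_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Translate a hex string with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")          # any single byte (DOTALL below)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(blob: bytes, pattern: str = DECODER_LOOP_PATTERN) -> List[int]:
    """Return every offset at which the opcode pattern occurs in blob."""
    rx = compile_hex_pattern(pattern)
    return [m.start() for m in rx.finditer(blob)]


def fingerprint_samples(samples: Dict[str, bytes],
                        pattern: str = DECODER_LOOP_PATTERN) -> Dict[str, List[int]]:
    """Run the fingerprint over a corpus; samples with hits share the decoder."""
    return {name: find_pattern(data, pattern) for name, data in samples.items()}


if __name__ == "__main__":
    hits = fingerprint_samples({"sample_a": SAMPLE_A, "sample_b": SAMPLE_B,
                                "unrelated": UNRELATED})
    for name, offsets in hits.items():
        print(f"{name:10s} {'match at ' + str(offsets) if offsets else 'no match'}")
```

Against a real corpus the same pattern is expressed as a YARA hex string (the `??` wildcards are YARA syntax) or as a VirusTotal content search; the value of the fingerprint depends on masking every operand that a recompile can change and nothing else, which is why the unrelated routine above, differing by a single opcode byte, is correctly rejected.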
Similar URL building logic
REvil 1.00 implements URL building functionality that produces the same command and control (C2) URL pattern as GandCrab. The C2 URLs for both families consist of two URI subpaths followed by a randomly generated resource name and an extension (see Figure 3). The subpath names and extension are retrieved from the hard-coded values listed in Table 1.
Figure 3. Example C2 server URLs. (Source: Secureworks)
Values for first subpath | Values for second subpath | Extensions for resource

Table 1. Hard-coded values for REvil and GandCrab C2 URLs.
While it would technically be possible for an unaffiliated threat actor to reproduce this logic within a separate malware family, doing so with such accuracy would require the threat actor to reverse engineer a GandCrab sample. Given the level of effort required and the insignificant nature of the URI pattern, it is more likely that code originally created for GandCrab was repurposed in REvil.
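The URL shape described above (two subpaths drawn from fixed lists, then a random resource name and an extension) can be reproduced and, from the defender's side, matched in proxy logs. The following is an added example, not CTU or malware code. The three value lists are illustrative placeholders: the real hard-coded subpaths and extensions are in Table 1 of the original post and are not reproduced here, the bounds on the random name length are assumed, and the proxy log is constructed.

```python
"""REvil/GandCrab-style C2 URL construction and a matching log heuristic.
Added example, not CTU or malware code.  The value lists are ILLUSTRATIVE
PLACEHOLDERS for the hard-coded values in Table 1 of the original post."""
import random
import re
import string
from typing import List
from urllib.parse import urlsplit

FIRST_SUBPATHS = ["wp-content", "static", "content", "include", "uploads"]  # placeholder
SECOND_SUBPATHS = ["images", "pictures", "image", "temp", "tmp"]            # placeholder
EXTENSIONS = ["jpg", "png", "gif"]                                          # placeholder
NAME_MIN, NAME_MAX = 3, 12   # assumed bounds for the random resource name


def build_c2_url(domain: str, rng: random.Random) -> str:
    """Reproduce the URL shape: /<subpath1>/<subpath2>/<random name>.<ext>."""
    name_len = rng.randint(NAME_MIN, NAME_MAX)
    name = "".join(rng.choice(string.ascii_lowercase) for _ in range(name_len))
    return (f"https://{domain}/{rng.choice(FIRST_SUBPATHS)}/"
            f"{rng.choice(SECOND_SUBPATHS)}/{name}.{rng.choice(EXTENSIONS)}")


def _alts(values: List[str]) -> str:
    return "|".join(re.escape(v) for v in values)


# Detector derived from the same lists.  Anchored on the whole path so that
# deeper legitimate paths (e.g. /wp-content/themes/x/style.css) do not match.
C2_PATH_RE = re.compile(
    rf"^/({_alts(FIRST_SUBPATHS)})/({_alts(SECOND_SUBPATHS)})/"
    rf"[a-z]{{{NAME_MIN},{NAME_MAX}}}\.({_alts(EXTENSIONS)})$")


def is_c2_pattern(url: str) -> bool:
    return C2_PATH_RE.match(urlsplit(url).path) is not None


def flag_c2_like(log_text: str) -> List[int]:
    """Return 1-based line numbers of proxy-log lines whose URL fits the pattern.
    Assumed log format (constructed): '<timestamp> <client> <method> <url> <status>'."""
    flagged = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) >= 4 and is_c2_pattern(fields[3]):
            flagged.append(lineno)
    return flagged


def generated_urls_match(seed: int, count: int = 25) -> bool:
    """Self-check: every URL the builder emits is caught by the detector."""
    rng = random.Random(seed)
    return all(is_c2_pattern(build_c2_url("example.org", rng)) for _ in range(count))


# Constructed proxy log: lines 1 and 3 fit the pattern; line 3 shows the
# false-positive risk (a genuine /static/images/logo.png looks the same).
PROXY_LOG = """\
2019-07-01T10:02:11Z 10.0.0.5 POST https://example.org/wp-content/images/fjkdsl.jpg 200
2019-07-01T10:02:14Z 10.0.0.5 GET https://example.org/wp-content/themes/twenty/style.css 200
2019-07-01T10:02:20Z 10.0.0.9 POST https://cdn.example.net/static/images/logo.png 200
2019-07-01T10:03:01Z 10.0.0.9 GET https://example.org/include/tmp/ab.gif 404
"""

if __name__ == "__main__":
    rng = random.Random(2019)
    for _ in range(3):
        print(build_c2_url("example.org", rng))
    print("flagged log lines:", flag_c2_like(PROXY_LOG))
```

The subpath and extension values are deliberately ordinary web-content names, which is the point of the design: a request for an image under an uploads directory blends into normal traffic. The path pattern alone is therefore a triage signal, not a conviction, and should be combined with the other characteristics the analysis describes (the shared decoder, the stat data sent to the C2) before attributing traffic to either family.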
Hints at GandCrab version 6
CTU analysis of the REvil Beta sample revealed two findings that are significant in proving a link between GandCrab and this first-identified version of REvil:
- gcfin and gc6 debug paths — A debug path is typically created by the integrated development environment (IDE) used by the malware author. Competent malware authors remove this information prior to distribution, as it could reveal the malware’s name or details about the malware author’s environment. The REvil Beta sample includes the d:codecsrc!1new_agcfinbindebugrwenc_exe_x86_debug.pdb debug path. gcfin is the malware author’s name for the development project, and in context with other evidence appears to refer to “GandCrab Final”. Similarly, a discovered REvil file decryptor executable specifies the D:\gc6\core\src\common\debug.c debug path. The reference to gc6 in the debug path could be a reference to GandCrab 6, which suggests that REvil was originally intended as GandCrab version 6.
- REvil version 6.00? — REvil populates a stat JSON data structure with information about the malware and the compromised host. Starting with REvil 1.00, the stat JSON is encrypted and sent to the attacker’s C2 server. CTU researchers determined that the integer value assigned to the ver key within the stat JSON represents the malware version, and that REvil interprets the value as hexadecimal. The REvil Beta sample includes the hard-coded value 1536, which is 0x600 in hexadecimal and therefore indicates version 6.00. This version does not align with REvil’s incremental numbering pattern, as the next release is version 1.00, but it would align with the GandCrab numbering pattern given that the last observed version of GandCrab was 5.2.
Regional whitelisting

Both REvil and GandCrab whitelist similar keyboard locales to prevent infection of Russia-based hosts. Malware authors commonly whitelist the regions where they reside to avoid scrutiny from local law enforcement. This similarity does not establish a direct connection between REvil and GandCrab, but it does indicate that the malware authors likely reside in the same region.
GandCrab’s ‘ransomware-as-a-service’ model proved to be a highly lucrative endeavor for GOLD GARDEN, so it is unlikely that the threat actors abandoned all malicious activity. Characteristics of REvil that appear to be operational security mistakes by the malware authors enabled CTU researchers to technically link the REvil and GandCrab ransomware families. This link indicates that the malware authors have shifted their focus from GandCrab to REvil.
Appendix — REvil version features and modifications
Sample hashes from the version table (several of the values, as reproduced here, are shorter than a full 32/40/64-character digest and should be treated as partial):

- MD5: bed6fc04aeb785815744706239a1f243
  SHA1: 3d0649b5f76dbff9f86b926afbbd18ae028946bf
  SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
- MD5: 65aa793c000762174b2f8607bdafaea
  SHA1: 95a21e764ad8ea3d034d293aee5511e7c8457
  SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
- MD5: 2abff29b4d87f30f011874b6e98959e9
  SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
  SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bd22a83f380feb
- MD5: 4af953b20f3a1f165e7cf31d6156c035
  SHA1: b859de5ffcb90e4ca8e304d81a4f8785bb299
  SHA256: 89d80016ff4c660dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
- MD5: 3cae02306a95564b1ff4ea45a7dfc00
  SHA1: 0ce2cae5287a64138d273007b34933362901783d
  SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bf
- MD5: 6e3efb83299d800edf1624ecbc0665e7
  SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
  SHA256: 2ca64feaaf5ab6cf9667fbc2bc0e1995b3bc93472d7af884139a757240e3f6