[BreachExchange] Report suggests GandCrab’s developers may have created Sodinokibi ransomware

Destry Winant destry at riskbasedsecurity.com
Thu Jul 18 10:19:48 EDT 2019


https://www.scmagazine.com/home/security-news/report-suggests-gandcrabs-developers-may-have-created-sodinokibi-ransomware/

Evidence is reportedly mounting that the recently discovered
ransomware program known as Sodinokibi was created by the same
developers who introduced GandCrab ransomware.

Last month, GandCrab’s developers publicly disclosed that they were
retiring after raking in roughly $2 billion in extortion payments. But
this announcement may have been misleading at best, according to
security researcher Brian Krebs, who says in a July 15 blog post that
GandCrab’s developers may have merely reorganized.

“My guess is the GandCrab team has not retired, and has simply
regrouped and re-branded due to the significant amount of attention
from security researchers and law enforcement investigators,” Krebs
states in his report. “It seems highly unlikely that such a successful
group of cybercriminals would just walk away from such an insanely
profitable enterprise.”

Also known as Sodin and REvil, Sodinokibi first came to light in April
2019. Like GandCrab, Sodinokibi has been made available on dark web
forums to cybercriminal “affiliates” as a ransomware-as-a-service
offering. Affiliates are guaranteed $10,000, with an initial cut of 60
percent that rises to 70 percent after the first three payments are made,
Krebs has reported. The remainder goes to the developers themselves.

However, with Sodinokibi, the developers are trying to keep their
circle of affiliates smaller and more professional in nature. “We are
not going to hire as many people as possible,” said one dark web forum
message advertising Sodinokibi, according to Krebs.

But it’s not just their similar RaaS models that suggest GandCrab and
Sodinokibi are linked to the same actor. In an April 30 blog post,
researchers from Cisco’s Talos division recounted observing one
Sodinokibi attack that later attempted to distribute GandCrab v5.2.

“We find it strange the attackers would choose to distribute
additional, different ransomware on the same target,” the researchers
wrote at the time. “Sodinokibi being a new flavor of ransomware,
perhaps the attackers felt their earlier attempts had been
unsuccessful and were still looking to cash in by distributing
GandCrab.”

“In my opinion, this only shows that whoever owns the infection vector
might be an affiliate of both threat actor groups that own the
ransomware,” added Christopher Elisan, director of threat intelligence
at Flashpoint, in an interview with SC Media. “In RaaS, the threat
actor groups that own the ransomware usually do not have access to
infection vectors. The infection vectors are owned by other threat
actor groups. This is the reason why ransomware threat actor groups
partner with them so their ransomware can be spread. It’s just like a
delivery truck that went to the house of GandCrab and then went to the
house of Sodinokibi and delivered both packages into the same house
(the target) to reap more rewards.”

But there are other clues that also suggest a connection between the
two ransomware families. Citing research from Kaspersky, Krebs noted how
Sodinokibi’s developers took a page from GandCrab by warning potential
affiliates that they should avoid infecting people based in Syria.

Back in 2018, GandCrab’s developers released decryption keys for all
Syrian victims after one infected individual tweeted that he had lost
access to pictures of his deceased children. By sparing Syrians in
this manner, the attackers may have inadvertently aided researchers
and law enforcement authorities in developing a decryptor tool — one
of several that have been released to counter GandCrab’s multiple
versions.

Additionally, Dutch security firm Tesorion noted in a recent report
that GandCrab and Sodinokibi are similar in the ways they use strings
to generate URLs that are incorporated into the infection process.

“Even though the code bases differ significantly, the lists of strings
that are used to generate the URLs are very similar (although not
identical), and there are some striking similarities in how this
specific part of the code works, e.g., in the somewhat far-fetched way
that the random length of the filename is repeatedly recalculated,”
Tesorion states in its blog post.

Tesorion additionally reported that the number of new GandCrab
binaries it has observed has “decreased significantly” following the
appearance of Sodinokibi.

For now, Elisan from Flashpoint believes it’s difficult to assess
whether the actors behind GandCrab are truly responsible for
Sodinokibi. Nevertheless, he took note of yet one more trait shared
between Sodin and later versions of GandCrab: the presence of a .lock
file in infected machines.

“The purpose of this file is to tell GandCrab not to infect the
machine where this file is located. The name of the .lock file is a
hexadecimal value computed from the host’s root drive volume
information using a custom algorithm in the ransomware code,” Elisan
explained. “But with this similarity, it is possible that the threat
actor group behind Sodinokibi just copied this feature by GandCrab.
After all, most malware writers throw in features from different
malware that are available in the wild or [that have their] source
code leaked.”
