GandCrab Threat Actors Possibly Behind Sodinokibi Ransomware

Back in June, the ransomware-as-a-service (RaaS) operators behind GandCrab, a versatile and widely distributed ransomware family, announced their retirement, claiming over US$2 billion in ransom payments. However, the GandCrab gang might be back to their old tricks. Several security researchers have reported that the group may be responsible for a more advanced ransomware variant called Sodinokibi (detected by Trend Micro as Ransom.Win32.SODINOKIBI.A).

[Read: GandCrab Expands Lists of Victims by Targeting MySQL Databases]

Sodinokibi was first spotted in April 2019, a few months before the GandCrab “retirement,” when Talos researchers observed the ransomware infecting machines by exploiting the Oracle WebLogic Server vulnerability CVE-2019-2725. The Talos blog post on the attack first raised the possibility of a GandCrab connection, noting that other attempts exploiting the same vulnerability had installed GandCrab instead of Sodinokibi.
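For defenders who run WebLogic, the practical question the paragraph above raises is how to spot CVE-2019-2725 exploitation attempts in web server or reverse-proxy logs. The following is an added example written for this page, not code from Trend Micro, Talos, or any other party mentioned here. It assumes a simplified log format in which a body fragment is captured alongside the request line (constructed sample lines are embedded), and it relies on markers taken from the public advisories for CVE-2019-2725 and the related CVE-2017-10271 rather than from this article: POSTs to the `/_async/` or `/wls-wsat/` endpoints carrying a `work:WorkContext` SOAP header that wraps XMLDecoder `class="..."` elements naming gadget classes such as `java.lang.ProcessBuilder` or `oracle.toplink.internal.sessions.UnitOfWorkChangeSet`.

```python
"""Heuristic scorer for CVE-2019-2725 exploitation attempts in web logs.

Added example, not from the original article. The endpoint paths and
WorkContext/gadget-class markers come from the public advisories and PoC
write-ups for CVE-2019-2725 / CVE-2017-10271; the log format and the
sample lines below are constructed for this example.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log: "<ip> <method> <path> <status> <body fragment>".
# Lines 1 and 3 mimic exploit attempts, line 4 is a benign call to the
# same (legitimate) async endpoint, the rest are unrelated traffic.
SAMPLE_LOG = """
10.0.0.5 POST /_async/AsyncResponseService 202 <soapenv:Envelope><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><void class="java.lang.ProcessBuilder">
10.0.0.6 GET /console/login/LoginForm.jsp 200 -
10.0.0.7 POST /wls-wsat/CoordinatorPortType 500 <soapenv:Envelope><soapenv:Header><work:WorkContext><java version="1.8"><object class="oracle.toplink.internal.sessions.UnitOfWorkChangeSet">
10.0.0.8 POST /_async/AsyncResponseService 200 <soapenv:Envelope><soapenv:Body><ns:echo>hello</ns:echo></soapenv:Body>
10.0.0.9 POST /orders/api 200 {"item":"widget"}
"""

# Vulnerable WebLogic components (wls9_async_response.war, wls-wsat.war).
VULN_PATH_RE = re.compile(r"^/(?:_async|wls-wsat)/", re.IGNORECASE)
# WorkContext header is where the XMLDecoder payload is smuggled in.
WORKCONTEXT_RE = re.compile(r"<work:WorkContext\b", re.IGNORECASE)
# Gadget classes seen in public payloads for the original bug and its bypass.
GADGET_RE = re.compile(
    r'class="(?:java\.lang\.ProcessBuilder|java\.lang\.Runtime'
    r"|oracle\.toplink\.internal\.sessions\.UnitOfWorkChangeSet"
    r'|java\.io\.ObjectInputStream)"'
)
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<body>.*)$"
)


def score_line(line: str) -> Optional[Dict]:
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, path, body = m["method"], m["path"], m["body"]
    score, reasons = 0, []
    # The endpoints are legitimate features, so touching them alone is weak.
    if method == "POST" and VULN_PATH_RE.match(path):
        score += 1
        reasons.append("POST to WebLogic async/wsat endpoint")
    # WorkContext plus a serialized-object payload is the exploit shape.
    if WORKCONTEXT_RE.search(body):
        score += 2
        reasons.append("WorkContext header in SOAP body")
    if GADGET_RE.search(body):
        score += 3
        reasons.append("XMLDecoder gadget class in payload")
    return {"ip": m["ip"], "path": path, "status": int(m["status"]),
            "score": score, "reasons": reasons}


def analyze(log_text: str) -> List[Dict]:
    """Score every parseable line of a log blob."""
    findings = []
    for raw in log_text.splitlines():
        finding = score_line(raw)
        if finding is not None:
            findings.append(finding)
    return findings


def suspicious(log_text: str, threshold: int = 3) -> List[Dict]:
    """Findings at or above the threshold; 3 means WorkContext plus endpoint,
    or a gadget class on its own, which should not appear in normal traffic."""
    return [f for f in analyze(log_text) if f["score"] >= threshold]


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]} score={hit["score"]} {hit["reasons"]}')
```

Two caveats for anyone adapting this: a hit is evidence of an attempt, not of a successful compromise, so the next step is to check whether the server was patched or had the affected `.war` components removed and whether the host made outbound connections afterwards; and because `/_async/` is a legitimate service, the low score on the benign fourth sample line is deliberate, to avoid paging on every async call.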

Researcher Brian Krebs pointed out in a blog post that in May, an unknown individual deposited over US$130,000 in cryptocurrency on underground forums as part of an advertisement inviting affiliates to join a new RaaS program. The advertiser promised at least US$10,000 for each affiliate, with a 60% cut of ransom payments at the start that rises to 70% after the first three payments. The operators behind the RaaS also said they wanted a small but professional team, noting that they were not looking to hire as many people as possible.

The advertisement also asked that affiliates avoid operating in Syria, a curious request that makes more sense considering that the group behind GandCrab released decryption keys for Syrian victims in 2018, after a Twitter plea from a father whose sons’ photos had been encrypted.

Tesorion security researchers also found further potential links between the two malware families, including similarities in how the randomly generated C&C URLs are constructed, as well as the fact that GandCrab detections fell while Sodinokibi detections rose over the same period.

[READ: Ransomware in 2019 – and security solutions with machine learning]

Malware families never really retire

Despite — or because of — the massive amounts of money the threat actors behind GandCrab made before announcing their retirement, it could be that the temptations of the cybercrime life are too strong.

Malware families, even old ones, are also never truly gone. In fact, the trend seems to point towards threat actors consistently refining their tools, tactics, and procedures to make their attacks more effective. It’s possible that the GandCrab group wanted to start fresh by building a new operation without the notoriety attached to the GandCrab name, or that new developers are merely reusing similar methods for their own purposes. Whatever the case, the impact of ransomware on organizations — losing important data as well as suffering monetary loss and reputational damage — remains the same.

Fortunately, implementing the following best practices goes a long way towards combating ransomware:

  • Both GandCrab and Sodinokibi exploit vulnerabilities to infect their victims. Organizations should therefore make it a priority to patch their machines as soon as possible.
  • Businesses should always back up their data using the 3-2-1 rule: at least three copies in two different storage formats with at least one copy located offsite.
  • Given that spam is a common infection vector for ransomware, users should be wary of suspicious emails and avoid clicking on unknown links or downloading unfamiliar attachments.

Organizations should also consider implementing a multilayered approach to security to mitigate the risks brought by ransomware. This includes using security technology such as Trend Micro™ Smart Protection Suites, which delivers several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. 

These solutions are powered by Trend Micro XGen security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
