Notorious GandCrab Ransomware Returns With A New Name

GandCrab was one of the most prolific ransomware families of 2018 and 2019. It encrypted the files on an infected computer and demanded as much as $2,000 in Bitcoin or Dash for the decryption key. In June 2019 the GandCrab operators announced that they were shutting the operation down, claiming they had made enough money from it; by their own account they had collected $2 billion in ransom payments.


Now, security researchers at the Secureworks Counter Threat Unit have identified a new ransomware family that shares code with GandCrab and appears to be an evolved version of it.

REvil, which is also known as Sodinokibi, has been linked to GandCrab malware.


Speaking to ZDNet, a security researcher said, “It certainly shares some code overlap with GandCrab and there are even artefacts in there which suggest that it was intended to be an evolution of GandCrab and they decided that GandCrab was ripe for a rebrand and relaunch.”


Why are researchers linking REvil to GandCrab?


Researchers gave the following reasons for believing that GandCrab has resurfaced as REvil:


The string-decoding functions of REvil and GandCrab share similarities.
The two families also share URL-building functionality that produces similar URL patterns for their command-and-control servers and commands.
Strings such as ‘gcfin’ and ‘gc6’ in the REvil code suggest a relationship between the two. Researchers believe that ‘gcfin’ stands for ‘GandCrab Final’ and ‘gc6’ denotes GandCrab 6.
Both REvil and GandCrab whitelist certain keyboard layouts so as not to infect Russian-based hosts.
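The keyboard-layout check mentioned in the last point works on Windows keyboard layout handles (HKLs): the low 16 bits of each handle are a LANGID, and the low 10 bits of that are the primary language, so a Russian layout is recognised regardless of the sublanguage or the input device. The following is an added example, not code from either malware family or from the Secureworks report; it reproduces that logic in pure Python on constructed handle values (on a real host they would come from GetKeyboardLayoutList()), and the exclusion table is an illustrative subset of Russian/CIS identifiers, not the exact list either family ships.

```python
"""Keyboard-layout exclusion check of the kind GandCrab and REvil perform.

Added example. The HKL values below are constructed; on Windows they would be
obtained from GetKeyboardLayoutList(). The LANGID table is an illustrative
subset (assumption), taken from Microsoft's published LANGID values.
"""

# An HKL is a 32-bit handle whose low 16 bits are a LANGID; the high 16 bits
# identify the physical layout/IME and are irrelevant to the language check.
LANGID_MASK = 0xFFFF

# Within a LANGID the low 10 bits are the primary language and the high 6 bits
# the sublanguage, e.g. 0x0419 (Russian) and 0x0819 (Russian, Moldova) both
# have primary language 0x19.
PRIMARY_LANG_MASK = 0x3FF

# Illustrative subset of layouts such families refuse to run on (assumption:
# not the exact list from either malware family).
EXCLUDED_LANGIDS = {
    0x0419: "Russian",
    0x0819: "Russian (Moldova)",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x0428: "Tajik",
    0x042B: "Armenian",
    0x042C: "Azeri (Latin)",
    0x0437: "Georgian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
    0x0444: "Tatar",
}


def langid_of(hkl: int) -> int:
    """Extract the LANGID from a keyboard layout handle."""
    return hkl & LANGID_MASK


def primary_lang_of(langid: int) -> int:
    """Extract the primary-language field from a LANGID."""
    return langid & PRIMARY_LANG_MASK


def matching_excluded_layouts(hkls):
    """Return the names of installed layouts that appear in the exclusion table."""
    hits = []
    for hkl in hkls:
        lid = langid_of(hkl)
        if lid in EXCLUDED_LANGIDS:
            hits.append(EXCLUDED_LANGIDS[lid])
    return hits


def host_is_excluded(hkls) -> bool:
    """True if any installed layout matches: the malware would exit without encrypting."""
    return bool(matching_excluded_layouts(hkls))


if __name__ == "__main__":
    # Constructed handle lists: standard layouts use the same LANGID in both halves.
    us_only = [0x04090409]                  # US English
    us_plus_german = [0x04090409, 0x04070407]
    us_plus_russian = [0x04090409, 0x04190419]
    for name, layouts in (("us_only", us_only),
                          ("us_plus_german", us_plus_german),
                          ("us_plus_russian", us_plus_russian)):
        print(f"{name}: excluded={host_is_excluded(layouts)} "
              f"hits={matching_excluded_layouts(layouts)}")
```

Because the decision hinges on nothing more than an installed layout, the same logic is sometimes proposed as a "vaccine" (adding a Russian layout to a Western host). That is a weak control: the check is a single branch the operators can remove in the next build, and it says nothing about the rest of the intrusion chain.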

Despite the similarities in the ..
