Gold Garden Group Comes Back With REvil Malware
The operators behind GandCrab, tracked as the Gold Garden group, have returned to the malware scene: a technical analysis links the GandCrab authors to the REvil ransomware. The ransomware that recently hit 22 Texas municipalities is likely the work of the same authors as GandCrab, despite the group's claim that it had retired.
In May, Gold Garden announced it was retiring on the proceeds of its ransomware-as-a-service operation, which it claimed had earned at least $2 billion since January 2018. Secureworks Counter Threat Unit (CTU) researchers say the group instead moved on to a different ransomware, known as Sodinokibi or REvil.
CTU analysis and tracking of REvil samples suggest that the ransomware was in development and testing between April 10 and May 7 and was not intended for public release. Following the release of version 1.01 on May 7, the REvil developers…began pushing a new release of the ransomware at the beginning of each month. This cadence and the ransomware’s capabilities indicate a structured development process by dedicated and experienced malware authors.
REvil reaches victims through spam email and attacks on exposed remote desktop services. According to the technical analysis, the string decoding functions in REvil and GandCrab are nearly identical. Because malware authors usually implement their own custom string encoding and decoding logic, that code serves as a fingerprint: the same routine turning up in another binary is strong evidence of shared authorship or shared source. When analyzing REvil, researchers isolated a sequence of opcodes from its string decoding function, the kind of fingerprint that can be used to find other samples of the same family. The two families also share similar URL-building logic, which further suggests that code originally written for GandCrab was repurposed in REvil.
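To make the fingerprinting idea concrete, here is an added example (written for this page, not code from the Secureworks analysis or from either malware family). It uses constructed byte sequences that stand in for a small XOR string-decoding stub as it might appear in two builds of one family; no bytes here are taken from REvil or GandCrab. The technique is the one the paragraph describes: keep the opcode skeleton, wildcard the operand bytes that change between builds (XOR key, stack offset), and scan other samples for that skeleton. Deriving the mask by diffing two same-length builds is a simplification; in practice the operand positions come from disassembly.

```python
"""Code-reuse fingerprinting with a masked byte pattern (added example).

All byte sequences below are CONSTRUCTED stand-ins for a string-decoding
routine. They are not taken from REvil, GandCrab or any real sample.
"""
import re
from typing import List

# Constructed "family" decoder as it might appear in two builds: same
# instruction skeleton, different immediates (XOR key and stack offset).
#   8B 4D 08          mov  ecx, [ebp+8]      ; pointer to encoded string
#   B8 5A 00 00 00    mov  eax, 0x5A         ; XOR key
#   30 01             xor  [ecx], al
#   41                inc  ecx
#   80 39 00          cmp  byte [ecx], 0     ; stop at NUL
#   75 F9             jnz  back to the xor
#   C3                ret
BUILD_A = bytes.fromhex("8B4D08 B85A000000 3001 41 803900 75F9 C3")
BUILD_B = bytes.fromhex("8B4D0C B837000000 3001 41 803900 75F9 C3")

# Unrelated code that happens to share its first bytes with the decoder
# (also constructed); it must not match the fingerprint.
UNRELATED = bytes.fromhex("8B4D08 33C0 8B0C8D 01010101 C3")


def derive_pattern(a: bytes, b: bytes) -> str:
    """Wildcard every position where two builds of the same routine differ.

    Those positions are the operand bytes (keys, offsets); what remains is
    the opcode skeleton shared by both builds. Assumes identical layout,
    which is the simplifying assumption of this example.
    """
    if len(a) != len(b):
        raise ValueError("builds must be the same length to diff byte-wise")
    return " ".join("??" if x != y else f"{x:02X}" for x, y in zip(a, b))


def compile_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern such as 'AA ?? BB' into a bytes regex.

    '??' matches any single byte; everything else is an exact byte.
    """
    parts = [
        b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
        for tok in pattern.split()
    ]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(blob: bytes, pattern: str) -> List[int]:
    """Return every offset in blob where the fingerprint matches."""
    rx = compile_pattern(pattern)
    return [m.start() for m in rx.finditer(blob)]


# The fingerprint for the constructed family: opcode skeleton with the
# XOR key and the stack offset masked out.
DECODER_PATTERN = derive_pattern(BUILD_A, BUILD_B)


def looks_like_family(sample: bytes) -> bool:
    """True if the masked decoder skeleton occurs anywhere in the sample."""
    return bool(scan(sample, DECODER_PATTERN))


if __name__ == "__main__":
    # A third constructed build with yet another key and offset, embedded
    # in padding, is still caught by the skeleton-only pattern.
    third_build = (
        b"\x90" * 16
        + bytes.fromhex("8B4D10 B8C3000000 3001 41 803900 75F9 C3")
        + b"\xCC" * 8
    )
    print("pattern:", DECODER_PATTERN)
    print("third build hits at:", scan(third_build, DECODER_PATTERN))
    print("unrelated code matches:", looks_like_family(UNRELATED))
```

The pattern string this produces is in the same shape as a YARA hex string, so once the mask is settled it can be dropped into a rule and run across a sample corpus; a match on the masked skeleton, with a different key and offset filled in, is exactly the signal the researchers describe.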
GandCrab appeared in early 2018 and quickly became one of the most prevalent ransomware families worldwide. Its ransomware-as-a-service model proved extremely profitable for Gold Garden. The group appears to have simply regrouped and rebranded in response to the attention it was drawing from security researchers and law enforcement; it is hard to believe that such a successful crew would walk away from so profitable an enterprise.