Arsgera - Fotolia
In the wake of GandCrab shutting down and master decryption keys being released, a new ransomware threat is emerging.
The GandCrab ransomware had been one of the more dangerous threats since its first appearance in early 2018, but the group behind the ransomware as a service (RaaS) announced its retirement last month. On Monday, the FBI, in cooperation with No More Ransom, announced the release of the master keys and universal decryption tool for GandCrab. The FBI said in its alert that it was "releasing the master keys in order to facilitate the development of additional decryption tools."
Craig Young, computer security researcher on the vulnerability and exposure research team at Tripwire, based in Portland, Ore., praised the decision to release the keys directly.
"This is important, because some affected users may not be comfortable with running the published decryptor," Young said. "It also could be that some environments need better scalability in a decryption tool so that many systems can be recovered at once."
A new ransomware threat
Separately, on Monday, cybersecurity investigative journalist Brian Krebs laid out a case claiming the GandCrab group might not be in retirement, but it may be behind a new, "more exclusive and advanced ransomware" threat known as REvil, Sodin or Sodinokibi.
This new ransomware was first seen by researchers at Cisco Talos in April. The researchers named it Sodinokibi and noted a "strange" action: After successfully infecting a victim, the attackers would also infect the target with GandCrab, in addition to Sodinokibi.
In July, Kaspersky researchers -- who called the new ransomware Sodin -- found the attackers had begun using a "rare" tactic of exploiting a Windows zero-day vulnerability to elevate privileges when infecting a target.
Craig YoungComputer security researcher, Tripwire
Although Kaspersky did not mention GandCrab in its research, Krebs noted that Sodin and GandCrab shared the same list of regions in which it was forbidden to infect systems, including Syria, Ukraine and Russia. Syria was banned late in GandCrab's life, and the group behind the threat released a decryption key for that region.
Krebs also pointed out that recent research by Tesorion, a security firm based in the Netherlands, found similarities in the ways GandCrab and Sodin generate URLs.
Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, said Krebs raised some "valid points," but added that if the GandCrab group was also behind this new ransomware, they must have "decided to reboot this RaaS and rewrite the code from scratch."
"If we are talking about the GandCrab and Sodin Trojans themselves, they are undoubtedly different. From the analysis of the executable binaries of GandCrab and Sodin, we can conclude that there is no direct code reuse or inheritance in this case. These two Trojans seem to have been developed either by different programmers, or at least Sodin was developed from scratch without borrowing any existing code base," Sinitsyn said. "The code is just different, and the encryption scheme is more sophisticated in Sodin. But we cannot state that it is necessarily a developer learning from GandCrab mistakes, as we don't have enough data for that kind of assumption. It might just be another approach by another developer."
Young could not evaluate the technical merits of Krebs' case, but said he would be very surprised if the GandCrab group was truly retiring.
"As long as ransomware is paying dividends for criminals, there will always be a continuous stream of new threat actors and tools. [But] I don't think there is any sense in worrying about one particular ransomware threat actor versus another," Young said. "The mitigation and remediation strategies are largely unaffected by the specific ransomware suite. Organizations need to maintain current data backups, patches and endpoint protections. In the end, though, employees and the risk that an employee may be duped is the greatest risk to most organizations."