GandCrab Authors: Researchers have identified a new ransomware family that shares code with the notorious GandCrab ransomware, which was retired in June. A financially motivated group tracked as GOLD SOUTHFIELD has been distributing the new malware, called REvil (also known as Sodinokibi), via backdoors, scan-and-exploit activity, and exploit kits. GandCrab, which was associated with the GOLD GARDEN group, went dormant at about the same time that REvil became active. REvil is highly configurable: its operators can customize the payload that is delivered, and most of the following behaviors can be switched on or off in the configuration. It exploits CVE-2018-8453 (a Windows win32k elevation-of-privilege flaw) to gain higher privileges; terminates blacklisted processes before encryption so that open file handles do not block it; wipes the contents of blacklisted files; encrypts non-whitelisted files on local storage and on network shares; and exfiltrates basic host information. After encryption, the ransomware changes the desktop background to a note telling the user that the files have been encrypted and pointing to an attacker-run website, which lists the payment instructions, the amount due, the deadline, and a "trial decryption" box that lets the victim upload a file to confirm that the files can actually be recovered.
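The behaviors listed above (a burst of process terminations, mass renames of files to one new extension on local disks and network shares, then a wallpaper change) are what endpoint telemetry would show during the encryption phase, and they make a reasonable behavioral triage rule. The following is an added illustration, not code from the original digest or from any vendor; it runs over constructed, hypothetical endpoint events, and the field names, the process IDs and the thresholds (3 kills, 5 renames) are assumptions, not REvil indicators. No REvil-specific extension or file names are implied.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry (not a real capture). Process 4021 on ws01 kills
# several processes, renames files on a network share to a single new
# extension, then swaps the wallpaper. Process 7788 is a benign backup-style
# process that renames two local files. Field names are assumptions.
EVENTS = [
    {"ts": 1, "host": "ws01", "pid": 4021, "type": "proc_terminate", "target": "sqlservr.exe"},
    {"ts": 2, "host": "ws01", "pid": 4021, "type": "proc_terminate", "target": "outlook.exe"},
    {"ts": 3, "host": "ws01", "pid": 4021, "type": "proc_terminate", "target": "winword.exe"},
    {"ts": 4, "host": "ws01", "pid": 4021, "type": "file_rename", "path": r"\\fs01\finance\q3.xlsx", "new_ext": ".t8k2q"},
    {"ts": 5, "host": "ws01", "pid": 4021, "type": "file_rename", "path": r"\\fs01\finance\q4.xlsx", "new_ext": ".t8k2q"},
    {"ts": 6, "host": "ws01", "pid": 4021, "type": "file_rename", "path": r"C:\Users\a\budget.docx", "new_ext": ".t8k2q"},
    {"ts": 7, "host": "ws01", "pid": 4021, "type": "file_rename", "path": r"C:\Users\a\plan.pptx", "new_ext": ".t8k2q"},
    {"ts": 8, "host": "ws01", "pid": 4021, "type": "file_rename", "path": r"C:\Users\a\notes.txt", "new_ext": ".t8k2q"},
    {"ts": 9, "host": "ws01", "pid": 4021, "type": "wallpaper_change", "path": r"C:\Users\Public\note.bmp"},
    {"ts": 3, "host": "ws01", "pid": 7788, "type": "file_rename", "path": r"C:\Users\a\draft.docx", "new_ext": ".bak"},
    {"ts": 4, "host": "ws01", "pid": 7788, "type": "file_rename", "path": r"C:\Users\a\old.docx", "new_ext": ".bak"},
]


def indicators_for(events, term_threshold=3, rename_threshold=5):
    """Group events by (host, pid) and return the set of ransomware-like
    behaviors observed for each process. Thresholds are assumptions."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)

    result = {}
    for key, evs in by_proc.items():
        kills = sum(1 for e in evs if e["type"] == "proc_terminate")
        renames = [e for e in evs if e["type"] == "file_rename"]
        # Count how many renames target the same new extension: encryption
        # typically appends one extension to every victim file.
        ext_counts = Counter(e["new_ext"] for e in renames)
        top_n = ext_counts.most_common(1)[0][1] if ext_counts else 0
        # UNC paths (\\server\share) mean the process touched a network share.
        share_hit = any(e["path"].startswith("\\\\") for e in renames)
        wallpaper = any(e["type"] == "wallpaper_change" for e in evs)

        found = set()
        if kills >= term_threshold:
            found.add("process_kill_burst")
        if top_n >= rename_threshold:
            found.add("mass_rename_single_ext")
        if share_hit:
            found.add("network_share_renames")
        if wallpaper:
            found.add("wallpaper_change")
        result[key] = found
    return result


def flagged(events, **thresholds):
    """Flag a process when a mass rename is accompanied by at least one other
    listed behavior; a lone rename burst could be a backup or archive job."""
    return sorted(
        key
        for key, found in indicators_for(events, **thresholds).items()
        if "mass_rename_single_ext" in found and len(found) >= 2
    )


if __name__ == "__main__":
    for key, found in indicators_for(EVENTS).items():
        print(key, sorted(found))
    print("flagged:", flagged(EVENTS))
```

The rule keys on the combination of behaviors rather than on any one of them: process kills alone are common during patching, and renames alone are common during backups, but a single process that does both and then replaces the wallpaper is rarely legitimate. In production the same logic would consume Sysmon or EDR events instead of the constructed list above.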
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is