New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

GandCrab Authors are Back With a New Malware After Retirement

GandCrab Authors: Researchers have been able to identify a new type of ransomware which shares code properties with the notorious GandCrab ransomware, which was retired in June. The new financially motivated group, being called GOLD SOUTHFIELD, has been distributing the new malware via backdoors, scan-and-exploit techniques, and exploit kits. The new ransomware is being called REvil. GandCrab, which was associated with the GOLD GARDEN group went away at the same time that the REvil started being active. REvil performs the following tasks, most of which are configurable: Allows an attacker to customize the payload being delivered, exploits the CVE-2018-8453 vulnerability to elevate privileges, terminates blacklisted processes prior to encryption to eliminate resource conflicts, wipes the blacklisted file contents, encrypts non-whitelisted files on local storage and network shares, and exfiltrates basic host information. After the encryption occurs, the ransomware will change the desktop background to a note informing the users of the encryption and a URL to an attacker-run website which includes the instruction for payment, amount of payment, timeline that the payment is due, and even a trial run box that allows a victim to upload a file to see if the files can actually be decrypted.

Analyst Notes

Based on code similarities, researchers believe that is is possible that the same authors are behind REvil as GandCrab. It is likely that this ransomware will take the place of GandCrab in terms of how widespread it will become. At this point, there is no indication that REvil has worm-like capabilities which would allow it to spread laterally, but that does not mean it could not have that feature in the future. Users should always maintain up-to-date off-site backups in case of a successful ransomware attack on their machines.