• GandCrab actors are pushing a new, more private, more powerful RaaS tool.
  • Using three names right now, the new ransomware strain has not stabilized its infection route yet.
  • The actors are calling for a few affiliates who are professionals, cutting them 60% and guaranteeing $10k.

Called “REvil”, or “Sodin”, or “Sodinokibi”, researchers from multiple cybersecurity firms agree that there’s new ransomware as a service (RaaS) out there created by the same person or group behind GandCrab, after just a month since the actors announced their “well-deserved retirement”. As we had warned back in June when BitDefender released a decryption tool that would defeat all versions of GandCrab, the success of the tool that established the whole concept of RaaS guaranteed that we would keep on seeing products that are based on the affiliation model.

While GandCrab was widespread trouble that made its creators and affiliates a total of $2 billion in extortion payments, the new ransomware strain is meant to be much more private, calling for a small number of affiliates that are serious about the prospect of propagating the new strain. Each affiliate is offered a cut of 60%, and $10k. For five of them, there’s a total guarantee of $50k. The user who has promoted this new RaaS on darknet forums is nicknamed “Unknown” and claims to have five years in the field, calling only professionals to join them, saying that they are not going to hire as many people as possible.

The connection of the Sodin ransomware with GandCrab comes from the fact that in recent infections, researchers have noticed an exchange between strains that included the GandGrab 5.2 as well. Moreover, the exclusion of Syria from the infection target countries is notable, as this was what eventually ended GandCrab after the RaaS actors decided to release the decryption keys for them. Commonwealth of Independent States including Russia, Ukraine, Armenia, and Belarus, are also forbidden from getting targeted.

From a technical perspective, the first infections of Sodinokibi exploited the CVE-2018-8453 vulnerability that is a Windows zero-day, and also the CVE-2019-2725 that is a flaw in the Oracle WebLogic Server. Both of these problems have been patched now, but systems that aren’t updated will remain vulnerable. Moreover, and in order to avoid detection and analysis in these early stages, REvil is deploying the Heaven’s Gate loader that we discussed a couple of weeks back, which allows a malicious software tool to execute 64-bit code from a 32-bit running process.

As always, if you want to stay safe against ransomware, the best way to do it is by taking regular backups and storing them in an offline location/media. In addition to this, you should keep all your tools, OS, and AV updated, and avoid downloading and executing email attachments and torrent files.

Have you had an adverse experience in Sodin already? Share the details with us in the comments down below, or on our socials, on Facebook and Twitter.