Has GandCrab Resurfaced as Another Ransomware-as-a-Service?
"We are a living proof that you can do evil and get off scot-free."
This was part of the farewell from the cybercrime gang responsible for the GandCrab ransomware-as-a-service (RaaS) when they announced their intention to retire in late May. They also said "we are getting a well-deserved retirement" after stating their intention to call a halt to the RaaS, which they claim netted in excess of $2 billion from victims of their extortion.
"It is astonishing to read that a cybergang has made so much money they are retiring, and they are publicly announcing it. They are thumbing their noses at all of us. I wouldn’t believe a word of it, though – I would imagine it would be hard to stop, and they will likely resurface soon in another form, helping crooks damage unprotected businesses," said Dan Tuchler, CMO at SecurityFirst, voicing the opinion of many in the cyber security business who were surprised at the announcement.
And resurface they have, or so it seems, according to Krebs on Security, which reports that those behind GandCrab may have put their retirement on hold with the appearance of a new RaaS known as Sodinokibi, Sodin or REvil.
Researchers first came across Sodinokibi - used to deploy GandCrab - in late April, a month before GandCrab announced it would be shutting up shop. Then, in early May, someone referring to themselves as 'Unknown' started making deposits of more than US$130,000 on two cybercrime forums. The payments, in virtual currency, were made in order to hire new 'affiliates' for a new RaaS, name unknown.
Unknown wrote on the forums: "We are not going to hire as many people as possible. Five affiliates more can join the program and then we’ll go under the radar. Each affiliate is guaranteed US$10,000. Your cut is 60% at the beginning and 70% after the first three payments are made. Five affiliates are guaranteed US$50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals."
When forum members asked about the name of the ransomware service, Unknown said it "had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being."
Unknown stated that "it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan". The fact that these states were singled out implies that Unknown possibly resides in one of them.
Unknown's identity is a mystery. However, in November 2018, a GandCrab affiliate posted on a forum a private message between himself and a forum member known as, among others, 'oneiilk2', who was identified as a fellow GandCrab affiliate and "in charge of recruiting new members to the ransomware earnings program."
A search on oneiilk2’s registration email address showed that one password was used across multiple accounts. That password - 16061991 - matches the birthday - June 16, 1991 - of one Igor Vladimirovich Prokopenko from Magnitogorsk in Chelyabinsk Oblast, Russia.
When KrebsOnSecurity tracked down Mr. Prokopenko and queried him about this, and other findings, he responded, "Hey. You’re wrong. I’m not doing this."