GandCrab Ransomware: Is it Back Under a New ‘REvil’ Guise?


Remember GandCrab ransomware?

It was a popular strain of ransomware sold as something like ‘crimeware-as-a-service’ (CaaS).

CaaS – What Is It?

The concept of CaaS is modelled on the cloud computing and outsourcing models that businesses already use. Take publishing a video as an example: you don’t have to know anything about video compression, pixel formats, or how to run a live streaming server. You press RECORD on your phone, capture the footage you want, and SHARE it directly to a video hosting network such as YouTube.

CaaS works the same way: someone who wants to make money from ransomware doesn’t need to be a ransomware expert, write the malware code, or run an anonymous web server to manage the loot. They simply sign up, download their malware samples, and attack people or businesses with the ready-made ransomware.

While the affiliate takes the front-line risk of getting caught red-handed using the malware, the crooks behind the service collect the ransoms, hand out the decryptors, and even offer online ‘tech support’ that walks victims through buying bitcoins and making payments, all in return for a cut of the takings.

From GandCrab To REvil

GandCrab had been one of the most formidable ransomware threats since its introduction in early 2018, but the team behind it declared its retirement in May 2019 after ostensibly collecting over $2 billion in extortion payments from victims. However, a growing body of evidence suggests that the GandCrab crooks have quietly regrouped behind a more advanced ransomware program, known variously as “REvil,” “Sodin,” or “Sodinokibi.”

What Does A REvil Attack Look Like?

REvil is a data-locking ransomware that the attackers deliver by connecting remotely to the host machine and launching the malware by hand. Once inside, it encrypts all data on the hard drive and on connected networks using the Salsa20 encryption algorithm, and appends a newly generated extension to databases, documents, pictures and so on. It then drops a HOW-TO-DECRYPT.txt file and replaces your desktop wallpaper.

The ransom note tells the victim to install the TOR web browser and visit a given link. The attackers then demand a ransom in bitcoin; if it is not paid within five days, the amount is doubled.
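The artifacts just described (a dropped HOW-TO-DECRYPT.txt note, data files with a fresh extension appended, and contents that, being Salsa20 output, look like random bytes) are exactly what a responder looks for on a suspect host. The script below is an added example written for this post; it is not code from the post, from REvil, or from any vendor tool. It walks a directory tree, reports each indicator separately, and only calls the result "likely-ransomware" when a note sits beside renamed, high-entropy files. The appended-extension pattern (a short random alphanumeric tag after the original extension), the entropy threshold, and the sample files it builds are all assumptions, not REvil specifics.

```python
"""Ransomware artefact triage for a directory tree (added example, not REvil or
vendor code).  Indicators are reported separately because each is weak alone:
a ransom note could be a stray copy, and a high-entropy file could simply be an
archive or a photo.  The combination is the signal."""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAMES = {"HOW-TO-DECRYPT.txt"}  # note filename named in the post

# Assumption: the appended extension is a short random alphanumeric tag placed
# after the original extension, e.g. "budget.xlsx.5k3j9q".
APPENDED_EXT_RE = re.compile(
    r"^.+\.(?P<orig>[A-Za-z0-9]{2,5})\.(?P<tag>[a-z0-9]{4,12})$")
USER_DATA_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "sql", "db", "txt"}

ENTROPY_THRESHOLD = 7.2  # bits per byte; documents sit far lower, ciphertext near 8.0
SAMPLE_BYTES = 4096      # only the head of each file is read
MIN_SAMPLE = 256         # too little data makes the entropy estimate meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def appended_extension(name: str):
    """Return (original_ext, tag) when the name looks like '<file>.<ext>.<tag>'
    with a recognised user-data extension in the middle, else None."""
    m = APPENDED_EXT_RE.match(name)
    if m and m.group("orig").lower() in USER_DATA_EXTS:
        return m.group("orig").lower(), m.group("tag")
    return None


def scan_tree(root: Path) -> dict:
    """Walk the tree and collect indicators; paths are reported relative to root."""
    f = {"ransom_notes": [], "renamed": [], "high_entropy": [], "likely_encrypted": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in RANSOM_NOTE_NAMES:
            f["ransom_notes"].append(rel)
            continue
        renamed = appended_extension(path.name) is not None
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        noisy = len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD
        if renamed:
            f["renamed"].append(rel)
        if noisy:
            f["high_entropy"].append(rel)
        if renamed and noisy:
            f["likely_encrypted"].append(rel)
    # Note + renamed random-looking data files is the strong signal; entropy
    # alone is weak because compressed archives and media look the same.
    if f["ransom_notes"] and f["likely_encrypted"]:
        f["verdict"] = "likely-ransomware"
    elif f["ransom_notes"] or f["renamed"]:
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "clean"
    return f


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: a plain document, a benign archive (high entropy
    but no rename), two 'encrypted' documents (pseudo-random bytes standing in
    for Salsa20 output, with the assumed tag appended) and the ransom note."""
    rng = random.Random(2024)  # deterministic so the run is repeatable

    def random_bytes() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))

    docs = root / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "minutes.txt").write_text("Meeting minutes: review backups quarterly.\n" * 60)
    (docs / "photos.zip").write_bytes(random_bytes())
    (docs / "budget.xlsx.5k3j9q").write_bytes(random_bytes())
    (docs / "report.docx.5k3j9q").write_bytes(random_bytes())
    (docs / "HOW-TO-DECRYPT.txt").write_text("Your files are encrypted. Install TOR and visit the link.\n")


def demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the benign `photos.zip` landing only in `high_entropy`, while the two renamed documents appear in `renamed`, `high_entropy` and `likely_encrypted`, and the presence of the note lifts the verdict to `likely-ransomware`. To triage a real volume, call `scan_tree(Path("/path/to/mount"))` on a read-only mount of the suspect disk rather than on the live machine.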

How To Protect Yourself Against Ransomware?

Most users believe they are safe because they have popular anti-malware software installed. That is indeed one of the most important malware controls, but on its own it is far from enough. As already mentioned, REvil’s developers use the CaaS model, which means multiple hacking groups can join the campaign, making it more widespread.

Be aware, too, that such malware is advanced enough to use code injection to bypass your ransomware protection tools, so installing security software and declaring yourself safe is simply not enough. To keep yourself away from future threats, cybersecurity experts recommend the following malware prevention techniques:

  • Update all installed software and the operating system whenever new patches are released.
  • Try ad-blockers. Such tools help ensure that an ad cannot serve a drive-by download that silently installs the malicious payload.
  • Equip your accounts with two-factor authentication. Whatever techniques attackers come up with, two-factor authentication limits unauthorized access to your accounts.
  • Be vigilant when using remote desktop: avoid the default port and protect it with a strong password.
  • Avoid suspicious websites and phishing links on social media. We recommend that you do not pirate software or download it from unknown sources.
  • Back up your data regularly. This negates the most damaging outcome of a ransomware infection.
  • Disable macros in Microsoft Office products.
  • Apply attachment filtering to emails.

To mitigate ransomware attacks on the business side and protect your computers from REvil and other ransomware, we recommend seeking advice from an expert cybersecurity company.

With ransomware attacks at their peak, it’s time we stayed safe!
