New research by SecureWorks suggests that Sodinokibi (aka REvil) ransomware may be linked to the infamous GandCrab ransomware, whose operators announced their retirement earlier this summer after allegedly earning around $150 million from the file-encrypting malware since the beginning of 2018.
Security researchers have since found source code and other similarities between the two ransomware strains. For instance, the string decoding functions used by the two ransomware strains are an almost perfect match, and the malware families also build URLs for their command and control (C2) servers in similar ways. However, the behavior of the operators is fundamentally different. While the crooks behind GandCrab displayed a sense of humor and even interacted with the infosec community to a certain degree, the Sodinokibi operators are all business. They promote their ransomware-as-a-service offering on underground forums, but never publish anything else. Sodinokibi was first detected in April of this year.
Read more: Shared Code Links Sodinokibi to GandCrab, Minus the Fun & Games