New Links Between Sodinokibi and GandCrab Ransomware Discovered

The threat actors behind the infamous and highly successful GandCrab ransomware operation announced their retirement earlier this year and shut down their operation. The gang was known for taunting researchers and claimed in May that they had made so much money from their operation – $2 billion – that they could afford to retire. That announcement was taken with a large pinch of salt by many security researchers, both in terms of their stated earnings and the decision to retire.

Shortly before their announced retirement, a new ransomware variant appeared on the scene – Sodinokibi aka REvil. The new ransomware was also being used under the ransomware-as-a-service model, although the threat actors behind Sodinokibi have been more selective with their choice of affiliates and are only using a select few with experience of conducting ransomware campaigns.

Sodinokibi, like GandCrab, has proven to be extremely profitable and the timing of the release of the new ransomware variant led some researchers to believe Sodinokibi is the GandCrab group’s new venture. Evidence has been mounting which suggests that is the case.

Security researchers have found several similarities in the code of the two ransomware families which strongly suggest they were written by the same developers. According to SecureWorks, the string decoding functions in Sodinokibi (which it tracks as REvil) are virtually identical to those in GandCrab. SecureWorks researchers also note that both families use similar URL-building logic when generating their ransom notes, and that the code logic seen in REvil had previously been observed only in GandCrab.

Malware reverse engineer Eric Klonowski also found a debug path in REvil that used a folder named GC6, suggesting GandCrab 6; the last GandCrab version in use was 5.2. Further links have been found in the way the Tor payment sites work and in how the attackers communicate with their victims.
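A leftover debug path is one of the cheapest attribution pivots an analyst has, because the compiler embeds the PDB path verbatim in the binary's CodeView ("RSDS") debug record. The following is an added example, not code from the article or from the researchers it cites: it pulls RSDS records out of a raw byte buffer and flags any directory component matching a watch list such as "GC6". The sample buffer is constructed here for illustration; it is not a real Sodinokibi or GandCrab binary, and the path it contains is made up.

```python
import re
import struct
import uuid

# CodeView PDB 7.0 record: "RSDS" signature, 16-byte GUID, 4-byte age,
# then a NUL-terminated PDB path. It sits in the debug directory data,
# so a raw scan of the file bytes is enough to recover it.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)


def extract_pdb_records(data: bytes):
    """Return every RSDS record found in data as dicts with guid, age, path."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group(1))        # GUID is stored little-endian
        age = struct.unpack("<I", m.group(2))[0]      # PDB age, little-endian uint32
        path = m.group(3).decode("ascii", errors="replace")
        records.append({"guid": str(guid), "age": age, "path": path})
    return records


def path_components(path: str):
    """Split a Windows or POSIX path into its non-empty directory/file parts."""
    return [p for p in re.split(r"[\\/]+", path) if p]


def find_marker_dirs(records, markers):
    """Return (path, component) pairs whose directory name matches a marker (case-insensitive)."""
    wanted = {m.upper() for m in markers}
    hits = []
    for rec in records:
        for comp in path_components(rec["path"]):
            if comp.upper() in wanted:
                hits.append((rec["path"], comp))
    return hits


# Constructed sample buffer (hypothetical, not a real malware sample):
# a fake MZ header, padding, one RSDS record, then trailing junk bytes.
SAMPLE = (
    b"MZ" + b"\x90" * 64
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + b"C:\\build\\GC6\\Release\\loader.pdb\x00"
    + b"\xcc" * 32
)

if __name__ == "__main__":
    recs = extract_pdb_records(SAMPLE)
    for rec in recs:
        print(f"{rec['guid']} age={rec['age']} {rec['path']}")
    for path, comp in find_marker_dirs(recs, ["GC6", "GandCrab"]):
        print(f"marker {comp!r} in {path}")
```

To use it on a real file, read the file with `open(name, "rb").read()` and pass the bytes to `extract_pdb_records`; the GUID and age together also give you the PDB identifier that symbol servers key on, which is handy for clustering builds from the same machine.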

According to Cisco Talos, at least one affiliate of the Sodinokibi operation is known to have also signed up for the GandCrab operation, having delivered both ransomware variants in the same attack. Given the level of experience the threat actors behind Sodinokibi require of their affiliates, this is perhaps not surprising, but it is yet another link suggesting the two operations are closely connected.

GandCrab may be dead and buried, but it appears that Sodinokibi is just the next step in the evolution of the ransomware. GandCrab had a ransomware market share of around 50% prior to it being decommissioned and is estimated to have caused losses in excess of $300 million. Sodinokibi looks set to take its place.

The threat actors behind both ransomware variants are unknown, and it is unclear whether the gang has simply switched ransomware variants, whether some members have 'retired', or whether the developers remain active under a new banner. What is certain is that the threat posed by the new ransomware variant is just as severe as GandCrab, and the operation is likely to prove just as profitable for the attackers and just as damaging for the victims of its attacks.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of