GandCrab Developers Behind Destructive REvil Ransomware (Sep 25, 2019)
Secureworks research team have assessed that the GandCrab group “Gold Garden” is still active and that they are probably behind a new ransomware variant called “REvil”. REvil first appeared in April 2019, and has been targeting Texas municipalities and dentist offices. There are code similarities between GandCrab and REvil, and they both contain code that prevents the malware from infecting machines in Russia. REvil has quickly become one of the most dangerous ransomwares in the wild.
Recommendation: Your company should have policies in place in regards to maintaining server software in such a way that new security updates are applied as soon as possible. Threat actors will often use vulnerabilities that have already been issued patches because information and proof-of-concept code of an exploit sometimes become available on public sources once a patch has been issued. Actors of all levels of sophistication are known to exploit such vulnerabilities because as this story shows, many users and administrators do not apply security updates.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.