September 24, 2019 By Ionut Ilascu
Hints of a connection between the defunct GandCrab and the Sodinokibi ransomware get stronger as researchers find code-level similarities and artifacts suggesting continued operations.
At the end of May this year, GandCrab operators announced that they had made enough money to quit the ransomware business. Right before their retirement, Sodinokibi, also referred to as REvil, came out strong in mid-April while targeting WebLogic servers by exploiting a critical vulnerability.
Surprisingly, eight hours after deploying Sodinokibi on the compromised hosts, the attackers also dropped GandCrab 5.2, researchers at Cisco Talos noted, indicating that the affiliate was playing for both teams.
The overlap between one ransomware ending its activity and the other starting did not go unnoticed and many speculated that the new malware is, in fact, the successor of the old one. In terms of profitability, they were not wrong.