{
	"id": "6f615299-e2ef-41d6-8722-a3bf7031cb8a",
	"created_at": "2026-04-06T00:12:42.50186Z",
	"updated_at": "2026-04-10T03:21:26.87453Z",
	"deleted_at": null,
	"sha1_hash": "e5551278641e548e3e37379b8d0e796f7424d131",
	"title": "Is ‘REvil’ the New GandCrab Ransomware?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 210553,
	"plain_text": "Is ‘REvil’ the New GandCrab Ransomware?\r\nPublished: 2019-07-15 · Archived: 2026-04-05 14:17:23 UTC\r\nThe cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as “REvil,” “Sodin,” and “Sodinokibi.”\r\n“We are getting a well-deserved retirement,” the GandCrab administrator(s) wrote in their farewell message on May 31. “We are a living proof that you can do evil and get off scot-free.”\r\nHowever, it now appears the GandCrab team had already begun preparations to re-brand under a far more private ransomware-as-a-service offering months before their official “retirement.”\r\nIn late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi that was used to deploy GandCrab, which encrypts files on infected systems unless and until the victim pays the demanded sum. A month later, GandCrab would announce its closure.\r\nhttps://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/\r\nPage 1 of 4\r\nA payment page for a victim of REvil, a.k.a. Sodin and Sodinokibi.\r\nMeanwhile, in the first half of May an individual using the nickname “Unknown” began making deposits totaling more than USD $130,000 worth of virtual currencies on two top cybercrime forums. The down payments were meant to demonstrate that the actor meant business in his offer to hire just a handful of affiliates to drive a new, as-yet unnamed ransomware-as-a-service offering.\r\n“We are not going to hire as many people as possible,” Unknown told forum members in announcing the new RaaS program. “Five more affiliates can join the program and then we’ll go under the radar. Each affiliate is guaranteed USD 10,000. Your cut is 60 percent at the beginning and 70 percent after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”\r\nAsked by forum members to name the ransomware service, Unknown said it had been mentioned in media reports but that he wouldn’t be disclosing technical details of the program or its name for the time being.\r\nUnknown said it was forbidden to install the new ransomware strain on any computers in the Commonwealth of Independent States (CIS), which includes Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.\r\nThe prohibition against spreading malware in CIS countries has long been a staple of various pay-per-install affiliate programs that are operated by crooks residing in those nations. The idea here is not to attract attention from local law enforcement responding to victim complaints (and/or perhaps to stay off the radar of tax authorities and extortionists in their hometowns).\r\nBut Kaspersky Lab discovered that Sodinokibi/REvil also includes one other nation on its list of countries that affiliates should avoid infecting: Syria. Interestingly, later versions of GandCrab took the same unusual step.\r\nWhat’s the significance of the Syria connection? In October 2018, a Syrian man tweeted that he had lost access to all pictures of his deceased children after his computer got infected with GandCrab.\r\n“They want 600 dollars to give me back my children, that’s what they’ve done, they’ve taken my boys away from me for some filthy money,” the victim wrote. “How can I pay them 600 dollars if I barely have enough money to put food on the table for me and my wife?”\r\nThat heartfelt appeal apparently struck a chord with the developer(s) of GandCrab, who soon after released a decryption key that let all GandCrab victims in Syria unlock their files for free.\r\nBut this rare display of mercy probably cost the GandCrab administrators and its affiliates a pretty penny. That’s because a week after GandCrab released decryption keys for all victims in Syria, the No More Ransom project released a free GandCrab decryption tool developed by Romanian police in collaboration with law enforcement offices from a number of countries and security firm Bitdefender.\r\nThe GandCrab operators later told affiliates that the release of the decryption keys for Syrian victims allowed the entropy used by the random number generator for the ransomware’s master key to be calculated. Approximately 24 hours after No More Ransom released its free tool, the GandCrab team shipped an update that rendered it unable to decrypt files.\r\nThere are also similarities between the ways that both GandCrab and REvil generate URLs that are used as part of the infection process, according to a recent report from Dutch security firm Tesorion.\r\n“Even though the code bases differ significantly, the lists of strings that are used to generate the URLs are very similar (although not identical), and there are some striking similarities in how this specific part of the code works, e.g., in the somewhat far-fetched way that the random length of the filename is repeatedly recalculated,” Tesorion observed.\r\nMy guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise.\r\nSource: https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/"
	],
	"report_names": [
		"is-revil-the-new-gandcrab-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5551278641e548e3e37379b8d0e796f7424d131.pdf",
		"text": "https://archive.orkl.eu/e5551278641e548e3e37379b8d0e796f7424d131.txt",
		"img": "https://archive.orkl.eu/e5551278641e548e3e37379b8d0e796f7424d131.jpg"
	}
}