Ransomware Threat Assessments: A Companion to the 2021 Unit 42 Ransomware Threat Report



Threat Assessment: GandCrab and REvil Ransomware

Executive Summary

GandCrab was a short-lived but prolific ransomware family. It was first observed in January 2018 and remained a prevalent threat until May 2019, going through a number of versions in that time. GandCrab was most commonly delivered as the payload of malvertising, spam and exploit kit campaigns. Malvertising uses malicious advertisements to infect victims through drive-by downloads, and exploit kits have routinely been used in the same way; a multitude of them dropped GandCrab on victims' computers. The exploit kits most often used to distribute GandCrab were Rig and Grandsoft.

In May 2019, the authors behind GandCrab announced that they were retiring, claiming they had made enough money and done enough damage. Around the same time, a new ransomware called REvil (also known as Sodinokibi) was emerging. The strong similarities between the two families have led security researchers to conclude that REvil was an evolution of GandCrab. What changed were the victims and the tactics of the affiliates: REvil was still affiliate ransomware like GandCrab, but its affiliates were more skilled at targeted intrusions than the commodity-style attacks used to spread GandCrab.

GandCrab Ransomware Overview

What made GandCrab notable was the affiliate program used to propagate the malware. Distribution was left to partners who found victims and in turn received a portion of each ransom paid. It's been reported that the operators kept 30 to 40 percent of each payment, with the remainder going to the affiliate.

Leaving distribution logistics to other attackers explains the wide array of infection vectors seen, and it left the authors free to develop and harden the malware. This mattered, because researchers released decryptors more than once that let victims recover their files without paying. The authors are also suspected of being Russian: the malware checked the victim's keyboard layout and skipped the machine if it found a Russian layout, which is generally read as an attempt to avoid prosecution in that country.

Figure 1. GandCrab affiliate announcement (source: Krebs on Security).

GandCrab is often easily identifiable by the file extension appended to ransomed files: .KRAB or .CRAB. The extension is added after the original file name, so an encrypted document keeps its original name and extension underneath.
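The appended-extension artifact is the quickest thing to check on a suspect host. The script below is an added example, not code from the original post or from Unit 42: it walks a directory tree, counts files whose name ends in one of the two extensions named above, and reports how concentrated they are per directory, which is the triage signal a responder wants when deciding whether encryption ran and where it started. The sample tree it builds is constructed for the example; the function names are assumptions. Later GandCrab versions used other, per-victim extensions, so in practice the extension set has to be widened beyond the two listed here.

```python
"""Scan a directory tree for files carrying a GandCrab-style appended extension.

Added example (not from the original post). GandCrab appended .KRAB or .CRAB
to the victim's files, so an encrypted document keeps its original name and
extension underneath: 'invoice.pdf.KRAB'.
"""
import os
import tempfile
from pathlib import Path

# Extensions named in the post. Compared case-insensitively so that a tool
# that lower-cases paths on the way in does not miss them.
GANDCRAB_EXTENSIONS = {".krab", ".crab"}


def is_gandcrab_encrypted(name: str) -> bool:
    """True if the name ends in a GandCrab extension appended to another name.

    'invoice.pdf.KRAB' -> True; 'README.KRAB' -> True; 'crab.txt' -> False.
    A bare '.KRAB' has no stem and no suffix, so it is not counted.
    """
    p = Path(name)
    return p.suffix.lower() in GANDCRAB_EXTENSIONS and p.stem != ""


def scan_tree(root) -> dict:
    """Walk root and return per-directory counts of encrypted vs. total files."""
    per_dir = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if is_gandcrab_encrypted(f)]
        per_dir[dirpath] = {
            "encrypted": len(encrypted),
            "total": len(files),
            "examples": sorted(encrypted)[:3],   # a few names for the report
        }
    return per_dir


def summarize(per_dir: dict) -> dict:
    """Collapse the per-directory scan into host-level numbers for triage."""
    total = sum(v["total"] for v in per_dir.values())
    encrypted = sum(v["encrypted"] for v in per_dir.values())
    # Directories with hits, most affected first.
    hit = sorted((d for d, v in per_dir.items() if v["encrypted"]),
                 key=lambda d: -per_dir[d]["encrypted"])
    return {
        "total": total,
        "encrypted": encrypted,
        "ratio": encrypted / total if total else 0.0,
        "directories_hit": hit,
    }


def build_sample_tree(base) -> None:
    """Constructed sample tree (not real victim data) so the example runs offline."""
    base = Path(base)
    (base / "Documents").mkdir(parents=True, exist_ok=True)
    (base / "Pictures").mkdir(parents=True, exist_ok=True)
    # Three encrypted files and one untouched text file in Documents ...
    for name in ["invoice.pdf.KRAB", "budget.xlsx.KRAB", "notes.txt.CRAB", "readme.txt"]:
        (base / "Documents" / name).write_text("x")
    # ... one encrypted image and a benign file whose *stem* happens to be 'crab'.
    for name in ["holiday.jpg.KRAB", "crab.txt"]:
        (base / "Pictures" / name).write_text("x")


def demo_report() -> dict:
    """Build the sample tree in a temporary directory, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    report = demo_report()
    print(f"{report['encrypted']}/{report['total']} files encrypted "
          f"({report['ratio']:.0%}) across {len(report['directories_hit'])} directories")
```

Point it at a mounted image or a live volume instead of the sample tree; a ratio close to 1 in user data directories, with the hits spreading out from one starting directory, is the pattern to expect from a completed encryption run.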

In May 2019, the developers of GandCrab famously announced that they would no longer develop the ransomware. Their reasoning was that in just over a year they had made enough money to retire and had proved that they could do evil and get away with it. They also claimed to have made over $150 million in that time and to have moved their profits into legal projects. Since the announcement, other ransomware samples with similar indicators have been observed, so it's thought that some of the authors continued to develop ransomware.

Figure 2. GandCrab infection on the endpoint (source: Any.Run).

REvil Ransomware Overview


In April 2019, another ransomware called REvil (also known as Sodinokibi) appeared. The similarities to GandCrab were immediate, and early REvil samples were identified as GandCrab. REvil is also ransomware-as-a-service (RaaS) that uses affiliates to distribute the malware; affiliates receive a percentage of each ransom paid after the developers take their cut.

REvil's distribution methods differed from GandCrab's because its affiliates were more skilled and actively attacked victims to compromise enterprise networks, for example by exploiting Oracle WebLogic (CVE-2019-2725) or brute-forcing Remote Desktop Protocol (RDP) passwords before dropping REvil. They also used red team tools, tactics, techniques and procedures (TTPs) rather than the malicious spam, exploit kit and malvertising vectors of GandCrab. Victims were therefore chosen more deliberately, with the intent of extracting higher ransoms.
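RDP password brute-forcing is the one initial-access vector above that every Windows environment can detect from its own Security log. The detector below is an added example, not code from the original post or from Unit 42. It groups failed logons (Event ID 4625) by source address inside a sliding window and raises a higher-severity alert when a successful logon (Event ID 4624) from the same address follows the burst, which is the point at which a brute force becomes an intrusion. The event records are constructed for the example, with only the fields the logic needs; the threshold and window are assumptions to tune per environment. One caveat the logic accounts for: RDP sessions are logged with logon type 10 (RemoteInteractive), but when Network Level Authentication is enabled a failed credential check is recorded as a type 3 (Network) logon before any RDP session exists, so a detector keyed only on type 10 misses most of the brute force.

```python
"""Flag RDP password brute-forcing from Windows Security log events.

Added example (not from the original post). Input records carry the fields
the logic needs: EventRecord time, Event ID, TargetUserName, IpAddress and
LogonType. The events below are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL, SUCCESS = "4625", "4624"
# 10 = RemoteInteractive (RDP session). 3 = Network: with NLA in front of
# RDP, failed credential checks land here before any session is created.
RDP_LOGON_TYPES = {"10", "3"}


def _ev(ts, eid, user, src, ltype="10"):
    """Build one constructed Security log record (sample data, not a real log)."""
    return {"time": ts, "id": eid, "user": user, "src": src, "logon_type": ltype}


SAMPLE_EVENTS = (
    # 198.51.100.23: eight failures in eight seconds, then a success -> likely compromise.
    [_ev(f"2021-03-01T02:00:{s:02d}", FAIL, "administrator", "198.51.100.23") for s in range(1, 9)]
    + [_ev("2021-03-01T02:00:09", SUCCESS, "administrator", "198.51.100.23")]
    # 10.0.0.5: a user mistyping a password twice -> below threshold, no alert.
    + [_ev(f"2021-03-01T02:05:{s:02d}", FAIL, "jdoe", "10.0.0.5") for s in (10, 14)]
    + [_ev("2021-03-01T02:05:20", SUCCESS, "jdoe", "10.0.0.5")]
    # 203.0.113.9: six failures logged as Network logons (NLA), no success yet.
    + [_ev(f"2021-03-01T03:10:{s:02d}", FAIL, "admin", "203.0.113.9", "3") for s in range(0, 30, 5)]
)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: alert} for sources with >= threshold failures inside window.

    Severity is 'medium' for a bare burst and 'high' when a success from the
    same source follows it.
    """
    recent = defaultdict(deque)   # src -> failure timestamps inside the window
    total = defaultdict(int)      # src -> all failures seen
    users = defaultdict(set)      # src -> usernames tried
    alerts = {}
    for e in sorted(events, key=lambda x: x["time"]):
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src, ts = e["src"], datetime.fromisoformat(e["time"])
        if e["id"] == FAIL:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:       # drop failures older than the window
                q.popleft()
            total[src] += 1
            users[src].add(e["user"])
            if src in alerts:               # keep the existing alert current
                alerts[src]["failures"] = total[src]
                alerts[src]["users"] = sorted(users[src])
            elif len(q) >= threshold:
                alerts[src] = {
                    "src": src,
                    "failures": total[src],
                    "users": sorted(users[src]),
                    "burst_start": q[0].isoformat(),
                    "success_after": None,
                    "severity": "medium",
                }
        elif e["id"] == SUCCESS and src in alerts:
            # A success after the burst: treat as a probable compromise.
            alerts[src]["success_after"] = {"user": e["user"], "time": e["time"]}
            alerts[src]["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{a['severity']:6} {src}: {a['failures']} failures for {a['users']}, "
              f"success after burst: {a['success_after']}")
```

To run it on real data, map the 4625/4624 fields (IpAddress, TargetUserName, LogonType) into the same record shape; the source address is the field that matters, since an attacker rotating usernames against one host still shares it.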

Analysis has shown strong similarities between REvil and GandCrab samples, and on that basis it's widely believed that REvil is a rebrand and evolution of GandCrab, which in turn means that not all of GandCrab's developers were done creating such malware. The affiliates' infection tactics also show an evolution, from commodity attacks to intrusions by more skilled affiliates familiar with red team TTPs. The targets changed too, from anyone who clicked a link in a malicious email to companies with externally facing vulnerabilities that let attackers in to drop REvil.

In 2020, the average ransom payment was $508,523, with REvil actors targeting victims in the professional and legal services, manufacturing, media and communication, wholesale and retail, construction and engineering, and energy sectors in the US, Australia, Canada, Finland and Hong Kong.

More information on REvil victimology can be found in the 2021 Unit 42 Ransomware Threat Report.

Courses of Action

This section documents relevant tactics, techniques and procedures (TTPs) used with GandCrab and REvil, and maps them directly to Palo Alto Networks products and services. It also instructs customers on how to ensure their devices are configured correctly.

Command and Control
Techniques: Application Layer Protocol [T1071.001], Non-Application Layer Protocol [T1095]

  NGFW
    • Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
    • Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist
    • Ensure a 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources exists
  Threat Prevention†
    • Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
    • Ensure a secure antivirus profile is applied to all relevant security policies
    • Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories and threats
    • Ensure DNS sinkholing is configured on all anti-spyware profiles in use
    • Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use
    • Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the internet
  DNS Security†
    • Enable DNS Security in the Anti-Spyware profile
  URL Filtering†
    • Ensure that URL Filtering is used
    • Ensure that URL Filtering uses the action of 'block' or 'override' on the <enterprise approved value> URL categories
    • Ensure that access to every URL is logged
    • Ensure all HTTP Header Logging options are enabled
    • Ensure secure URL filtering is enabled for all security policies allowing traffic to the internet
  Cortex XSOAR
    • Deploy XSOAR Playbook - Block IP
    • Deploy XSOAR Playbook - Block URL
    • Deploy XSOAR Playbook - Palo Alto Networks - Hunting And Threat Detection

Defense Evasion, Persistence, Discovery
Techniques: Exploitation for Defense Evasion [T1211], Registry Run Keys / Startup Folder [T1547.001], Masquerading: Match Legitimate Name or Location [T1036.005], Modify Registry [T1112], Process Discovery [T1057]

  Threat Prevention†
    • Ensure a Vulnerability Protection Profile is set to block attacks against critical and high vulnerabilities, and set to default on medium, low and informational vulnerabilities
    • Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic
  Cortex XDR
    • Enable Anti-Exploit Protection
    • Enable Anti-Malware Protection
    • Configure Behavioral Threat Protection under the Malware Security Profile
    • Configure Restrictions Security Profile

Impact
Techniques: Data Encrypted for Impact [T1486], Inhibit System Recovery [T1490]

  Cortex XSOAR
    • Deploy XSOAR Playbook - Ransomware Manual for incident response
    • Deploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation

Table 1. Courses of Action for GandCrab and REvil ransomware.
†These capabilities are part of the NGFW security subscriptions service.
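Two of the techniques in Table 1, Inhibit System Recovery [T1490] and Registry Run Keys / Startup Folder [T1547.001], leave host-level telemetry that any EDR or Sysmon pipeline can match regardless of vendor. The code below is an added example, not from the original post and not a signature for any particular GandCrab or REvil sample: it matches the generic shadow-copy and boot-recovery tampering command lines and the Run-key writes that MITRE ATT&CK documents for these techniques. The input records are constructed to look like Sysmon events (ID 1 process creation, ID 13 registry value set) and use Sysmon's field names; the SID, paths and everything else in them are sample data.

```python
"""Match process-creation and registry events against T1490 and T1547.001.

Added example (not from the original post). Records follow Sysmon field names:
Event ID 1 carries Image/CommandLine, Event ID 13 carries TargetObject/Details.
All records below are constructed sample data.
"""
import re

# T1490: shadow copy deletion and recovery tampering as documented by ATT&CK.
# Case-insensitive, tolerant of extra whitespace and of 'vssadmin' vs 'vssadmin.exe'.
T1490_PATTERNS = [
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"vssadmin(\.exe)?\s+resize\s+shadowstorage",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b",
    r"bcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b",
    r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
]
T1490_RE = re.compile("|".join(f"(?:{p})" for p in T1490_PATTERNS), re.IGNORECASE)

# T1547.001: a Run/RunOnce value whose target lives in a user-writable location,
# which is where a dropped ransomware binary usually sits. Signed software in
# Program Files writing its own Run value is left alone.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SUSPICIOUS_PATH_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Constructed sample events (a fictitious user SID and paths).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe  Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},            # admin use, benign
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},   # benign
]


def classify(event):
    """Return (technique_id, matched_text) for a matching event, else None."""
    if event["EventID"] == 1:
        m = T1490_RE.search(event.get("CommandLine", ""))
        if m:
            return "T1490", m.group(0)
    elif event["EventID"] == 13:
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY_RE.search(target) and SUSPICIOUS_PATH_RE.search(details):
            return "T1547.001", f"{target} -> {details}"
    return None


def scan_events(events):
    """Return a list of hits, each the original event plus 'technique' and 'reason'."""
    hits = []
    for event in events:
        result = classify(event)
        if result:
            technique, reason = result
            hits.append(dict(event, technique=technique, reason=reason))
    return hits


if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"{h['technique']}: {h['reason']}")
```

A T1490 hit whose parent process sits in AppData or Temp, as in the first sample record, is worth treating as an encryption run in progress rather than as an administrator cleaning up disk space; pairing the command-line match with the parent image is the cheapest way to cut false positives from backup tooling.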


While attackers leveraging ransomware affiliate programs is not new, GandCrab proved just how easy and successful these programs can be in practice. Key to that success is a low barrier to entry into the cybercrime ecosystem, combined with distributing funds across affiliate program members. GandCrab established itself as a power player in the affiliate schemes common on underground forums and social networks.

The actors behind GandCrab would have had people believe in 2019 that they were done with ransomware, but the emerging REvil showed clear similarities to their work. Those similarities became so strong that the security community believes REvil is an evolution of GandCrab. The evolution was not only in the malware but in the affiliates used to distribute it and the TTPs they used to compromise enterprise victims, which led to more targeted victims and, unfortunately, higher ransoms. On top of this, REvil adds an extortion angle: if victims do not pay by a deadline, data stolen from them during the attack is auctioned off on underground forums. It is this shift to targeted attacks by affiliate ransomware that makes REvil so dangerous to enterprises.

Palo Alto Networks detects and prevents GandCrab and REvil in the following ways:

  • WildFire: All known samples are identified as malware.
  • Cortex XDR with:
    • Indicators for GandCrab.
    • Anti-Ransomware Module to detect GandCrab encryption behaviors.
    • Local Analysis detection to detect GandCrab binaries.
  • Next-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which are also categorized as malware in URL Filtering.
  • AutoFocus: Tracking related activity using the GandCrab tag.
  • AutoFocus: Tracking related activity using the REvil AKA Sodinokibi tag.

Additionally, Indicators of Compromise (IoCs) associated with GandCrab are available on GitHub, and have been published to the Unit 42 TAXII feed.

