The Sodinokibi Chronicles: A (R)Evil Cybercrime Gang Disrupts Organizations for Trade Secrets and Cash
It likes big game hunting, it enjoys deploying Cobalt Strike and it dabbles in critical vulnerability abuse. It’s known as Sodinokibi/REvil, a ransomware strain that emerged in 2019 as the heir to the GandCrab ransomware, a malware family that supposedly retired from the cyber crime arena in mid-2019 after reportedly amassing illicit profits of over $2 billion.
In the two years of its existence, Sodinokibi has gained considerable momentum, having been implicated in high-profile cyberattacks, locking up and even auctioning off data that belonged to companies like Travelex, Gunnebo, Brown-Forman, Asian retail giant The Dairy Farm Group and, most recently, an Apple supplier. The demands are often exorbitant, with victims asked for multi-million-dollar ransoms for their data:
- Leading cosmetics group Pierre Fabre: $25,000,000
- The Dairy Farm Group: $30,000,000
- New York-based law firm Grubman Shire Meiselas & Sacks: $42,000,000
- Apple MacBook supplier: $50,000,000
Is Sodinokibi all about the money? It’s hard to say.
In some cases, Sodinokibi actors manage to target defense contractors and organizations in countries that rival their assumed originating state, Russia. Having stolen terabytes of data, with victims having no way to know what the actors actually do with it after receiving payment, it is very plausible that money is just one objective, followed by espionage, both business and nation-state driven. Not unlike other major cybercrime gangs, the group's access to and control over major organizations' assets can lend it the power to collaborate on a variety of nefarious schemes, including adversarial nation-state activity.
‘Cryptoviral Extortion’ Is the Name of the Game
Threat actors that use ransomware take advantage of the inherent power of public-key cryptography to encrypt information in a way that is hard or impossible to break. The term "cryptoviral extortion" was coined in 1996 in an Institute of Electrical and Electronics Engineers (IEEE) paper. That paper also predicted that cryptoviral extortion would one day demand 'e-money,' long before Bitcoin even existed.
For the cryptographic basis of the attack, Sodinokibi uses a combination of elliptic curve Diffie-Hellman (ECDH), Salsa20, SHA-3 and Advanced Encryption Standard (AES) to encrypt and decrypt both malicious configuration data and user data (i.e., user files). It generates its private-public key pair using Curve25519, one of the fastest elliptic-curve cryptography (ECC) curves, designed for use with the ECDH key agreement scheme.
Sodinokibi operators may steal data in advance and then resort to extortion tactics that go beyond what the malware alone can achieve. Those who refuse to pay, relying on their ability to recover data, then receive threats that the data will be exposed on an auction site the group calls The Happy Blog. That is also where it names and shames its victims, offering up information that could be of use to other criminals or even competitors.
Additionally, in an interview given by an alleged REvil operator, known as Unknown, the person said he/she was considering launching distributed denial-of-service (DDoS) attacks on victim organizations as yet another way to increase the pressure on victims to pay the ransom.
In terms of prevalence in the wild, Sodinokibi made up 22% of all X-Force incident response engagements in 2020, suggesting that those operating this malware are more skilled at gaining access to victims' networks than the operators of other ransomware strains. X-Force estimates that nearly 80% of the gang's victims are organizations from the US (58%), UK (8%), Australia (5%) and Canada (3%).
The faces of Sodinokibi are many, as it is the sort of malware that is distributed by various affiliates. In 2020, this ransomware's originators showed off their success by depositing $1 million in Bitcoin into a Russian-speaking cybercrime forum as part of a recruitment drive for more affiliates to join its ranks.
Sodinokibi: A Head-to-Head Battle With Manual Targeted Attacks