The Sodinokibi Chronicles: A (R)Evil Cybercrime Gang Disrupts Organizations for Trade Secrets and Cash

It likes big game hunting, it enjoys deploying Cobalt Strike and it dabbles in critical vulnerability abuse. It’s known as Sodinokibi/REvil, a ransomware strain that emerged in 2019 as the heir to GandCrab, a malware family that supposedly retired from the cybercrime arena in mid-2019 after reportedly amassing illicit profits of over $2 billion.

In the two years of its existence, Sodinokibi has gained considerable momentum, having been implicated in high-profile cyberattacks, locking up and even auctioning off data that belonged to companies like Travelex, Gunnebo, Brown-Forman, Asian retail giant The Dairy Farm Group and, most recently, an Apple supplier. The ransom demands are often exorbitant, with victims asked for multi-million-dollar sums for their data:

  • Leading cosmetics group Pierre Fabre: $25,000,000
  • The Dairy Farm Group: $30,000,000
  • New York-based law firm Grubman Shire Meiselas & Sacks: $42,000,000
  • Apple MacBook supplier: $50,000,000

Is Sodinokibi all about the money? It’s hard to say. In some cases, Sodinokibi actors manage to target defense contractors and organizations in countries that rival their assumed originating state, Russia.
With terabytes of data stolen and no way for victims to know what the attackers actually do with it after payment is received, it is very plausible that money is just one objective, followed by espionage, both business and nation-state driven. Not unlike other major cybercrime gangs, the group’s access to and control over major organizations’ assets can lend it the power to collaborate on a variety of nefarious schemes, including adversarial nation-state activity.

‘Cryptoviral Extortion’ Is the Name of the Game

Threat actors that use ransomware take advantage of the inherent power of public-key cryptography to encrypt information in a way that is hard or impossible to break without the attacker’s key. The term “cryptoviral extortion” was coined in 1996 in an Institute of Electrical and Electronics Engineers (IEEE) paper. The same paper also predicted that cryptoviral extortion would one day demand ‘e-money,’ long before Bitcoin even existed.

For the cryptographic basis of the attack, Sodinokibi uses a combination of elliptic curve Diffie-Hellman (ECDH), Salsa20, SHA-3 and Advanced Encryption Standard (AES) to encrypt and decrypt both malicious configuration data and user data (i.e., user files). It generates its private-public key pair using Curve25519, one of the fastest elliptic-curve cryptography (ECC) curves designed for use with the ECDH key agreement scheme.
Sodinokibi operators may steal data in advance and then resort to extortion tactics that go beyond what the malware itself can do. Those who refuse to pay up, relying on their ability to recover data from backups, then receive threats that the stolen data will be exposed on an auction site the group calls The Happy Blog. That is also where it names and shames its victims, offering up information that could be of use to other criminals or even competitors.

Additionally, in an interview given by an alleged REvil operator known as Unknown, the person said they were considering launching distributed denial-of-service (DDoS) attacks on victim organizations as yet another way to increase the pressure on victims to pay the ransom.

In terms of prevalence in the wild, Sodinokibi made up 22% of all X-Force incident response engagements in 2020, suggesting that those operating this malware are more skilled at gaining access to victims’ networks when compared to other ransomware strains. X-Force estimates that nearly 80% of the gang’s victims are a combination of organizations from the US (58%), UK (8%), Australia (5%) and Canada (3%).
The faces of Sodinokibi are many, as it is the sort of malware that is distributed by various affiliates. In 2020, this ransomware’s originators showed off their success by depositing $1 million in Bitcoin into a Russian-speaking cybercrime forum as part of a recruitment drive for more affiliates to join its ranks.

Sodinokibi: A Head-to-Head Battle With Manual Targeted Attacks
