Sodinokibi is One of the Most Sophisticated Ransomware Gangs. Here's How They Operate.

Getty Images

Sodinokibi, also known as REvil, is a sophisticated form of ransomware with an equally sophisticated criminal organization behind it. It currently represents at least a quarter of all the ransomware attacks recorded in 2020. 

This variant was first discovered in April 2019 and is considered to be an offshoot of GandCrab, a kind of ransomware that is estimated to have been behind 40 percent of ransomware incidents between 2018 and 2019 taking in a haul of more than $2 billion before it was officially “retired” by its developers, who announced that they were “getting a well-deserved retirement,” and declared themselves “living proof that you can do evil and get off scot-free.”

The retirement of the creators of GandCrab was short-lived, as they claimed responsibility for developing and releasing Sodinokibi, which first targeted two cities in Florida and then infected at least 22 separate municipal governments in Texas. Since then, it has been used in several other high-profile attacks, including Travelex, a currency exchange firm, and the celebrity law firm Grubman Shire Meiselas & Sacks.

While Sodinokibi has proven to be difficult to detect and has multiple means of infecting and encrypting systems, it also stands out due to its business model, which has come to be known as “ransomware-as-a-service,” or RaaS. Rather than deploying their own ransomware, the hacking group behind Sodinokibi leases it out to affiliates, who handle the work of infecting systems, collecting ransom and communicating with victims. The ransom is then split between both parties, with the developers receiving 40 percent of all payments received.

Another Sodinokibi tactic is to pressure victims into paying a ransom by putting the transaction on a two-day timer. If the victim doesn’t pay, the amount required doubles. Because this variant is service-oriented, most attacks provide resources and links to cryptocurrency exchanges and even online chat support. 

Although Sodinokibi has several advanced features that make it difficult to detect, many antivirus and malware programs have improved their detection rates and can often block it before it deploys on a network. Sodinkibi has also been seen to exploit known security vulnerabilities, especially on VPN services. In both cases, the best protection is to make sure systems are updated and patched regularly, especially when emergency security updates are made available.

One-Two Punch: Two crimes in one

Additionally, the hackers behind Sodinokibi have created a dark website where they auction off data from victims who refuse to pay ransoms, creating a one-two punch of disrupting businesses and organizations and then exposing them to the fallout, including major fines, from a major data breach. 

The lost productivity associated with a workforce losing access to its network can be considerable. If a company finds itself also confronted with employees who have suffered identity-related crimes as a result of an adverse cyber event like a ransomware attack, there is the potential for serious disruption. To address this scenario, human resources departments should consider offering identity theft resolution and other cyber solutions to employees as a perk. 

Identity theft victims will typically use twice as much sick time and are absent five times more than average dealing with an identity-related crime. It is avoidable.

“Adding cyber-protection to an employee benefits package or an insurance policy is a double win: It helps with retention and helps people engage in better cyber-self-protection,” says Cyberscout founder and chairman Adam Levin.  “Anyone who has been the victim of an identity-related crime will tell you that such services are a huge win for everyone involved.”

reference sources