Malware spotlight: Sodinokibi

Introduction

Ransomware is nothing new at this point and will be with us for the foreseeable future, as new strains are constantly emerging. Sometimes a new strain makes a big impact fast.

Sodinokibi is one of these strains of malware that needs to be taken seriously. Within four months of its discovery, it had managed to become the fourth most common ransomware on the internet! 

This article will provide you with a high-level view of the Sodinokibi ransomware. We’ll explore what it is, how it spreads, how it works and other useful information about this ransomware. 

What is Sodinokibi?

Sodinokibi was originally discovered in April 2019 by Cisco Talos and is sometimes referred to as Sodin or REvil. This ransomware-as-a-service (RaaS) targets Windows operating systems. It was first observed exploiting an Oracle WebLogic vulnerability, and it has been observed affecting only countries outside the former states of the USSR.

Part of what makes Sodinokibi so interesting is its origin. This goes back to the end of the GandCrab campaign, which earned the notoriety of being responsible for 40% of all ransomware infections worldwide. GandCrab, like Sodinokibi, was a RaaS, and the cybercriminal gang behind it boasted earnings of over $2 billion collected from victim ransom payments.

The administrators of GandCrab had announced their retirement, but this was apparently the retirement of GandCrab itself rather than of their campaigns for ill-gotten wealth. Instead, they shifted their focus to Sodinokibi, which has been described as a “lucrative in the extreme” scheme for its authors.

It should be noted that whether Sodinokibi is the creation of the GandCrab gang is technically still not known, but there are some key indicators that it indeed is. To start, researchers have observed a clear code overlap (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/RDffUjzjyq8/