Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Sodinokibi Ransomware Gang Appears to Be Making a Killing

Researchers Traces Bitcoins Paid to Ransomware-as-a-Service Operation Affiliates
Sodinokibi Ransomware Gang Appears to Be Making a Killing
Source: McAfee

The Sodinokibi ransomware-as-a-service operation appears to be making a killing, with proceeds flowing both to the gang behind the malware as well as dozens of affiliates.

See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

Also known as REvil and Sodin, Sodinokibi has lately seized the RaaS mantle from GandCrab, after the administrators of that criminal scheme announced their retirement on May 31, boasting that their affiliates had earned more than $2 billion (see Ransomware: As GandCrab Retires, Sodinokibi Rises).

Security firm McAfee has been tracing where Sodinokibi payments go, aided in part by each infection generating its own, unique bitcoin wallet if victims pay, with the average ransom demand working out to about 0.45 bitcoin, worth $4,000.

Based on following the money, McAfee researchers have found that the RaaS operation appears lucrative in the extreme.

Advertisement for Sodinokibi (Source: McAfee)

"We all knew that ransomware was big business for cybercriminals and in our past several research blogs speculated about projected criminal profits, but seeing it firsthand by following the money trail gives a different level of realization that we are dealing with adversaries with very deep pockets, literally having millions of dollars as a budget," John Fokker, McAfee's head of cyber investigations, tells Information Security Media Group.

Average Ransom Payment: $4,000

McAfee's Fokker and Christiaan Beek, the company's lead scientist, report in a recently published blog post that every such attack stands to enrich not only the affiliates but also the gang providing the ransomware.

"We are dealing with adversaries with very deep pockets, literally having millions of dollars as a budget"
—John Fokker, McAfee

In particular, Sodinokibi affiliates keep 60 percent of every ransom payment, rising to 70 percent after they book three successful ransom payments. The remaining 30 or 40 percent gets remitted to the actor or actors behind Sodinokibi. With the average ransom amount paid being $2,500 to $5,000, the Sodinokibi actor would typically receive $700 to $1,500 every time a victim pays a ransom.

Following the money - or in this case cryptocurrency - from when a victim pays until when it ends up in an attacker's bitcoin wallet or gets cashed out can be difficult. McAfee says victims are advised to pay their ransom via an exchange; Coinbase.com appears to be commonly used. Tracing the flow of bitcoins, researchers said many of them get routed to Bitmix.biz, "a popular underground bitcoin mixer that is obfuscating the next transactions to make it difficult to link the transactions back to the 'final' wallet or cash-out in a (crypto) currency."

Working with the blockchain analysis firm Chainalysis, the researchers said they were able to trace numerous payments that appeared to be getting routed from victims, to two or three intermediate wallets, before going to an 'affiliate' or 'distribution' wallet, with a split then being routed through multiple wallets to the Sodinokibi actor.

"We can't say it with 100 percent certainty, but some of the larger BTC chunks seem to be moved manually up until it is transferred into a bitcoin mixing service to be laundered," Fokker says. "From our experience with those services, and our assistance with Bestmixer, we know these services are heavily automated." (See Bestmixer Cryptocurrency Laundering Site Shuttered.)

Ransomware-as-a-Service Crossover

The group behind Sodinokibi appears to have had a head start on its success. While it's not clear what relationship the GandCrab and Sodinokibi gangs might have, researchers report seeing a clear code overlap in their malware. Security firm Secureworks says that based on multiple clues it believes that the threat groups behind GandCrab and Sodinokibi - aka Sodin and REvil - "overlap or are linked."

In other words, one or more developers may not have retired with GandCrab, but helped set up a new operation (see Did GandCrab Gang Fake Its Ransomware Retirement?).

Like GandCrab, a customized version of Sodinokibi gets supplied to each individual affiliate, who infects systems with the malware and then shares a cut of the proceeds with organizers. Some affiliates appear to be more technically skilled than others. Coveware, a Connecticut-based ransomware incident response firm, says that at least one affiliate group specializes in hacking IT service providers as well as managed security service providers. Doing so enables the affiliate to distribute the ransomware to hundreds or thousands of endpoints managed by the service provider.

"It's been devastating, because when they do get into an MSP, they hit hundreds of companies, sometimes simultaneously, [generating] very high return on the attack, rather than just hitting the MSP, which is also a small business," Coveware CEO Bill Siegel has told ISMG. "They're hitting hundreds of small organizations at a time."

Such tactics were seen in the August crypto-locking malware attack that hit 22 Texas municipalities, which security experts have confirmed to ISMG began with an attacker first hacking into an IT service provider (see Texas Ransomware Responders Urge Remote Access Lockdown).

"Most likely there is one ransomware affiliate responsible for a large number of MSP-based attacks," Fabian Wosar, CTO at New Zealand-based anti-virus firm Emsisoft, tells ISMG. "That affiliate made their first attempts with GandCrab earlier this year. The whole experiment can only be described as a disaster as GandCrab simply wasn't built and didn't support the feature set required to pull off a successful MSP-based attack without having to deal with thousands of single victims, bitcoin transactions, and ultimately even decryptors that need to be generated."

REvil/Sodinokibi/Sodin self-service decryptor page, reachable for the anonymzing Tor browser. (Source: Secureworks)

Fixing such challenges appears to be one of the core new features contained in Sodinokibi, aka REvil. "It appears likely that the affiliate did approach the GandCrab group with certain revisions in mind to make these types of attacks more practicable. The result of these efforts is REvil," Wosar says.

Dozens of Affiliates

McAfee says it's counted at least 41 active Sodinokibi affiliates - each affiliate's version of Sodinokibi gets customized with a unique ID so that they can receive payments - and found that one affiliate, "Lalartu," which is the name of a ghostly, vampiric spirit in Sumerian legend, claimed to have made $287,000 in just 72 hours.

Post to an underground forum made by Lalartu. (Source: McAfee)

Previously, Lalartu claimed to have been a GandCrab affiliate, and also sold access to hacked sites via cybercrime site Exploit.in, according to New York-based cyber intelligence firm Advanced Intelligence. Yelisey Boguslavskiy, director of research at AdvIntel, says Lalartu's specialty was using Metasploit or Cobalt Strike penetration frameworks, sometimes backed by remote desktop protocol credentials, to breach sites and gain persistent, remote access to admin panels and Active Domain controllers. Such services were also being offered via Exploit.in by a hacker called "-TMT-" who appears to have been a long-time Lalartu collaborator, and who in August also began working with the Sodinokibi gang, Boguslavskiy tells ISMG (see Why Hackers Abuse Active Directory).

The hacker known as "-TMT-" has advertised on the Russian-language cybercrime underground and specializes in exploiting corporate networks, and has been selling remote access or offering a service that installs malware or ransomware onto breached sites. (Source: AdvIntel)

"In 2019, both Lalartu and -TMT- started to offer their services to the ransomware collectives," according to a report from AdvIntel, which notes that instead of selling access to hacked sites, the hackers offered to preload ransomware onto the sites for the collectives. "When this strategy proved its efficiency, they started to approach high-profile syndicates offering their service. ... Eventually, Lalartu facilitated the connection between -TMT- and REvil, as -TMT-'s attack skills were in high demand by such collectives."

Working with REvil appears to have led to a boom in business, which may explain why both hackers deserted the Exploit.in site, AdvIntel says. "The data breach community has been constantly sharing their concerns regarding the inefficiency of direct breach monetization via underground forums," it reports. "Indeed, many high-profile breaches were compromised by inexperienced buyers, or law enforcement, during the initial examination of the admin panel access. These concerns were only exacerbated by rumors of a potential compromise of Exploit's leadership account by Russian law enforcement." (See Stung by Takedowns, Criminals Tap Distributed Dark Markets).

Affiliates Shop at Hydra

McAfee says that many GandCrab affiliates appear to have jumped ship to Sodinokibi.

The security firm says it's also traced multiple affiliates using their bitcoins to buy goods and services from Hydra Market, a long-running Russian cybercrime marketplace that sells illicit goods and services in exchange for bitcoins (see Authorities Seize 'Darknet' Drug Sites).

"It was interesting to see the cybercriminal financial economy unfold in front of our eyes, for instance the role certain bitcoin mixing services play in laundering the profits, and purchases linking back to a Russian underground market selling illicit goods and drugs," Fokker says.

"Hydra Market is a Russian underground marketplace where many services and illegal products are offered with payment in bitcoins," McAfee says.

Sodinokibi appears to be posting healthy returns. The wallet for another affiliate McAfee identified, for example, contained 443 bitcoins, worth about $4.5 million.

With each affiliate likely seeing payment via at least a few infections daily, "we can imagine that the actors behind Sodinokibi are making a fortune," the McAfee researchers say.

Victims: Some Help Available

While the public/private No More Ransom project includes free decryptors for a number of different strains of ransomware, and is an excellent starting point for ransomware victims looking for recovery options, no free decryptors are yet available for Sodinokibi.

Likewise, ransomware victims can also upload their ransom note or an encrypted file to ID Ransomware a free service run by Michael Gillespie (@demonslay335), a security researcher at the firm. The service can be used to help identify the strain of ransomware - it currently recognizes 772 different strains - as well as to provide potential decryption or mitigation options.

ID Ransomware has no pointers to Sodinokibi decryptors. But both Coveware and Emsisoft have separately told ISMG that they can help at least some Sodinokibi victims.

"We developed an imperfect solution for Sodinokibi," Emsisoft says in a blog post. "It doesn't completely eliminate the need to pay the ransom, but it can significantly reduce the amount victims have to pay. We used this workaround in a case involving a managed service provider and 1,200 endpoints, and were able to recover the affected systems for approximately 90 percent less than the initial ransom demand."

REvil's decoded ransom note template with variable placeholders that can be customized by affiliates. (Source: Secureworks)

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.