<\/p>\n\n\n\n
Sodinokibi, though, was somewhat unique because of its Ransomware-as-a-Service model (RaaS): the core developers, the ones controlling the source code, \u2018rented out\u2019 the program to lower-level criminals called affiliates, who actually performed attacks.
<\/p>\n\n\n\n
Affiliates agreed to share 40% of profits with the core gang to access the ransomware itself and tech support. Funny enough, many of them were also cheated because of a backdoor left in several versions of REvil.
<\/p>\n\n\n\n
The ransomware is believed to have originated in the former Soviet Union, and like many families from that region, REvil did not target companies in the former Soviet-bloc. The researchers also found many similarities with the DarkSide ransomware in its source code and ransom note composition. This may indicate that the two crews are connected in some way or that both strains were operated by the same crew.
<\/p>\n\n\n\n
Analysts note that Sodinokibi\u2019s code was skilfully written: this malware was characterized by rapid execution and encryption, leaving little chance for victims to respond to attacks.
<\/p>\n\n\n\n
The distribution channels of Sodinokibi were as varied as its affiliates: spam phishing, spear phishing, and APTs.
<\/p>\n\n\n\n
But it was the targeted attacks and excessively large demands that first drew attention to this ransomware.<\/p>\n\n\n\n
High-profile Sodinokibi hacks<\/h2>\n\n\n\n
Sodinokibi activity began shortly after GandCrab<\/a> disappeared from the wild. The attackers wasted no time in staging a series of major hacks that occurred in quick succession: May 2020<\/strong>. The group behind Sodikokibi hacks Grubman Shire Meiselas & Sacks, a law firm representing Donald Trump. They demand $42 million in ransom before bragging about it in a press interview and, allegedly, selling the data. March 2021<\/strong>. The ransomware breaches Acer, encrypts an undisclosed amount of files, and the gang puts out a $50 million request which grows to $100 million if not paid in time. May 2021<\/strong>. An attack hits JBS S.A., the largest meat processor in the world, its plants in the US are all shutdown, and the company pays $11 million. July 2021<\/strong>. The breach of Kaseya cripples hundreds of managed service providers. One store chain in Sweden temporarily closes 800 locations. The extortion amount starts at $70 million. July 2021.<\/strong> A US-based weapon developer HX5 gets breached, and the gang steals and leaks sensitive documents. Besides all of that, Sodinokibi was used in countless smaller attacks and wide-hitting phishing campaigns carried out by less prominent affiliates. All and all, the whole operation has generated around $200 million, 10% of what the REvil gang had publicly declared they would steal. In the end, the sheer audacity of these hacks attracted the closest attention of law enforcement. During Operation GoldDust, 17 countries coordinated their efforts to find and capture the criminals behind Sodinokibi. They arrested 7 suspects responsible for 5,000 attacks. In fall of 2021, C2 locations associated with REvil began to go dark after the US found out the whereabouts of several gang members. In October 2201, Yaroslav Vasinskyi \u2014 one of the most active Sodinokibi affiliates \u2014 was arrested<\/a> in Poland while trying to flee, and extradited to the US. He is responsible for the Kaseya hack, and many more, and faces up to 115 years in prison if found guilty on all counts. That same month, the FBI, the Secret Service, and several other law enforcement agencies launched a wave of counter-hacks that breached Sodinokibi servers right back and destroyed the remaining infrastructure. From that moment on, REvil members were practically paralyzed. Finally, in January 2022, multiple Sodinokibi members were arrested<\/a> and the gang had “ceased to exist.\u2019\u2019<\/p>\n\n\n\n Ransomware attacks, in general, are extremely hard to mitigate \u2014 once the malware is downloaded, it executes quickly and locks you out or encrypts your files. Unless a public decryptor is available for that exact strain and version \u2014 which it usually isn\u2019t \u2014 there is nothing you can do. Sometimes, even backups get corrupted as the program propagates laterally and roots itself deep in your network. So the strategy is to avoid getting infected in the first place. And one great way to do that is with ANY.RUN online malware sandbox<\/a>. It uses Suricata rulesets to identify malicious programs \u2014 even those that successfully evade detection by various AV software. The service can scan both files and links for signs of malicious activity. And analysis results are available in less than 2 minutes, with MITRE ATT&CK and IOC indicators displayed on a visual process graph. For a while, Sodinokibi could be detected using the changes it made in the registry. It wrote keys such as HKEY_CURRENT_USER\\SOFTWARE\\RECFG with the name PK_KEY and others. Also, it created a ransom note with a consistent copy.<\/p>\n\n\n\n Interestingly, malware authors created a Sodinokibi sample<\/a> with a polished website available at the domain decryptor[.]top, where victims could decrypt three images for free. A trial of sorts. Also, the website provided a countdown (\u201cafter the time runs out, the ransom amount will be set to 5 000 dollars\u201d), payment instructions in bitcoins, as well as information about the decryption process. If decryptor[.[top wasn\u2019t available, the victims could visit its [.]onion clone through the Tor web browser.<\/p>\n\n\n\n This story teaches us 3 things: Jokes aside, taking down Sodinokibi was a huge win in the war against ransomware. It was an enormous effort requiring unprecedented coordination between countries, and it paid off, this time at least. But squashing cyberthreats is a bit like playing Whac-A-Mole: bop one on the head, and another is already poking out somewhere else. The dismantlement of REvil left a void in the market, which other, more low-key ransomware crews are already filling in \u2014 like Donut, which is definitely worth keeping an eye on. If you want to read more stories like this, check out our recount of the rise and fall of Emotet<\/a>, the omnipresent trojan of 2019 and 2020. Or read about the history of MyDoom<\/a>, the most damaging computer worm of its time that \u2014 excuse the terrible pun \u2014 doomed countless computers in the aughts.
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\nThe downfall of Sodinokibi<\/h2>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\nRecognizing REvil ransomware with ANY.RUN<\/h2>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n![\"Sodinokibi](\"https:\/\/lh4.googleusercontent.com\/XAc2NJnXvxc-oR3gtx5qu5GEwNdrNmjakUaqtinybTZLf9f-MKx850QXtSPWRnrT72_aJyCBfUjq0X5nzfhuHWxBhcBqFaIwZ1z1bgNGb85GjIVhfco_pTW5BB5zXSMe6EyIN4ViqVfKF_8HY0tA5pgJGh5qPbfMyzorqimsbQzLUzCKESq3PIdit0ZiQw\")
Conclusion<\/h2>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n