What is the Sodinokibi Ransomware?

What is the Sodinokibi ransomware? And why should your IT security team be worried about it?

More popularly known as REvil (Ransomware Evil), Sodinokibi refers to a highly distributed ransomware and the cybercrime operation around it. The group behind Sodinokibi operates it as a ransomware-as-a-service (RaaS), where criminal affiliates deploy the malware into the network of whichever potential victim they are targeting, in exchange for a percentage of the proceeds (often 20% to 30%) charged by the malware authors/owners.

IBM Security reported that Sodinokibi was the dominant ransomware in 2021, accounting for 37% of all ransomware attacks globally. Meanwhile, U.S. officials believe that the Sodinokibi operation has received more than US$200 million in ransom payments since it started activity.   

In Australia, Sodinokibi breached the networks of UnitingCare Queensland, a non-profit healthcare services provider; and the Australian subsidiaries of JBS S.A., the world’s largest meat processing company.

Responsible for some of the most damaging cyber attacks in history, REvil/Sodinokibi has been troubling organisations across the globe and has dealt long-lasting reputational damage to a number of companies.  

Ransomware as a whole became a bigger concern for businesses due to the accelerated digitisation caused by the COVID-19 pandemic. Across the board, ransomware attack is on the uptrend as reported by key players in insurance, telecommunications, and cyber security. Australia, in particular, has been reported as the most frequently attacked country by ransomware in the Asia Pacific region.

What is Sodinokibi?

Classified as ransomware, Sodinokibi (also known as Sodin or REvil) is an intrusive and highly evasive software designed to encrypt important files on your computer and block your access to them. With built-in capabilities to escape detection, bypass some security solutions, delete backups, and even disable/uninstall many anti-malware programs, Sodinokibi also provides threat actors with access credentials and administrative control over the victim’s data. Once data control and encryption has been achieved, the criminal affiliates who deployed the malware can then demand that you pay a ransom (often via cryptocurrency) to recover your access to the compromised files via a decryption key.

Discovered in 2019, Sodinokibi originated from a Russian-speaking underground group and reportedly shares connections with GandCrab, another notorious but now retired ransomware. Following U.S. pressure and an international and inter-agency effort to neutralize the ransomware, the Sodinokibi operation was reportedly shut down by Russian authorities in early 2022. Just a few months after blinking out of the dark web and the arrest of suspected Sodinokibi gang members and criminal affiliates, however, the ransomware appeared to have re-emerged.

Sodinokibi follows the RaaS (Ransomware-as-a-Service) model. Preying on victims across industries and locations, two kinds of criminal elements operate within the RaaS model – 1) the ransomware authors/owners; and, 2) the malicious affiliates who distribute/deploy the ransomware and collect the ransom.

The RaaS model provides a number of benefits for both types of threat actors. On one hand, ransomware authors face a lower risk of prosecution because they aren’t actually the ones infecting computers and networks. On the other, affiliates get the opportunity to make money without having to write ransomware code.

Considered to be a highly targeted ransomware, Sodinokibi uses a wide range of tools that exploit high-level knowledge of victims’ systems, computing environment, and operations. Depending on their targets and prevailing scenarios, Sodinokibi operators build and deploy customized infection chains.

Sodinokibi may infiltrate your network through the following channels:

• Brute-force attacks.
• Exploitation of weaknesses in VPNs (Virtual Private Networks), RDPs (Remote Desktop Protocols) and Remote Monitoring and Management (RMM) tools.
• Drive-by compromise (via compromised website).
• Credit card or POS (Point of Sale) vulnerabilities.
• Supply chain compromise (via compromised files and/or sites from a vendor’s auto-update feature).
• Phishing, malicious advertising, or spam campaigns.

Criminal affiliates are free to choose their approach, and the fact that they themselves aren’t engaged in malware development allows them to dedicate more time and effort to polishing their attack vector techniques and toolsets. Some affiliates have even pushed the envelope to adopt the double extortion tactic, where withholding access to encrypted data is compounded by the added threat to auction and/or leak exfiltrated data to the public unless ransom is quickly settled. Such a threat is particularly intimidating when the encrypted/exfiltrated data is highly sensitive or classified information.  Sodinokibi affiliates have also been known to use a triple extortion tactic, where the extortion extends to the victim’s customers, partners, and third party contacts. Punctuating the extortion with a Distributed Denial of Service (DDoS) attack is also a variant of the technique.  

Who authored Sodinokibi?

Sodinokibi may have been authored by the same group that was behind the now-defunct GandCrab operation.

GandCrab had operated for slightly over a year before its shutdown in May 2019. Despite its short existence, the GandCrab group made quite an impact (in the negative sense, of course), claiming to have extorted two billion USD from breached organisations.

Sodinokibi aka REvil made an appearance shortly after the shutdown of GandCrab. Within months of its emergence, McAfee determined that there was a 40% code overlap between GandCrab and Sodinokibi.

Aside from that, McAfee discovered that some GandCrab affiliates had quit their activity shortly before the malware’s shutdown. One of these affiliates – seemingly a highly successful one – switched to Sodinokibi, showing the possible link between the new and old ransomware.

After the Sodinokibi group orchestrated a string of high-value attacks that impacted global supply chains and thousands of companies in 2021, the US government retaliated in force, with President Joe Biden sending Moscow a stark warning and the FBI (assisted by Cyber Command and the Secret Service) spearheading a counter attack that appeared to have successfully hacked Sodinokibi’s servers, brought down their leak site on the dark web, and retrieved a universal decryption key. Previously, the FBI had also seized US$2.3-million worth of Bitcoins from a hacked crypto wallet.  

About the same time, 17 countries and several law enforcement organisations conducted Operation GoldDust, which led to the arrest of five suspected Sodinokibi affiliates as well as two individuals linked to GandCrab. In November 2021, the US Department of Justice indicted Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin with conducting ransomware attacks against multiple victims. Vasinsky and Polyanin face a maximum penalty of 115 and 145 years in prison, respectively. 

It’s yet uncertain where the primary authors of Sodinokibi and GandCrab are located. McAfee has found out, however, that Sodinokibi – like GandCrab – does not infect systems containing Syriac, Arabic, and Russian languages, as well as organisations located in former Soviet-bloc countries, particularly those that are members of the Commonwealth of Independent States (CIS). The arrests so far of suspected affiliates happened in Romania, Poland, South Korea, and Kuwait.

In January 2022, Russia claimed to have “dismantled” the Sodinokibi gang through an FSB-led operation that searched 25 addresses, detained 14 suspected gang members, and confiscated a hefty plunder: 426 million roubles, 500,000 euros, 600,000 US dollars, 20 luxury vehicles, and various computer equipment.

Meanwhile, Sodinokibi’s front person whose handle is “UNKN” (Unknown) is still missing. At the same time, a core developer appeared to have relaunched the ransomware operation just several weeks after the alleged crackdown led by the Russia’s principal security agency. The apparent revival suggests that at least one former core member remains at large and has access to the ransomware gang’s resources – including the Sodinokibi source code and access keys to their (Tor) site on the dark web. As the site started listing new victims, Sodinokibi/REvil appears to be truly back in business.

How destructive is Sodinokibi?

The group behind Sodinokibi was among the most prolific ransomware gangs in the world, mainly thanks to the affiliate-driven operation model (RaaS). Even after major law enforcement crackdowns against its criminal activities, Sodinokibi and its variants remain a serious threat. The ransomware (in its future guises) could still be devastating to your business because of four factors:

1. In addition to encrypting files and demanding ransom, the ransomware performs data exfiltration. The criminal gang may steal your data and demand a much larger ransom for not publishing it. This threat becomes very serious when it involves classified or sensitive data, such as those used in the finance, health, advanced technologies, defence, and legal sectors. Organisations would rather recover encrypted files from their offline backups and wipe the infected systems to eliminate the malware. However, if the Sodinokibi gang actually has possession of your data, a leak could reveal trade secrets and patents; and/or severely impact the reputation and competitiveness of your company. Reportedly, this method is so effective that it makes more money than decryption ransoms.
2. Sodinokibi has been observed to scan victims’ networks for Point-Of-Sale systems and devices. This process is a prelude to stealing the credit/debit/bank account records and other financial information of your company AND those of your customers. Stolen financial data can be auctioned off in the dark web, used in identity theft, or used to duplicate cards for illicit purchases.
3. The ransomware can now infect Linux in addition to Windows. This is a major problem because many of the world’s servers run on Linux.
4. Signs of a reviving Sodinokibi operation – albeit at a much smaller scale — are popping up on the dark web. This is disturbing because cyber security experts know that successful ransomware doesn’t just die off – it is iterated into stronger variants and deployed all over again. Prior to their downfall in early 2022, the criminal hacker gang behind Sodinokibi branded themselves on the dark web as very successful — a marketing ploy designed to attract even more criminal affiliates, infect more victims, and extort more money. They did this by bragging about the 100 million USD they allegedly made in just one year, punctuating the claim with a one-million USD worth of Bitcoins deposited in a Russian-speaking hacker forum to prove they had the money.

Fortunately for the rest of the world, there really is no honour among thieves. The greedy gang covertly inserted a backdoor mechanism into the ransomware code that allowed them to bypass (aka cheat) affiliates and snatch the ransom themselves. Unintended discovery of this backdoor ignited the dark web, drew the ire of their co-criminals, and brought the gang’s street cred to an all-time low. Cyber security experts now believe that it is unlikely for Sodinokibi/REvil to continue operating without a major rebrand. 

Who has been victimized/affected by Sodinokibi?

Based on a forensic study by Trend Micro, the Sodinokibi/REvil operation targeted organisations and individuals around the world, but attacks in 2021 were highly concentrated in the U.S., Mexico, Germany, and Japan. The ransomware also “purposely excludes” companies that are based in countries that belong to the Commonwealth of Independent States (CIS), which are former Soviet Union republics that maintain tight diplomatic and military relations with Russia. In addition, a whitelist based on the language or keyboard layout of the affected system exempts entities that use Ukrainian, Romanian, Georgian, Turkmen, Syriac, and Arabic.

Based on incidence data, transportation was the hardest hit industry followed by the financial sector. The Sodinokibi operation appeared to have focused on critical industries, with transportation disproportionately incurring bulk of attacks, likely because of its role in logistics and the supply chain.

Sodinokibi was first discovered in April 2019 and gained prominence following its 2020 attack on the New York-based law firm Grubman Shire Meiselas & Sacks (GSMS). Primarily serving the media and entertainment sector, GSMS’ past and present clients include Lady Gaga, Nicki Minaj, Madonna, and Bruce Springsteen.

The Sodinokibi group stole nearly a terabyte of the law firm’s data and demanded 21 million USD for not publishing it. After GSMS offered to pay only US$365,000, the ransom was doubled to US$42 million. In addition to doubling the ransom demand, the Sodinokibi gang released a 2.4 GB archive containing Lady Gaga’s legal documents. The group also threatened to publish files related to former U.S. President Donald Trump, although Trump has never been a GSMS client according to some sources. Later, the gang unsuccessfully attempted to auction the files of Madonna and Bruce Springsteen.

A long list of victims before and after GSMS comprises Sodinokibi’s criminal portfolio, with many cases far surpassing the damage and extent of the GSMS data breach. Among the victimized companies known to have paid a ransom are:

1. Travelex. The UK-based foreign exchange company reportedly paid US$2.3 million to get their systems — which had been infected with ransomware – back online. The company had to shut down operations at around 1,500 stores around the world to mitigate damage. The ransomware reportedly encrypted Travelex’s entire network, deleted its backups, and copied more than 5GB of personal data that included dates of birth, social security numbers, and credit card information.
2. Albany International Airport/Logical Net. Orchestrated during the Christmas season at the peak of travel activity, the Sodinokibi attack on the New York airport reportedly infected the airport’s administrative servers but failed to access customers’ financial and personal data nor impact daily operations. Airport authorities, however, opted to pay an undisclosed amount in ransom (under six figures according to officials) because the malware also infected their backup servers. Sodinokibi was able to infiltrate the airport’s network via the third-party services of Logical Net, a NY-based data centre services and cloud solutions provider.
3. UnitingCare Queensland. The malware illegally encrypted UnitingCare’s files and attempted to delete its backups, shutting down the charity’s essential systems and forcing its operations to shift to a paper-based, manual mode. It took the non-profit and its IT security advisers two gruelling months to regain control of their systems. The attack against UnitingCare reflects government figures showing the healthcare sector as the highest reporting industry (18%) when it comes to data breaches. The Australian Cyber Security Centre (ACSC) also reported that such increasing attacks targeting the sector might be because cybercriminals view personal medical information as a very lucrative commodity.
4. JBS. Headquartered in Brazil, JBS S.A. is the world’s largest meat processing company, operating around 150 industrial plants around the world, primarily in the top four beef producing countries (Brazil, United States, Argentina, and Australia). The Sodinokibi attack in May 2021 impacted its North American and Australian IT systems, forcing operations in the U.S., Canada, and Australia to shut down. Around 47 feedlots, slaughterhouses, meat processing plants, and 7,ooo workers across Australia were affected. To regain control of its systems, JBS paid US$11 million in ransom (using Bitcoin) two months after the attack was discovered.
5. Kaseya Ltd. The July-2021 ransomware attack exploited a zero-day vulnerability in Kaseya VSA, the company’s Remote Monitoring and Management (RMM) software often used by large enterprises with extensive IT systems and by Managed Services Providers (MSPs) to administer their own customers’ networks. The Sodinokibi affiliate behind the attack acquired information about the zero-day vulnerability and exploited it before some of Kaseya’s clients could activate the patch Kaseya designed to fix the vulnerability. This resulted in a mass data breach reportedly involving 60 of Kaseya’s direct clients and up to 1,500 downstream customers (mostly small to medium-sized businesses) that were served by the direct clients. The ransomware affected hundreds of organisations including schools, hospitals, and different types of businesses. One of the hardest hit downstream customers was the Swedish supermarket chain Coop, which said it closed most of its 800 stores shortly after the ransomware hit because their cash registers/point-of-sale tills and self-service checkouts stopped working. A few weeks after the attack, Kaseya said it managed to secure a universal decryption key via a third party. It was learned months later that the FBI was that third-party source and that the law enforcement agency withheld providing other victims the decryption key for weeks because it was still closing in on the Sodinokibi gang and avoided alerting them that authorities had already secured a key. 

Other victims and entities affected by the Sodinokibi ransomware included Artech (a US staffing firm), Acer Inc. (one of the world’s largest PC vendors), Quanta (a Taiwan-based original equipment manufacturer whose clients include Apple, Dell, Amazon, and Sony), Brown-Forman (a major spirits and wine company in the U.S.), CyrusOne (a large U.S.-based data centre provider), Kenneth Cole (a global fashion brand), and UnitingCare Queensland (one of the largest Australian charities providing healthcare and community services)

Among the ransomware attacks instigated by the Sodinokibi group, the ones that targeted JBS and Kaseya arguably have had the most extensive damage, drawing the most concerted and effective retaliation from multiple governments, law enforcement agencies, and private IT security firms. However, even these costly and crippling events now pale in comparison to the potential fallout from the October 2022 cyber attack on Medibank — Australia’s largest private health insurer — that is attributed by many IT security experts to former members of the “dismantled” REvil/Sodinokibi criminal gang.

What should you do if Sodinokibi infected your IT System?

A comprehensive backup programme is the best protection against Sodinokibi. Ideally, you should create physically-separated copies of data that stretch back at least two weeks. Additionally, you should perform monthly offline backups, to limit the amount of data lost in the event that your network is compromised. Sodinokibi can encrypt local backups, which is why you should store your data in several locations.

If your network does get attacked, however, your best course of action would be to isolate the ransomware and wipe affected devices.

Don’t attempt to restore infected data – the ransomware may encrypt it even further. As much as possible, do not pay the ransom, either. There’s no guarantee that you will get your access back, recover uncorrupted data, and that exfiltrated data won’t be published or auctioned off anyway. Remember, you are dealing with criminals who deserve zero trust. If you pay the ransom, you might also be breaking current government regulations in your area. Lastly, paying the ransom only reinforces the business model of cyber criminals. That, in turn, will just incentivize the ransomware ecosystem to spread, grow, and evolve into something even more dangerous and difficult to contain.

Consider the following general steps in responding to a ransomware attack:

1. Discovery and Containment. Ransomware infection might be discovered in many ways: anomalous behaviour detection software like CrowdStrike, unresponsive apps, sudden access restrictions to files or documents, or an outright ransom note/pop-up window. Isolate the infected device or system as soon as possible (aka instantly if you can) to reduce risk to your entire network. Having done that, consider that a single infected server or end-point device doesn’t mean the ransomware hasn’t yet reached other systems or devices. (Note: all of these actions might be impaired or impossible unless IT security awareness and prompt incidence reporting is integral to your IT policy. In one industry study, 63% of respondent companies reported that the ransomware stayed in their networks for up to six months before being detected; while 16% said the ransomware stood undetected for an entire year.) Make an audit of systems and devices that have interacted with the isolated system. Quarantine those as well by shutting them down, getting them offline, or bringing them safely into hibernate mode for further analysis.
2. Diagnosis and Extermination. Call emergency meetings to make initial assessment/forensic analysis (e.g., type of ransomware, attack vectors, initial entry point/root cause, etc.). Calibrate your response template based on the scenario. Execute the appropriate malware removal process for the ransomware infection. In addition to your IT and first response teams, involve all other relevant stakeholders, seek third-party support (e.g., cyber security firms), and notify authorities. (Kaseya informed the FBI and US Cybersecurity and Infrastructure Security Agency – CISA – as soon as the data breach has been detected. The authorities published an advisory two days later.).
3. Recovery and Post-Incidence Measures. Once the root cause has been ascertained and full containment done, you can proceed to the recovery phase. Develop patches for newly discovered vulnerabilities and/or build protective screens for vulnerabilities that can’t be adequately patched. Use only secure/uncompromised backups to recover lost, corrupted, or encrypted data. Note that Sodinokibi has the capability to infect backups – an air-gapped, versioned backup strategy that gives your team time to isolate the last known good backup from the infection is an important defensive measure.

How do you address ransomware attacks?

As in most cases, prevention is better (and often a lot cheaper) than the cure. Being resilient and prepared for every type of malware or cyber crime has become the best default mode any organisation can adopt to keep its data and business as safe as possible.

Here are some security best practices your organisation can adopt:

1. Enable multifactor authentication on your system. 
2. Conduct regular IT security awareness training.
3. Engage with an MSP that is part of your government’s secure disclosure service – they’ll get early notification of attacks that may impact your organisation
4. Ensure software and system updates are always current.
5. Ensure 24/7/365 always-on accessibility to IT security principals, cross-functional incident responders, and key stakeholders.
6. Back up sensitive and/or critical data using the 3-2-1 back-up strategy.
7. Revisit and fine-tune your disaster recovery plan (DRP).
8. Use superior threat detection tools, effective threat isolation practices, and comprehensive anti-malware solutions.  Computer One can assist with a recommendation that suits your infrastructure.
9. Conduct regular vulnerability assessments and promptly deploy patches for zero-day vulnerabilities. Build strong control mechanisms for vulnerabilities that can’t be easily patched.
10. Conduct regular stress tests for your network, systems, red teams/principal responders, and staff.
11. Consider partnering with a reputable Managed Security Services Provider.

Next Steps and Action Plan for Businesses

News of Sodinokibi’s demise has been greatly exaggerated. The infamous ransomware is back in business and might someday affect a company like yours.  Ransomware attack as a whole are surging, with most businesses (73%) surveyed in one study hit by at least one ransomware attempt in 2021. Year-on-year, attack incidents jumped by 33%, making ransomware one of cyber crime’s most lucrative revenue models today.

For many organisations who opted to pay the ransom, the post-payment fallout is staggering:       

• 37% were forced to lay off employees.
• 35% reported C-level resignations following the attack.
• 33% had no choice but to temporarily suspend business. A few were forced to do so permanently, including a 157-year old university.
• 80% were victims of a second attack.
• 68% were hit again in less than a month for a higher ransom.
• 54% still reported system issues/corrupted data after decryption.
• 67% of organisations that reported losses following an attack said their total losses reached between one to ten million US dollars. Around 4% said theirs ranged from US$25 million to US$50 million.

Paying the ransom does not guarantee anything at all, apart from a dent in your bank account. Prevention remains the best cure for ransomware. And the more proactive and prepared you are at preventing and/or responding to ransomware, the less risk your company faces.  

Are your data backups secure and current? Have you tested your Disaster Recovery Plan (DRP)? Which data protection, anti-malware solutions, and IT security measures are in place?

Have you talked to cyber security experts on how to reinforce your cyber resilience and ensure business continuity?

Remember, preventive measures that neutralize and/or mitigate the impact of ransomware cost far less than the combined cost of downtimes, paying the ransom, customer attrition, reputational damage, and system recovery following a successful attack.

The business case for ransomware is obvious. But the case for upgrading your own IT security systems is much more compelling. Contact Computer One to map a cost-efficient IT security plan for your organisation.