The threat group behind the Sodinokibi ransomware claimed to have recently compromised nine organizations. The REvil ransomware threat group is on a cyberattack tear, claiming over the past three weeks to have infected ten organizations across Africa, Europe, Mexico and the US. The organizations include two law firms, an insurance company, an architectural firm, a construction company and an agricultural co-op, all located in the US; as well as two large international banks (one in Mexico and one in Africa); and a European manufacturer. Researchers with eSentire, who recently wrote an analysis of the threat group’s claims, said they would not name the victim companies.
“These new ransomware incidents, which the…gang is claiming, could certainly be plausible,” said eSentire’s senior director of the Threat Response Unit (TRU). “These attacks come directly on the heels of an extensive and well-planned drive-by-download campaign, which was launched in late December. This malicious campaign’s sole purpose is to infect business professionals’ computer systems with the…ransomware, the Gootkit banking trojan or the Cobalt Strike intrusion tool.”
The threat group is also known as the Sodinokibi ransomware gang, and is called “Sodin” by eSentire. The malware, which first surfaced in 2019, has since proliferated to hit an array of victims, including New York-based celebrity law firm Grubman Shire Meiselas & Sacks, Travelex and Brown-Forman Corporation (the maker of Jack Daniels). The group gained national attention in June 2020, when it threatened to auction the singer Madonna’s legal documents. The operators use exploits in network appliances to breach enterprise networks, where they encrypt victims’ files and demand astronomical extortion fees (their average demand was estimated at US$260,000 in 2020).
Researchers stated that REvil cybercriminals posted documents on underground forums that purported to be from the victims’ systems, including company computer file directories, partial customer lists, customer quotes and copies of contracts. Researchers said the attackers also posted what appear to be several official IDs, belonging either to employees or to customers of the victim companies.
While researchers cannot be 100 percent sure the claims are accurate, “in reviewing several of the documents that the Sodin gang claims are from their new victims, many of them appear to be authentic,” said eSentire. For one, the documents appear to relate to the business of each victim, they said. The documents also include dated timestamps that show that the attacks may have occurred not too long ago.
For one of the victims, the manufacturing company, researchers found news reports that the manufacturer had been hit by ransomware and had to stop production for a day or two.
There is one caveat: a few documents relating to a bank in Africa and an insurance firm carry older date stamps. This made researchers question whether these two firms were actually victims of the REvil gang, or whether the threat actors had somehow gained access to some old files belonging to the organizations. Regardless, “the Sodin gang has been very successful in compromising large organizations, as we have seen, and they have the resources and the techniques to carry out these ransomware attacks, so it is extremely plausible these are real,” said researchers.
Analysts said one piece of the puzzle behind REvil’s recent success with ransomware attacks may be the Gootloader malware loader, which they said is “designed to seed the ransomware.” This loader was previously used to distribute the REvil ransomware as well as the Gootkit malware family, and has evolved into an increasingly sophisticated loader framework. It has now also expanded the range of payloads it delivers to include the Kronos trojan and the Cobalt Strike commodity malware.
Researchers said they have seen REvil expanding its extortion tactics, techniques and procedures (TTPs) to now contact victims’ business associates and the media, putting maximum pressure on the victim to pay. They noted that the threat group also recently appears to be updating its website to make its victim list easier to browse.
On 27 March 2021, the company Acer was reported to be the victim of a ransomware attack by the REvil group, which demanded a payment of 50 million dollars (about 42 million euros) to free up the encrypted systems, the largest sum of money demanded as a ransom in these types of attacks. The attackers reported through their page on the dark web that they had accessed Acer systems and obtained company information, such as bank balances and financial spreadsheets. To prove the claim’s authenticity, they shared images of the stolen information, as reported by Bleeping Computer. The same outlet found the sample of ransomware that was used in the attack, after it was first spotted by Valéry Marchive of LeMagIT. The ransom note and the subsequent conversation between the attackers and the company show that negotiations between the two parties began on 14 March and that REvil was requesting $50 million for the software that would allow the systems to be decrypted. Acer told Bleeping Computer that it has an ongoing investigation into “recent abnormal situations,” the details of which it cannot comment on, without confirming the REvil cyberattack.
Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns – like REvil.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings