Cybersecurity In-Depth

The Edge

Threat Protection: The REvil Ransomware

What does DNS activity look like surrounding the REvil/Sodinokibi ransomware threat?

Earlier this year, in a blog series on threat trends in DNS security, Cisco Security looked at the REvil ransomware, also known as Sodinokibi or Sodin. It noted that the ransomware compromised far more endpoints than Ryuk but generated far less DNS communication. When revisiting these metrics, however, Cisco Security researchers noticed that this changed at the beginning of 2021. What is interesting in the data over an 18-month span is that while the number of endpoints did not rise dramatically in 2021, the amount of DNS activity did, when each month is compared against the overall averages. In fact, the one noticeable drop in endpoints, in December, appears to coincide with the beginning of a dramatic rise in DNS activity.
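The comparison described above, each month's endpoint and DNS counts set against the whole-span averages, hides one thing: a month in which endpoints fall while DNS requests climb can still sit below the overall DNS average. Normalizing DNS requests per endpoint makes that shift visible. The following is an added example, not code from the Cisco blog, and the monthly figures in it are constructed for illustration, not Cisco's telemetry.

```python
from statistics import mean

# Constructed sample telemetry (NOT Cisco's figures):
# (month, endpoints observed contacting REvil infrastructure, DNS requests seen)
MONTHLY = [
    ("2020-01", 1000, 2000), ("2020-02", 1050, 2100), ("2020-03", 980, 1900),
    ("2020-04", 1020, 2050), ("2020-05", 1100, 2200), ("2020-06", 1080, 2150),
    ("2020-07", 1000, 2000), ("2020-08", 1050, 2100), ("2020-09", 1020, 2000),
    ("2020-10", 1100, 2300), ("2020-11", 1050, 2200), ("2020-12", 700, 6000),
    ("2021-01", 1000, 9000), ("2021-02", 1050, 12000), ("2021-03", 1100, 15000),
    ("2021-04", 1080, 16000), ("2021-05", 1120, 18000), ("2021-06", 1150, 20000),
]


def normalize(rows):
    """Per-month view against the averages over the whole span, plus a
    per-endpoint DNS rate. Each row is (month, endpoints, dns_requests)."""
    avg_endpoints = mean(r[1] for r in rows)
    avg_dns = mean(r[2] for r in rows)
    return [
        {
            "month": month,
            "endpoints_vs_avg": endpoints / avg_endpoints,  # 1.0 == average month
            "dns_vs_avg": dns / avg_dns,
            "dns_per_endpoint": dns / endpoints,
        }
        for month, endpoints, dns in rows
    ]


def surge_start(rows, factor=2.0):
    """First month whose per-endpoint DNS rate is at least `factor` times the
    mean rate of all earlier months, or None if the series never surges.
    The running baseline means the first month is never flagged."""
    rates = [dns / endpoints for _, endpoints, dns in rows]
    for i in range(1, len(rows)):
        baseline = mean(rates[:i])
        if rates[i] >= factor * baseline:
            return rows[i][0]
    return None


if __name__ == "__main__":
    for row in normalize(MONTHLY):
        print("{month}  endpoints x{endpoints_vs_avg:.2f}  dns x{dns_vs_avg:.2f}  "
              "dns/endpoint {dns_per_endpoint:.1f}".format(**row))
    print("per-endpoint DNS surge begins:", surge_start(MONTHLY))
```

On this constructed series, December's raw DNS count is still below the 18-month average, so a plain month-versus-average comparison does not flag it; the per-endpoint rate, which jumps roughly fourfold in the same month the endpoint count drops, is what marks it as the start of the change. The factor of 2.0 is an arbitrary threshold for the example and would need tuning against real baseline variance.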

Read the full blog post to learn more.