Ransomware generates massive profits for its operators. How much do they make, and how do they spend their illicit earnings? Newly published research on Sodinokibi ransomware sheds some light on this.
The McAfee Advanced Threat Research (ATR) team has been investigating ransomware-as-a-service (RaaS) Sodinokibi, also known as Sodin or REvil, since it was spotted in the wild back in April. Around the same time, GandCrab's operators announced their retirement. Secureworks analysis showed Gold Garden, the group behind GandCrab, is also behind REvil ransomware.
From the start, it was clear Sodinokibi was a serious threat. It was first seen propagating by exploiting a vulnerability in Oracle's WebLogic server; however, its affiliates use several tactics. Some attackers exploited a Windows privilege escalation bug, Kaspersky Lab researchers found.
Given the severity of Sodinokibi's attacks, in particular those targeting US managed services providers, McAfee's team wanted to take a deeper dive, says John Fokker, head of cyber investigations. ATR researchers are now publishing a series of blog posts to detail their findings on Sodinokibi and its connections to GandCrab. The first in the series digs into the code and inner workings of the ransomware; the second analyzes affiliate structures in RaaS campaigns. Affiliates are the attackers who buy ransomware from Sodinokibi's operators and deploy it.
Part three uncovers new information on the size and associated revenue of the Sodinokibi campaign. Researchers linked underground forum posts with Bitcoin transfer traces to learn more about how the threat has grown and what affiliates do with the money they generate.
Sodinokibi generates a unique Bitcoin wallet for each victim, a tactic Fokker says is "quite similar" to other types of ransomware he's studied. He also points to attackers' heavy reliance on a prominent Bitcoin mixing service called Bitmix.biz, which obfuscates the origins of transactions so it's difficult to connect funds from an infection to a final wallet or cashout.
"We see it pop up quite regularly in the payments we've been tracking," he says of the mixer.
But some attackers were confident enough to share information that helped the researchers. One underground forum post discussed attackers' success and offered a 60% cut to Sodinokibi affiliates. After three successful payments, the affiliate would receive 70% of the ransom. This is a common strategy, also seen in GandCrab and Cryptowall, Fokker explains in a blog post.
An attacker, operating under the alias "Lalartu," commented on this post. A look back in the archives revealed additional comments from Lalartu, one of which included partial transaction IDs on the Bitcoin ledger, along with transfer amounts. With some help from Chainalysis software, researchers used this information to retrieve the full transaction IDs and map them.
Following the Money
Analysis revealed a "very, very profitable business – and a big business too," Fokker says. Sodinokibi's tendency to target MSPs enables affiliates to infect thousands of victims with little activity and a relatively small number of samples and versions, which he calls "a game changer."
Various samples showed around 0.44-0.45 Bitcoin, or $4,000 USD, in payment; however, researchers note the average ransom ask is $2,500-$5,000 USD. When a victim pays an affiliate's wallet, it takes an average of two to three transactions before it reaches its final destination. From there, researchers saw the split between affiliates and Sodinokibi operators: 60-70% stays with the attacker, and the remaining 30-40% is forwarded along to the operators.
Considering the split between affiliates and operators, this gives the former an average of $700-$1,500 per paid infection. Some of these funds are transferred from a victim's wallet; other Bitcoins are bought at an exchange and transferred to an affiliate's wallet. Based on the list Lalartu shared, and the average value in Bitcoin at the time, an average of $287,499 was transferred within 72 hours – generating $86,000 in profit for the operators from one affiliate.
Based on analysis of the samples and the number of transaction IDs, researchers counted more than 41 active Sodinokibi affiliates and report a high number of infections in a short period of time. "Taken this velocity combined with a few payments per day, we can imagine that the actors behind Sodinokibi are making a fortune," Fokker points out in the blog.
What do the affiliates do with their cut? To find out, researchers chose a wallet and followed its transactions. Most have money transferred through an exchange; some goes to services and some to Bitmix.biz to conceal activity. In some instances, affiliates paid for services bought on Hydra Market, a Russian underground market for services and illicit products paid for in Bitcoin. Fokker doesn't believe they're shopping for malware, as they have more sophisticated means, but this does demonstrate how ransomware is supporting ongoing criminal activity.
It's unclear where Sodinokibi's operators may be from, but Fokker notes there is a strong affiliation with the former Soviet Union. This doesn't necessarily mean the actors are Russian – they could be from any nation – though he points to Sodinokibi's tendency to work with Russian-speaking individuals and to avoid encrypting systems in former Soviet-affiliated countries. This could indicate affiliates are of that nationality and trying to avoid prosecution in their own country.