Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/15/2019
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Sodinokibi Ransomware: Where Attackers' Money Goes

Researchers following the ransomware variant uncover new data on how much its affiliates earn and where they spend it.

Ransomware generates massive profits for its operators. How much do they make, and how do their spend their illicit earnings? Newly published research on Sodinokibi ransomware sheds some light on this.

The McAfee Advanced Threat Research (ATR) team has been investigating ransomware-as-a-service (RaaS) Sodinokibi, also known as Sodin or REvil, since it was spotted in the wild back in April. Around the same time, GandCrab's operators announced their retirement. Secureworks analysis showed Gold Garden, the group behind GandCrab, is also behind REvil ransomware.

From the start, it was clear Sodinokibi was a serious threat. It was first seen propagating by exploiting a vulnerability in Oracle's WebLogic server; however, its affiliates have several tactics. Some attackers exploited a Windows privilege escalation bug, Kaspersky Lab researchers found.

Given the severity of Sodinokibi's attacks, in particular those targeting US managed services providers, McAfee's team wanted to take a deeper dive, says John Fokker, head of cyber investigations. ATR researchers are now publishing a series of blog posts to detail their findings on Sodinokibi and its connections to GandCrab. The first in the series digs into the code and inner workings of the ransomware; the second analyzes affiliate structures in RaaS campaigns. Affiliates are the attackers who buy ransomware from Sodinokibi's operators and deploy it.

Part three uncovers new information on the size and associated revenue of the Sodinokibi campaign. Researchers linked underground forum posts with Bitcoin transfer traces to learn more about how the threat has grown and what affiliates do with the money they generate.

Sodinokibi generates a unique Bitcoin wallet for each victim, a tactic Fokker says is "quite similar" to other types of ransomware he's studied. He also points to attackers' heavy reliance on a prominent Bitcoin mixing service called Bitmix.biz, which obfuscates the origins of transactions so it's difficult to connect funds from an infection to a final wallet or cashout.

"We see it pop up quite regularly in the payments we've been tracking," he says of the mixer.

But some attackers were confident enough to share information that helped the researchers. One underground forum post discussed attackers' success and offered a 60% cut to Sodinokibi affiliates. After three successful payments, the affiliate would receive 70% of the ransom. This is a common strategy, also seen in GandCrab and Cryptowall, Fokker explains in a blog post.

An attacker, operating under the alias "Lalartu," commented on this post. A look back in the archives revealed additional comments from Lalartu, one of which included partial transaction IDs on the Bitcoin ledger, along with transfer amounts. With some help from Chainanalysis software, researchers used this information to retrieve the full transaction IDs and map them.

Following the Money

Analysis revealed a "very, very profitable business – and a big business too," Fokker says. Sodinkibi's tendency to target MSPs enables affiliates to infect thousands of victims with little activity and a relatively small number of samples and versions, which he calls "a game changer."

Various samples showed around 0.44-0.45 Bitcoin, or $4,000 USD, in payment; however, researchers note the average ransom ask is $2,500-$5,000 USD. When a victim pays an affiliate's wallet, it takes an average of two to three transactions before it reaches its final destination. From there, researchers saw the split between affiliates and Sodinokibi operators: 60-70% stays with the attacker, and the remaining 40-30% is forwarded along to the operators.

Considering the split between affiliates and operators, this gives the former an average of $700-$1,500 per paid infection. Some of these funds are transferred from a victim's wallet; other Bitcoins are bought at an exchange and transferred to an affiliate's wallet. Based on the list Lalartu shared, and the average value in Bitcoin at the time, an average of $287,499 was transferred within 72 hours – generating $86,000 in profit for the operators from one affiliate.

Based on analysis of the samples and amount of transaction ID numbers, researchers counted more than 41 active Sodinokibi affiliates and report a high number of infections in a short period of time. "Taken this velocity combined with a few payments per day, we can imagine that the actors behind Sodinokibi are making a fortune," Fokker points out in the blog.

What do the affiliates do with their cut? To find out, researchers chose a wallet and followed its transactions. Most have money transferred through an exchange; some goes to services and some to Bitmix.biz to conceal activity. In some instances, affiliates paid for services bought on Hydra Market, a Russian underground market for services and illicit products paid for in Bitcoin. Fokker doesn't believe they're shopping for malware, as they have more sophisticated means, but this does demonstrate how ransomware is supporting ongoing criminal activity.

It's unclear where Sodinokibi's operators may be from, but Fokker notes there is a strong affiliation with the former Soviet Union. This doesn't necessarily mean the actors are Russian – they could be from any nation – though he points to the tendency of Sodinokibi to work with Russian-speaking individuals and avoid encryption of any former Soviet-affiliated countries. This could indicate affiliates are of that nationality and trying to avoid prosecution of their country.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crypt0L0cker
50%
50%
Crypt0L0cker,
User Rank: Strategist
10/5/2020 | 12:43:44 PM
RE:Sodinokibi Ransomware: Where Attackers' Money Goes
Looks like this threat is still alive
Crypt0L0cker
50%
50%
Crypt0L0cker,
User Rank: Strategist
10/17/2019 | 10:52:21 AM
RE:Sodinokibi Ransomware: Where Attackers' Money Goes
Kind of surprised, I was pretty sure that this is Chinese hacker group... What are the names of those underground forums, which are talked about in the article?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.