Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/15/2019
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Sodinokibi Ransomware: Where Attackers' Money Goes

Researchers following the ransomware variant uncover new data on how much its affiliates earn and where they spend it.

Ransomware generates massive profits for its operators. How much do they make, and how do their spend their illicit earnings? Newly published research on Sodinokibi ransomware sheds some light on this.

The McAfee Advanced Threat Research (ATR) team has been investigating ransomware-as-a-service (RaaS) Sodinokibi, also known as Sodin or REvil, since it was spotted in the wild back in April. Around the same time, GandCrab's operators announced their retirement. Secureworks analysis showed Gold Garden, the group behind GandCrab, is also behind REvil ransomware.

From the start, it was clear Sodinokibi was a serious threat. It was first seen propagating by exploiting a vulnerability in Oracle's WebLogic server; however, its affiliates have several tactics. Some attackers exploited a Windows privilege escalation bug, Kaspersky Lab researchers found.

Given the severity of Sodinokibi's attacks, in particular those targeting US managed services providers, McAfee's team wanted to take a deeper dive, says John Fokker, head of cyber investigations. ATR researchers are now publishing a series of blog posts to detail their findings on Sodinokibi and its connections to GandCrab. The first in the series digs into the code and inner workings of the ransomware; the second analyzes affiliate structures in RaaS campaigns. Affiliates are the attackers who buy ransomware from Sodinokibi's operators and deploy it.

Part three uncovers new information on the size and associated revenue of the Sodinokibi campaign. Researchers linked underground forum posts with Bitcoin transfer traces to learn more about how the threat has grown and what affiliates do with the money they generate.

Sodinokibi generates a unique Bitcoin wallet for each victim, a tactic Fokker says is "quite similar" to other types of ransomware he's studied. He also points to attackers' heavy reliance on a prominent Bitcoin mixing service called Bitmix.biz, which obfuscates the origins of transactions so it's difficult to connect funds from an infection to a final wallet or cashout.

"We see it pop up quite regularly in the payments we've been tracking," he says of the mixer.

But some attackers were confident enough to share information that helped the researchers. One underground forum post discussed attackers' success and offered a 60% cut to Sodinokibi affiliates. After three successful payments, the affiliate would receive 70% of the ransom. This is a common strategy, also seen in GandCrab and Cryptowall, Fokker explains in a blog post.

An attacker, operating under the alias "Lalartu," commented on this post. A look back in the archives revealed additional comments from Lalartu, one of which included partial transaction IDs on the Bitcoin ledger, along with transfer amounts. With some help from Chainanalysis software, researchers used this information to retrieve the full transaction IDs and map them.

Following the Money

Analysis revealed a "very, very profitable business – and a big business too," Fokker says. Sodinkibi's tendency to target MSPs enables affiliates to infect thousands of victims with little activity and a relatively small number of samples and versions, which he calls "a game changer."

Various samples showed around 0.44-0.45 Bitcoin, or $4,000 USD, in payment; however, researchers note the average ransom ask is $2,500-$5,000 USD. When a victim pays an affiliate's wallet, it takes an average of two to three transactions before it reaches its final destination. From there, researchers saw the split between affiliates and Sodinokibi operators: 60-70% stays with the attacker, and the remaining 40-30% is forwarded along to the operators.

Considering the split between affiliates and operators, this gives the former an average of $700-$1,500 per paid infection. Some of these funds are transferred from a victim's wallet; other Bitcoins are bought at an exchange and transferred to an affiliate's wallet. Based on the list Lalartu shared, and the average value in Bitcoin at the time, an average of $287,499 was transferred within 72 hours – generating $86,000 in profit for the operators from one affiliate.

Based on analysis of the samples and amount of transaction ID numbers, researchers counted more than 41 active Sodinokibi affiliates and report a high number of infections in a short period of time. "Taken this velocity combined with a few payments per day, we can imagine that the actors behind Sodinokibi are making a fortune," Fokker points out in the blog.

What do the affiliates do with their cut? To find out, researchers chose a wallet and followed its transactions. Most have money transferred through an exchange; some goes to services and some to Bitmix.biz to conceal activity. In some instances, affiliates paid for services bought on Hydra Market, a Russian underground market for services and illicit products paid for in Bitcoin. Fokker doesn't believe they're shopping for malware, as they have more sophisticated means, but this does demonstrate how ransomware is supporting ongoing criminal activity.

It's unclear where Sodinokibi's operators may be from, but Fokker notes there is a strong affiliation with the former Soviet Union. This doesn't necessarily mean the actors are Russian – they could be from any nation – though he points to the tendency of Sodinokibi to work with Russian-speaking individuals and avoid encryption of any former Soviet-affiliated countries. This could indicate affiliates are of that nationality and trying to avoid prosecution of their country.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crypt0L0cker
50%
50%
Crypt0L0cker,
User Rank: Strategist
10/5/2020 | 12:43:44 PM
RE:Sodinokibi Ransomware: Where Attackers' Money Goes
Looks like this threat is still alive
Crypt0L0cker
50%
50%
Crypt0L0cker,
User Rank: Strategist
10/17/2019 | 10:52:21 AM
RE:Sodinokibi Ransomware: Where Attackers' Money Goes
Kind of surprised, I was pretty sure that this is Chinese hacker group... What are the names of those underground forums, which are talked about in the article?
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31547
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.
CVE-2021-31548
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.
CVE-2021-31549
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users.
CVE-2021-31550
PUBLISHED: 2021-04-22
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.
CVE-2021-31551
PUBLISHED: 2021-04-22
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages.