Dark Reading is part of the Informa Tech Division of Informa PLC
Endpoint

10/15/2019
05:30 PM
Sodinokibi Ransomware: Where Attackers' Money Goes

Researchers following the ransomware variant uncover new data on how much its affiliates earn and where they spend it.

Ransomware generates massive profits for its operators. How much do they make, and how do they spend their illicit earnings? Newly published research on Sodinokibi ransomware sheds some light on this.

The McAfee Advanced Threat Research (ATR) team has been investigating the Sodinokibi ransomware-as-a-service (RaaS), also known as Sodin or REvil, since it was spotted in the wild back in April. Around the same time, GandCrab's operators announced their retirement. Secureworks analysis showed Gold Garden, the group behind GandCrab, is also behind REvil ransomware.

From the start, it was clear Sodinokibi was a serious threat. It was first seen propagating by exploiting a vulnerability in Oracle's WebLogic server; however, its affiliates use several tactics. Some attackers exploited a Windows privilege escalation bug, Kaspersky Lab researchers found.

Given the severity of Sodinokibi's attacks, in particular those targeting US managed services providers, McAfee's team wanted to take a deeper dive, says John Fokker, head of cyber investigations. ATR researchers are now publishing a series of blog posts to detail their findings on Sodinokibi and its connections to GandCrab. The first in the series digs into the code and inner workings of the ransomware; the second analyzes affiliate structures in RaaS campaigns. Affiliates are the attackers who buy ransomware from Sodinokibi's operators and deploy it.

Part three uncovers new information on the size and associated revenue of the Sodinokibi campaign. Researchers linked underground forum posts with Bitcoin transfer traces to learn more about how the threat has grown and what affiliates do with the money they generate.

Sodinokibi generates a unique Bitcoin wallet for each victim, a tactic Fokker says is "quite similar" to other types of ransomware he's studied. He also points to attackers' heavy reliance on a prominent Bitcoin mixing service called Bitmix.biz, which obfuscates the origins of transactions so it's difficult to connect funds from an infection to a final wallet or cashout.

"We see it pop up quite regularly in the payments we've been tracking," he says of the mixer.

But some attackers were confident enough to share information that helped the researchers. One underground forum post discussed attackers' success and offered a 60% cut to Sodinokibi affiliates. After three successful payments, the affiliate would receive 70% of the ransom. This is a common strategy, also seen in GandCrab and Cryptowall, Fokker explains in a blog post.

An attacker operating under the alias "Lalartu" commented on this post. A look back in the archives revealed additional comments from Lalartu, one of which included partial transaction IDs on the Bitcoin ledger, along with transfer amounts. With some help from Chainalysis software, researchers used this information to retrieve the full transaction IDs and map them.

Following the Money

Analysis revealed a "very, very profitable business – and a big business too," Fokker says. Sodinokibi's tendency to target MSPs enables affiliates to infect thousands of victims with little activity and a relatively small number of samples and versions, which he calls "a game changer."

Various samples showed around 0.44-0.45 Bitcoin, or $4,000 USD, in payment; however, researchers note the average ransom ask is $2,500-$5,000 USD. When a victim pays an affiliate's wallet, it takes an average of two to three transactions before the money reaches its final destination. From there, researchers saw the split between affiliates and Sodinokibi operators: 60-70% stays with the affiliate, and the remaining 30-40% is forwarded along to the operators.

Considering the split between affiliates and operators, this gives the former an average of $700-$1,500 per paid infection. Some of these funds are transferred from a victim's wallet; other Bitcoins are bought at an exchange and transferred to an affiliate's wallet. Based on the list Lalartu shared, and the average value in Bitcoin at the time, an average of $287,499 was transferred within 72 hours – generating $86,000 in profit for the operators from one affiliate.

Based on analysis of the samples and the number of transaction IDs, researchers counted more than 41 active Sodinokibi affiliates and report a high number of infections in a short period of time. "Taken this velocity combined with a few payments per day, we can imagine that the actors behind Sodinokibi are making a fortune," Fokker points out in the blog.

What do the affiliates do with their cut? To find out, researchers chose a wallet and followed its transactions. Most of the money is transferred through an exchange; some goes to services and some to Bitmix.biz to conceal activity. In some instances, affiliates paid for services bought on Hydra Market, a Russian underground market for services and illicit products paid for in Bitcoin. Fokker doesn't believe they're shopping for malware, as they have more sophisticated means, but this does demonstrate how ransomware is supporting ongoing criminal activity.

It's unclear where Sodinokibi's operators may be from, but Fokker notes there is a strong affiliation with the former Soviet Union. This doesn't necessarily mean the actors are Russian – they could be from any nation – though he points to Sodinokibi's tendency to work with Russian-speaking individuals and to avoid encrypting systems in former Soviet-affiliated countries. This could indicate affiliates are of that nationality and are trying to avoid prosecution in their own country.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial technology.

Comments

Crypt0L0cker, User Rank: Strategist
10/17/2019 | 10:52:21 AM
RE: Sodinokibi Ransomware: Where Attackers' Money Goes
Kind of surprised, I was pretty sure that this was a Chinese hacker group... What are the names of the underground forums that are discussed in the article?