{
	"id": "2147d18b-3f08-4c44-8e8a-e7538fb5f842",
	"created_at": "2026-04-06T00:22:23.096227Z",
	"updated_at": "2026-04-10T03:20:49.092302Z",
	"deleted_at": null,
	"sha1_hash": "5857332e6120f9cf7bea2ee13d89a7299fd4354a",
	"title": "A Look Inside the Highly Profitable Sodinokibi Ransomware Business",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1937537,
	"plain_text": "A Look Inside the Highly Profitable Sodinokibi Ransomware Business\r\nBy Ionut Ilascu\r\nPublished: 2019-08-30 · Archived: 2026-04-05 17:25:06 UTC\r\nRelatively new on the ransomware scene, Sodinokibi has already made impressive profits for its administrators and affiliates, with some victims paying as much as $240,000, while a network-wide infection netted $150,000 on average.\r\nThese figures are not surprising when you look at the malware's recent activity. On August 16, Sodinokibi hit 22 local administrations in Texas and demanded a collective ransom of $2.5 million. It compromised multiple MSPs (managed service providers), spreading the malware to their customers.\r\nThe latest victim is another MSP that offers a data backup service to dental practices. The ransom in this case is allegedly $5,000 per client; hundreds were impacted.\r\nhttps://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/\r\nPage 1 of 6\r\nSetting the rules of the game\r\nSince its discovery in April, Sodinokibi (a.k.a. REvil) has become prolific and quickly gained a reputation among cybercriminals in the ransomware business and among security researchers.\r\nIn mid-May, a Sodinokibi advertiser using the forum name UNKN deposited over $100,000 on underground forums to show that they meant serious business.\r\nAdvertisements for the new file-encrypting malware started in early July on at least two forums. UNKN said that they were looking to expand their activity and that it was a private operation with a \"limited number of seats\" available for experienced individuals.\r\nA screenshot of the announcement, provided to BleepingComputer by malware researcher Damian, shows that UNKN describes the malware as a \"private ransomware\" flexible enough to adapt to the RaaS business model.\r\nPost promoting REvil or Sodinokibi RaaS\r\nUNKN offered affiliates 60% of the payments at the beginning and a 10% increase after the first three transactions. The actor also made it clear that they would not be working with English-speaking affiliates as part of this private program.\r\nRansom payments flooding in\r\nThe name of the ransomware is not disclosed in the forum posts, but the researcher told us that he saw screenshots of the malware's administrative panel showing bot IDs that look the same as those for Sodinokibi.\r\nAs seen in the screenshot below, one victim paid 27.7 bitcoins, which converted to more than $220,000 at the time of the transaction.\r\nAnother capture from Damian makes it clear that this particular ransomware program is highly profitable, with some victims paying as little as 0.4 bitcoins (~$4,000) while others shell out 26 bitcoins, or approximately $240,000 at the moment of the conversion.\r\nFor those affiliates who can infect an entire network, the REvil/Sodinokibi developers allow a victim to purchase a decryption tool for the entire fleet of affected computers. According to a forum post shared with BleepingComputer, these network-wide decryptors have an average cost of $150,000.\r\nForum post about average network-wide decryptor costs\r\nWith the revenue flooding in, other malware distributors are trying to gain access to the program, but UNKN stated yesterday that there are no available openings for affiliates at this time.\r\nRaaS is closed to new members\r\nSerious players in the game\r\nWhen they started advertising, the threat actor already had the support of respected members of the underground ransomware community.\r\nYelisey Boguslavskiy, director of security research at Advanced Intelligence (AdvIntel), told BleepingComputer that UNKN registered an account on one cybercriminal forum on July 4 and that it is clear that they had been active outside this community.\r\nTwo high-profile community members specializing in ransomware attacks endorsed UNKN and also revealed that they had joined the affiliate program, indicating that they already knew who they were dealing with.\r\nIn the image above, forum member Lalartu discloses that they started to work with Sodinokibi after the GandCrab operation went belly up. They praise the new RaaS, disclosing that the move had a significant effect on earnings, which \"not only grew, it broke through the ceiling and grows further.\"\r\nBoguslavskiy told us that positive feedback for a new ransomware strain is very uncommon on that forum. The two members are typically very critical of newcomers.\r\n\"For instance, when 'JSWorm' and 'NEMTY' were introduced, the community reacted with extreme skepticism and aggression.\"\r\nA discussion thread on Sodinokibi started in June, with most forum members showing skepticism about the new ransomware and its legitimacy. The thread was deleted soon after UNKN presented the affiliation offer.\r\nThe GandCrab connection\r\nSodinokibi was spotted when researchers saw it deployed on Oracle WebLogic servers by exploiting a critical deserialization vulnerability. On the same systems infected with Sodinokibi, cybercriminals also installed GandCrab a few hours later.\r\nAt the end of April, GandCrab administrators announced that they would close shop within 20 days. And they kept their word.\r\nThe operators behind the Sodinokibi ransomware started looking for affiliates to distribute their software soon after the GandCrab ransomware-as-a-service (RaaS) shut down. Underground reactions to the new product suggest that there may be a connection with the administrators or the affiliates of the now-defunct GandCrab operation.\r\nSome malware analysts pointed to code-level similarities between the two ransomware strains, although plenty of differences exist between the two.\r\nHowever, one similarity is that administrators of both malware families would not conduct business in the Commonwealth of Independent States (CIS) area. This includes Russia, Ukraine, Moldova, Belarus, Kyrgyzstan, Kazakhstan, Armenia, Tajikistan, Turkmenistan, and Uzbekistan.\r\nThese breadcrumbs, along with the rapid ascension of the malware, seem to suggest involvement from the GandCrab crew or its affiliates. Their existing connections on private forums allowed them to quickly promote Sodinokibi and be selective about their partners.\r\nThere is no clear, undeniable evidence that Sodinokibi is run by the same individuals that administered GandCrab, but they obviously know the ransomware game and are in the money-making business.\r\nSource: https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/"
	],
	"report_names": [
		"a-look-inside-the-highly-profitable-sodinokibi-ransomware-business"
	],
	"threat_actors": [],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5857332e6120f9cf7bea2ee13d89a7299fd4354a.pdf",
		"text": "https://archive.orkl.eu/5857332e6120f9cf7bea2ee13d89a7299fd4354a.txt",
		"img": "https://archive.orkl.eu/5857332e6120f9cf7bea2ee13d89a7299fd4354a.jpg"
	}
}