{
	"id": "755aa218-a1e1-4d5d-84c0-aea2e6f52da5",
	"created_at": "2026-04-06T00:21:07.219495Z",
	"updated_at": "2026-04-10T03:24:24.590063Z",
	"deleted_at": null,
	"sha1_hash": "ddcd8ae2b5336056ea289d8051ccb28305d094a7",
	"title": "Sodinokibi REvil ransomware disrupt trade secrets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1336973,
	"plain_text": "Sodinokibi REvil ransomware disrupt trade secrets\r\nBy Limor Kessem\r\nPublished: 2021-04-28 · Archived: 2026-04-05 14:48:16 UTC\r\nLimor Kessem\r\nX-Force Cyber Crisis Management Global Lead\r\nIBM\r\nIt likes big game hunting, it enjoys deploying Cobalt Strike and it dabbles in critical vulnerability abuse. It’s\r\nknown as Sodinokibi/REvil, a ransomware strain that emerged in 2019 as the heir to the GandCrab ransomware, a\r\nmalware family that supposedly retired from the cyber crime arena in mid-2019 after reportedly amassing illicit\r\nprofits of over USD 2 billion.\r\nIn the two years of its existence, Sodinokibi has gained considerable momentum, having been implicated in high-profile cyberattacks, locking up and even auctioning off data that belonged to companies like Travelex, Gunnebo,\r\nBrown-Forman, Asian retail giant The Dairy Farm Group and, most recently, an Apple supplier. The demand in\r\neach case is often exorbitant, asking victims for multi-million-dollar ransoms for their data:\r\nLeading cosmetics group Pierre Fabre: USD 25,000,000\r\nThe Dairy Farm Group: USD 30,000,000\r\nNew York-based law firm Grubman Shire Meiselas \u0026 Sacks: USD 42,000,000\r\nApple MacBook supplier: USD 50,000,000\r\nIs Sodinokibi all about the money? It’s hard to say. In some cases, Sodinokibi actors manage to target defense\r\ncontractors and organizations in countries that rival their assumed originating state, Russia.\r\nRobbing terabytes of data, with no way for victims to know what they actually do with it after they receive\r\npayment, it’s very plausible that money is just one objective, followed by espionage, both business and nation-state driven. 
Not unlike other major cybercrime gangs, the group’s access and control over major organizations’\r\nassets can lend it the power to collaborate on a variety of nefarious schemes, including adversarial nation-state\r\nactivity.\r\n‘Cryptoviral extortion’ is the name of the game\r\nThreat actors that use ransomware are taking advantage of the inherent power of public key infrastructure\r\ncryptology to encrypt information in a way that’s hard or impossible to break. The term “cryptoviral extortion”\r\nwas coined in 1996 in an Institute of Electrical and Electronics Engineers (IEEE) paper. The IEEE also predicted\r\nthat cryptoviral extortion would one day demand ‘e-money,’ long before Bitcoin even existed.\r\nFor the cryptographic basis of the attack, Sodinokibi uses a combination of elliptic curve Diffie-Hellman (ECDH),\r\nSalsa20, SHA-3 and Advanced Encryption Standard (AES) to encrypt and decrypt both malicious configuration\r\nhttps://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/\r\nPage 1 of 11\n\ndata and user data (i.e., user files). It generates its private-public key pair using Curve25519, one of the fastest\r\nelliptic-curve cryptography (ECC) curves designed for use with the ECDH key agreement scheme.\r\nSodinokibi operators may steal data in advance and then resort to extortion tactics that exceed the ability of the\r\nmalware itself. Those who refuse to pay up, relying on their ability to recover data, will then receive threats to\r\nhave that data exposed on an auction site the group calls The Happy Blog. 
That’s also where it names and shames\r\nits victims, offering up information that could be of use to other criminals or even competitors.\r\nAdditionally, in an interview given by an alleged REvil operator, known as Unknown, the person said he/she was\r\nconsidering launching distributed denial-of-service (DDoS) attacks on victim organizations as yet another way to\r\nincrease the pressure on victims to pay the ransom.\r\nIn terms of prevalence in the wild, Sodinokibi made up 22% of all X-Force incident response engagements in\r\n2020, suggesting that those operating this malware are more skilled at gaining access to victims’ networks when\r\ncompared to other ransomware strains. X-Force estimates that nearly 80% of the gang’s victims are a combination\r\nof organizations from the US (58%), UK (8%), Australia (5%) and Canada (3%).\r\nThe faces of Sodinokibi are many, as it is the sort of malware that’s distributed by various affiliates. In 2020, this\r\nransomware’s originators showed off their success by depositing USD 1 million in Bitcoin into a Russian-speakers’ cyber crime forum as part of a recruitment drive for more affiliates to join its ranks.\r\nSodinokibi: A head-to-head battle with manual targeted attacks\r\nOnce Sodinokibi focuses on a potential victim, the attack goes into a more sophisticated operation by human\r\nactors who pave their way through the compromised networks to find data, exfiltrate it and sow the seeds of the\r\nransomware phase across as many devices as possible. This is a major issue since it’s harder to detect a careful\r\nhuman who can change tactics according to what’s happening on the defenders’ side.\r\nThat has not restricted the number of attacks by the group of Sodinokibi operators. 
The number of publicized\r\nattacks is likely the tip of an iceberg. According to X-Force data from 2020, we estimate the total victim count to\r\nbe around 250 organizations. Our most conservative estimate places the total Sodinokibi ransom revenue at USD\r\n123 million in 2020. This estimate is the result of several factors, notably the big game hunting attacks. Of the\r\nestimated 19 victim organizations with total annual revenue of USD 1 billion or more, at least 15 have probably\r\npaid a multi-million-dollar ransom.\r\nFigure 1: Attacks per month (Source: IBM X-Force)\r\nFigure 2: Ransom demands per month (Source: IBM X-Force)\r\nFigure 3: Victimized organizations by geo-location (Source: IBM X-Force)\r\nFigure 4: Victimized organizations by industry (Source: IBM X-Force)\r\nThe price of trust\r\nAccording to IBM Security surveys and data collected on ransomware attacks, at least half of organizations\r\ntargeted with ransomware pay the ransom. That model might have worked in some cases, in the past, when the\r\nonly threat was locked files. But, a new question arises: Are cyber criminals breaking their own business model by\r\nchallenging organizations to trust them with their stolen data?\r\nWith blended attacks that both steal and encrypt data, cyber criminals can add pressure to their scheme and force\r\norganizations to pay or have their data exposed or auctioned off. But, in reality, the minute a copy of confidential\r\ndata is outside the organization, there is no telling what’s actually being done with it. 
Is it truly being deleted? This\r\nis not a predicament any organization would choose to be in. In some Sodinokibi cases, the attackers who were\r\nsupposed to delete the stolen data after they got paid ended up coming back for seconds, demanding more money\r\nbe paid because they kept the data.\r\nThis raises the espionage question once again. After the ransom is paid for the decryption and supposed deletion\r\nof the stolen data, who’s to guarantee that the same data is not then offered anonymously to a competitor? Who’s\r\nto say it won’t be offered to a rivaling nation-state for a hefty fee, all under the cloak of cryptocurrency payments\r\nand money-laundering capacity that cyber crime gangs build by fostering relationships with other organized crime\r\ngroups?\r\nThere are no guarantees. A decryption key is one thing, buying trust is another. That’s why this may seem like bad\r\nnews at first sight, but it could be a factor that will make organizations less inclined to pay ransoms.\r\nWith gangs like Sodinokibi thinking of expansion and attack diversity, security executives are better off looking at\r\nsecurity reinforcements and preventive measures (i.e., encrypting data so it is useless if stolen, safely storing\r\nbackups, threat intelligence-driven patch vulnerability strategy, data loss prevention, continuous zero-trust\r\nimprovements, etc.) rather than dumping millions of dollars into a losing game — an attacker’s bottomless pocket.\r\nIt’s Sodinokibi — What’s next?\r\nWhen a ransomware attack is discovered, every second counts. As time passes, more data and files are being\r\nencrypted, driving up the cost and damage of that attack. 
Immediate — yet methodical and informed — action\r\nmust be taken.\r\nA first move should be involving IT security teams and allowing them to launch the incident response process that\r\nthey have prepared to combat ransomware. If you have a retainer contract with a third-party provider, it is\r\nadvisable to engage them now and get responders on site. In the meantime, all defensive actions should count on\r\nthe assumption that the attacker is still in the environment and monitoring all communications.\r\nIf your team figures out which malware has encrypted data, typically by the encrypted file extensions, run an\r\ninitial root cause analysis (RCA) to determine how the malware got in. While a formal RCA can wait until the\r\npost-incident activity phase, an abridged RCA will aid the organization in entering the containment phase. Without\r\na basic RCA, the infection cycle is more likely to repeat itself. It is also important to perform the RCA before the\r\nrecovery phase, since an organization could expend a large amount of time and effort recovering files only to see\r\nthem re-encrypted shortly thereafter.\r\nThe pressure is on, the attackers make every possible threat at this point, and time is running out quickly. If data\r\nhas been stolen (e.g., customer data, financial data, cyber insurance information, intellectual property, etc.) and the\r\norganization understands what’s at stake, the company’s counsel, data privacy officer (DPO) or privacy officer\r\nshould be involved to plan the response that concerns customers and data subjects. Other parties to consider\r\ncontacting are federal law enforcement and regulators, depending on the local requirements for the industry and\r\ngeographies in which your company operates.\r\nFast forward to the recovery stage, as this is the point at which companies will typically consider cutting their\r\nlosses and may plan on paying the ransom or negotiating it down. 
It’s important to consider the newer pressure\r\ntactics Sodinokibi operators use on top of encryption, data exfiltration and DDoS, before paying. Moreover:\r\nPaying a ransom does not guarantee recovery; some data may have been corrupted.\r\nPaying a ransom does not equal instant recovery; it may take weeks or months to decrypt data.\r\nPaying a ransom can be a federal offense if paid to attackers in certain countries.\r\nPaying organized cyber crime operations like Sodinokibi funds and strengthens their business model.\r\nSodinokibi expanding in 2021\r\nSodinokibi actors have been trying to recruit additional affiliates. One way to lure new members to collaborate\r\nwith them is by flaunting their wealth, by depositing USD 1 million in a Russian-speaking underground forum, to\r\nassure members they can be trusted and those who join will get paid.\r\nThe types of skills the group is after, and those which defenders will be seeing more of in 2021, appeared in a post\r\nin a dark web forum.\r\n“Groups that have already got expertise and expertise in penetration testing, working with MSF (aka MetaSploit\r\nFramework)/CS (aka Cobalt Strike)/Koadic (a Windows post-exploitation framework and penetration testing\r\ntool), NAS/Tape (enterprise data archiving and storage), Hyper-V, and analogues of the listed software\r\nprograms…”\r\nOn top of these popular ransomware tactics, techniques and procedures (TTPs), check out the annex at the end of\r\nthis blog post for additional cues.\r\nAt this time, no end is in sight for Sodinokibi, but that does not mean it will not suddenly shut down operations\r\nand disappear. In some cases, cyber criminals bow out of the arena when they have amassed considerable wealth\r\nand are worried about potential law enforcement crackdowns. 
We have seen such occurrences with GandCrab in\r\n2019, Maze ransomware in late 2020 and FonixCrypter in January 2021.\r\nUntil that happens with Sodinokibi — and with no reason to doubt that new actors will rise next — defenders\r\nshould continue to focus on security and employee awareness to limit the potential for these types of attacks.\r\nFacing a Sodinokibi attack?\r\nIf your team requires assistance, please contact the X-Force hotlines:\r\nNorth America: 24×7 Hotline: 1-888-241-9812\r\nGlobal Hotline: +00 1 (312) 212-8034\r\nIBM X-Force Threat Intelligence\r\nIBM X-Force IRIS Threat Intelligence Solutions offers global intelligence experts, analysis and platform\r\nintegration of threat intelligence into security workflow applications.\r\nIBM X-Force Incident Response Services\r\nIncident response services — retainer subscription and proactive services to reduce incident response time,\r\nminimize breach impact and help you recover faster.\r\nANNEX\r\nGeneral ransomware characteristics to look out for\r\nRansomware attackers, including Sodinokibi actors, tend to be sophisticated, stealthy and prevalent. Most times,\r\nthey seek to gain access to a victim organization’s network by either exploiting a vulnerability or acquiring and\r\nabusing valid account credentials.\r\nObtaining that initial set of account credentials typically comes through phishing attacks or purchases in dark web\r\ncyber crime forums. Ultimately, once an attacker gains an initial foothold, they seek to move laterally and acquire\r\nas many privileged account credentials as possible. The use of some malware or penetration testing tools is a\r\ncommon practice.\r\nCommon infection vectors (e.g., vulns. 
exploits)\r\nPhishing/malware\r\nVulnerability exploitation\r\nOpen/poorly secured RDP\r\nCommonly exploited vulnerabilities to prioritize\r\nRDPs\r\nBlueGate CVE-2020-0609, CVE-2020-0610\r\nCVE-2020-16896\r\nCVE-2019-1225\r\nCVE-2019-1224\r\nCVE-2019-1108\r\nCVE-2019-19781 Citrix\r\nCVE-2019-2725 Oracle WebLogic\r\nCVE-2020-2021 Palo Alto Firewall\r\nCVE-2020-5902 F5 BIG-IP\r\nCVE-2018-8453 (EoP) Windows (RCE) win32k.sys\r\nCVE-2020-1472 Windows Netlogon ZeroLogon (post-initial foothold/compromise)\r\nVPNs\r\nCVE-2019-11510 Pulse Secure Connect\r\nCVE-2019-11539 Pulse Secure Connect\r\nCVE-2018-13379 FortiOS SSL VPN\r\nCVE-2019-18935 Telerik UI (JuicyPotato exploit)\r\nCommon capabilities\r\nAntivirus and sandbox evasion/anti-debug, anti-analysis tricks\r\nBinary file is encrypted\r\nCRC32 checks\r\nProcess injection tactics\r\nAPI hashing/dynamic API resolution\r\nMount and encrypt virtual disks (e.g. 
virtual machine files like VHD, VHDX)\r\nUAC bypass\r\nWake-on-LAN (WoL)\r\nProcess doppelgänging\r\nDeploy and execute ransomware inside its own virtual machine container\r\nDisable Windows driver signature enforcement\r\nKill specific running processes and services\r\nDelete data, e.g., various logs (attack evidence), volume shadow copies, backups, etc.\r\nDisable/delete various system security settings (e.g., Windows firewall, Windows Defender definitions,\r\netc.)\r\nEvade detection, e.g., msbuild.exe, Heaven’s Gate technique, use memory mapped I/O to encrypt each file,\r\netc.\r\nRapid, multithread encryption\r\nCommon TTPs to look out for\r\nHarvesting privileged account credentials, admins of varying sorts.\r\nUse of legitimate, remote access software like AnyDesk, NetSupport Manager, etc.\r\nUse of PuTTY Link (aka Plink) to tunnel RDP sessions and establish connections to other devices on the\r\nnetwork with randomized source and destination ports.\r\nCreation of one or more user accounts and/or groups, group policies (GPOs).\r\nAttempts to encrypt network shares; creates new tasks, registry keys.\r\nAttacker will target systems with vSphere/ESXi/Nagios, NAS (data exfil), network shares (data exfil),\r\nExchange server (monitor and steal internal communications) and consolidated backups (which can\r\nfrustrate recovery efforts), especially during the internal reconnaissance phase.\r\nInternal network scans looking for IP ranges with the following services/ports:\r\n10.0.0.0-10.0.255.255\r\nHTTP and proxy (ports 80, 443, 3128, 8080)\r\nFTP and SFTP (ports 21, 115)\r\nDatabase servers (ports 1433, 3050, 3306)\r\nRemote management (ports 22, 23, 3389, and 4899)\r\nLog deletion using publicly available code.\r\nLateral movement — many times, a primary subgoal is to move to a domain controller (DC).\r\nPSRemoting session started; PowerShell downloads scripts and files; privileged account used (i.e.,\r\nDomain Admin); ADRecon executed (reconnaissance); Scheduled 
Task executes script from\r\nSystemApps; lateral movement via Cobalt SMB beacon.\r\nOnce on a DC, attackers attempt to disable Windows security settings like MS firewall settings for\r\nall domain-joined computers via new GPO.\r\nDeployment and detonation of ransomware on all domain-joined computers via GPO.\r\nWatch for any network activity to/from cloud storage platforms as a way by which data is being exfiltrated.\r\nSource: https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/"
	],
	"report_names": [
		"sodinokibi-revil-ransomware-disrupt-trade-secrets"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434867,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddcd8ae2b5336056ea289d8051ccb28305d094a7.pdf",
		"text": "https://archive.orkl.eu/ddcd8ae2b5336056ea289d8051ccb28305d094a7.txt",
		"img": "https://archive.orkl.eu/ddcd8ae2b5336056ea289d8051ccb28305d094a7.jpg"
	}
}