Security researchers have tracked the bitcoin payments made by victims of the Sodinokibi ransomware threat and concluded that some of the criminals distributing the program earned millions of dollars from the scheme. Sodinokibi, also known as REvil, is a ransomware program that first appeared in April, shortly after another widely used ransomware operation called GandCrab shut down. While Sodinokibi is not necessarily a direct continuation of GandCrab, researchers have found code and other similarities between the two, indicating a likely connection.
Like GandCrab, Sodinokibi uses the ransomware-as-a-service (RaaS) model, where its developers provide the program to other cybercriminals called affiliates and offer support in exchange for a cut of the ransom money paid by victims.
Researchers from McAfee have tracked down some posts on underground forums from a Sodinokibi distributor who claimed that he worked with GandCrab in the past. His posts contained bitcoin transaction IDs that indicated he earned the equivalent of $287,499 in bitcoin from ransom payments made in just 72 hours.
From those transactions the researchers managed to track down more bitcoin wallets belonging to other Sodinokibi affiliates, as well as a wallet likely used by the program’s creators. The developers get a 30% or 40% cut from each payment after it has passed through a bitcoin mixer, whose role is to obfuscate transactions and make it harder for investigators to discover the final cash-out wallet.
Based on a blockchain analysis, McAfee estimates that Sodinokibi has around 41 active affiliates and that its creators receive between $700 and $1,500 from every ransom payment, considering that the ransom values vary between $2,500 and $5,000.
The researchers observed a large number of transactions from affiliates to a wallet that contained 443 bitcoins or around $4.5 million. Some affiliates were also observed spending some of their Sodinokibi bitcoins to buy illegal goods and services from underground marketplaces, such as Hydra Market.
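The wallet-tracing logic described above can be illustrated with a small payment-graph walk. This is an added example, not McAfee's tooling or data: the ledger, addresses and amounts are constructed, and the heuristic (a payment worth 30-40% of a wallet's total inflow is treated as a developer share) is a simplification of what a blockchain analyst would do with real transaction data and mixer-aware clustering.

```python
from collections import defaultdict

# Constructed ledger of (txid, sender, receiver, btc). Every address is a
# placeholder; none of these are real Sodinokibi wallets.
LEDGER = [
    # victims paying the seed affiliate wallet known from the forum posts
    ("tx01", "victim1", "affiliateA", 0.50),
    ("tx02", "victim2", "affiliateA", 0.40),
    # affiliateA forwards roughly 35% of its inflow to the collector wallet
    ("tx03", "affiliateA", "collector", 0.315),
    # affiliateA spending on an underground market: not a developer share
    ("tx04", "affiliateA", "hydra_market", 0.20),
    # other affiliates paying the same collector
    ("tx05", "victim3", "affiliateB", 1.00),
    ("tx06", "affiliateB", "collector", 0.30),
    ("tx07", "victim4", "affiliateC", 0.80),
    ("tx08", "affiliateC", "collector", 0.28),
    ("tx09", "affiliateC", "exchange", 0.52),
    # a wallet with no traced inflow that also pays the collector
    ("tx10", "unrelated", "collector", 0.05),
]


def build_graph(ledger):
    """Total inflow per address and the list of outgoing payments per sender."""
    inflow = defaultdict(float)
    outflows = defaultdict(list)
    for _, src, dst, btc in ledger:
        inflow[dst] += btc
        outflows[src].append((dst, btc))
    return inflow, outflows


def share_candidates(seed, inflow, outflows, lo=0.30, hi=0.40):
    """Receivers of payments sized 30-40% of the seed wallet's total inflow:
    candidates for the developers' collector wallet."""
    total_in = inflow[seed]
    return {dst for dst, btc in outflows[seed]
            if total_in and lo <= btc / total_in <= hi}


def find_affiliates(collector, ledger, inflow, lo=0.30, hi=0.40):
    """Every sender whose payment to the collector is 30-40% of its own inflow."""
    affiliates = set()
    for _, src, dst, btc in ledger:
        if dst == collector and inflow[src] and lo <= btc / inflow[src] <= hi:
            affiliates.add(src)
    return affiliates


def trace(seed, ledger):
    """Walk from a known affiliate wallet to the collector(s) it pays, then
    enumerate the other affiliates feeding each collector and its balance."""
    inflow, outflows = build_graph(ledger)
    result = {}
    for collector in share_candidates(seed, inflow, outflows):
        result[collector] = {
            "affiliates": sorted(find_affiliates(collector, ledger, inflow)),
            "balance_btc": round(inflow[collector], 4),
        }
    return result


if __name__ == "__main__":
    for wallet, info in trace("affiliateA", LEDGER).items():
        print(wallet, info)
```

On the constructed ledger the walk reaches a single collector with three affiliates; the "unrelated" sender is excluded because its payment cannot be expressed as a share of any traced inflow, and the market and exchange spends are ignored because they fall outside the 30-40% window. Real analysis additionally has to follow mixer hops, which this toy ledger omits.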
“We do understand that there are situations in which [company] executives decide to pay the ransom but, by doing that, we keep this business model alive and also fund other criminal markets,” the McAfee researchers said in a new report released today.
How Sodinokibi operates
Early on, Sodinokibi was distributed by exploiting a known vulnerability in Oracle’s WebLogic server. However, distribution by brute-forcing Remote Desktop Protocol (RDP) credentials is also very common; this is a popular attack vector for most ransomware programs that target organizations, and GandCrab used it in the past.
Since Sodinokibi is distributed by multiple affiliates, the infection methods they prefer to use can vary a lot. This includes traditional phishing emails with malicious attachments and exploit kits.
Based on an advertisement posted on a cybercrime forum, Sodinokibi’s authors prohibit affiliates from distributing the ransomware in countries that are part of the Commonwealth of Independent States (CIS) -- former Soviet Union members -- and the program actually disables itself on computers that use the languages of those countries, plus Syrian. The blacklisting of Syrian is interesting because this was also done by GandCrab.
The malware comes with an encrypted JSON-formatted configuration file that affiliates can edit to their own needs. This provides the ability to whitelist folders and files, to specify the targeted file extensions, to choose between full file encryption and encrypting just the first megabyte of each file, to target particular folders, to change the command-and-control domain names and more.
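For incident responders, a decrypted copy of such a configuration is one of the most useful artifacts a sample yields: it lists the command-and-control domains to block and tells you which files the affiliate chose to spare and whether only the first megabyte of each file was encrypted, which matters when scoping recovery. The following is an added example of a triage parser, not code from the malware or from McAfee; the JSON is constructed and the key names (whitelist, target_folders, fast_mode, c2_domains) are assumptions chosen for readability, not the malware's real field names.

```python
import json
from pathlib import PureWindowsPath

ONE_MIB = 1024 * 1024

# Constructed sample of a decrypted configuration. Key names are assumed, and
# the domains use the reserved .invalid TLD so they resolve nowhere.
SAMPLE_CONFIG = json.dumps({
    "whitelist": {
        "folders": ["windows", "program files"],
        "files": ["desktop.ini"],
        "extensions": ["exe", "dll", "sys"],
    },
    "target_folders": ["backup"],
    "fast_mode": True,  # assumed flag: encrypt only the first megabyte of each file
    "c2_domains": ["example-c2-two.invalid", "example-c2-one.invalid"],
})


def parse_config(raw):
    """Normalise the configuration into lower-cased sets for case-insensitive matching."""
    cfg = json.loads(raw)
    wl = cfg.get("whitelist", {})
    return {
        "skip_folders": {f.lower() for f in wl.get("folders", [])},
        "skip_files": {f.lower() for f in wl.get("files", [])},
        "skip_exts": {e.lower().lstrip(".") for e in wl.get("extensions", [])},
        "priority_folders": {f.lower() for f in cfg.get("target_folders", [])},
        "partial_encryption": bool(cfg.get("fast_mode", False)),
        "c2_domains": sorted(set(cfg.get("c2_domains", []))),
    }


def would_be_encrypted(path, parsed):
    """True if no whitelist rule covers the path, i.e. the file is in scope
    for recovery planning. Matching is on Windows path components."""
    p = PureWindowsPath(path)
    if {part.lower() for part in p.parts} & parsed["skip_folders"]:
        return False
    if p.name.lower() in parsed["skip_files"]:
        return False
    if p.suffix.lower().lstrip(".") in parsed["skip_exts"]:
        return False
    return True


def untouched_bytes(file_size, parsed):
    """Bytes left in plaintext for a file of the given size: everything past
    the first megabyte when partial encryption is on, otherwise nothing."""
    if parsed["partial_encryption"]:
        return max(0, file_size - ONE_MIB)
    return 0


def dns_blocklist(parsed):
    """Lines for a hosts-file style sinkhole of the configured C2 domains."""
    return ["0.0.0.0 " + d for d in parsed["c2_domains"]]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("\n".join(dns_blocklist(cfg)))
    for sample in (r"C:\Windows\System32\kernel32.dll",
                   r"C:\Users\alice\Documents\report.docx",
                   r"D:\backup\db.bak"):
        print(sample, "->", "in scope" if would_be_encrypted(sample, cfg) else "spared")
```

The untouched_bytes helper is the point practitioners most often miss: with partial encryption enabled, a large database or archive keeps everything after its first megabyte intact, so carving the tail can sometimes salvage records even when no decryptor is available.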
“Overall, looking at the structure and coincidences, either the developers of the GandCrab code used it as a base for creating a new family or, another hypothesis is that people got hold of the leaked GandCrab source code and started the new RaaS Sodinokibi,” the McAfee researchers said in a Sodinokibi analysis earlier this month.