REvil/Sodinokibi Ransomware: Origin, Victims, Prevention Strategies
REvil/Sodinokibi Ransomware Is One of the Most Distributed Ransomware Strains in the World. Don’t Let Your Company Be Its Next Victim!
Cyberattacks have become a part of our reality, but have you ever wondered what might happen if your company gets targeted? You probably imagine that you would lose some money and a great deal of time, maybe fire an employee or two, lose a few clients and have your reputation tainted, or eventually even deal with a lawsuit. If these aren’t serious and bad enough for you to take cybersecurity seriously, let me tell you this: cyberattacks have just turned deadly. It happened this month in Germany, where “A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.” Speaking of ransomware, you should pay particular attention to REvil/Sodinokibi ransomware.
REvil/Sodinokibi ransomware (AKA Sodin) is a perfect example of Ransomware-as-a-Service, a cybercrime that involves two groups teaming up for the hack: the code authors who develop the ransomware and the affiliates that spread it and collect the ransom.
As SecurityBoulevard says, REvil/Sodinokibi is “the apparent heir to a strain known as GandCrab. The security community believes GandCrab is responsible for 40 per cent of all ransomware infections globally. It has taken in around $2 billion in ransom. Then, earlier this year, the creators of GandCrab announced the malware’s retirement.”
Discovered in April 2019, REvil/Sodinokibi is a highly evasive and upgraded ransomware that uses a distinctive pressure tactic: the affiliates who spread it threaten to double the ransom if it is not paid within a certain number of days. This aspect makes Sodinokibi ransomware dangerous for companies of all sizes. Also known as Sodin or REvil, Sodinokibi quickly became the 4th most distributed ransomware in the world, targeting mostly American and European companies.
How does REvil/Sodinokibi ransomware work?
Does REvil/Sodinokibi ransomware steal data?
Stealing data from ransomware victims before encrypting their devices, then using the stolen files as leverage to get paid, is a tactic that the Maze ransomware operators introduced. Since then, REvil/Sodinokibi, DoppelPaymer and Nemty have followed their lead. According to BleepingComputer, as of March 2020 the Sodinokibi ransomware operators had published over 12 GB of stolen data “allegedly belonging to a company named Brooks International”. Moreover, “other hackers and criminals have started to distribute and sell this data on hacker forums”, as shown in a forum screenshot from that report “where a member is selling a link to the stolen data for 8 credits, which is worth approximately 2 Euros”:
Who fell victim to REvil/Sodinokibi ransomware?
Among the first victims of REvil/Sodinokibi ransomware were two Florida cities. SecurityBoulevard describes the attacks from May 2019:
The City of Riviera Beach, Florida, agreed to pay $600,000 for the decryption key to unlock their files. Weeks later, the city of Lake City, Florida, relented to a $450,000 ransom payment as well. Each of these cities faced service disruption after being infected. Some of these services included email, phones, police records, the public works department, the library, 911 emergency, and general offices. Because these towns do not have the personnel or knowledge base to remediate these attacks, paying the ransom seemed to be the best bet.
These attacks were followed by another impressive one, against Texas:
In a highly coordinated attack, hackers were able to bring down 22 separate municipalities, including the cities of Borger and Keene. The perpetrators of the attack then asked for a collective $2.5 million to release everyone caught in the net. Fortunately, the infected Texas municipalities received state-issued resources from Texas A&M University and the Texas Military Department.
In August 2019, Sodinokibi operators targeted PerCSoft, a company specialized in backup services for UK dental offices: more than 400 dental offices were affected by the attack. PerCSoft, which described the incident as a virus infection, claimed that no data was accessed during the attack, but it would appear that “a private Facebook group of IT professionals serving the dental industry shared […] screenshots that hint that the victim firm has paid the ransom to decrypt the data.” The most notable example of a REvil/Sodinokibi ransomware attack is probably the one on Travelex, a well-known currency exchange company. On this subject, SecurityBoulevard notes:
An unnamed source within Travelex disclosed to The Wall Street Journal (WSJ) that the company paid $2.3 million in Bitcoin in an effort to restore functionality to its systems following a ransomware attack. Travelex was hit with a ransomware attack on New Year’s Eve, and it took a couple of weeks to restore some of its basic services, with the consumer side having to wait until February. The breadth of the attack was staggering, as the hackers infiltrated the company’s infrastructure six months before attacking with ransomware. Hackers didn’t just linger around the network. They used the time to exfiltrate valuable information, 5GB in total, which they then used to blackmail the company after deploying ransomware. […] In the Travelex attack, the hackers used Sodinokibi ransomware and an unpatched critical vulnerability in Pulse Secure VPN servers. Companies were warned about this particular VPN vulnerability, but some companies didn’t update their systems in time.
What can you do to prevent REvil/Sodinokibi Ransomware?
As Fernando Ruiz, head of operations at Europol’s European Cybercrime Center says, “Criminals behind ransomware attacks are adapting their attack vectors, they’re more aggressive than in the past – they’re not only encrypting the files, they’re also exfiltrating data and making it available”. In order to defend your company from this kind of menace, you need to approach the matter from various angles:
The first one is education-oriented:
BACK UP YOUR DATA!
This might seem tech-related, but we think of it more as common knowledge: how could you not have backups for your essential data? Keep backup copies both online and offline, and take the time to test your ability to restore from them before a real incident forces you to.
Train your employees!
User awareness is one of the most reliable methods to prevent an attack, so make sure you take the time to educate your employees and advise them to report to the security teams as soon as they notice something unusual. They should be aware of phishing techniques and other social engineering tactics cybercriminals may use to get into your organization.
The second one – technology-related:
Keep your systems up to date.
Updates help you close the security holes that much malware uses to get into your computers. Since dealing with patches is a resource- and time-consuming task, the best option for you to stay safe from REvil/Sodinokibi and other ransomware would be to deploy an automated patching solution.
The Heimdal Patch & Asset Management (automated patching) efficiently addresses this problem by applying Windows and third-party updates in the background as soon as they are released.
Protect your email.
Many hackers rely on you not paying attention to what your emails actually contain and hope you’ll get infected by opening a malicious attachment or clicking on a fake link. Try to always hover over the links you want to access to make sure they lead where they’re supposed to lead and never open attachments or access links received from unknown, unexpected, or unwanted sources. You should also think about an email protection solution, like our Heimdal™ Email Security.
Deploy multi-layered Cybersecurity.
Good antivirus software is essential for any company’s cybersecurity, but to be as protected as you can, we recommend using a multi-layered security approach. Heimdal’s EDR Software uses multi-layered AI-powered protection that brings together threat hunting, prevention, and mitigation in one package, for the best endpoint protection.
Since there is no free decryption tool or foolproof method that can completely decrypt files encrypted by REvil/Sodinokibi ransomware, and paying the ransom to get your data back from the hackers shouldn’t be an option, prevention remains the most effective approach.
Heimdal Security offers the latest in cybersecurity protection against advanced cyberattacks. Our security solutions are designed to work with your company’s needs and budget.