Sodinokibi data auctions highlight changing criminal tactics
The operators of the Sodinokibi ransomware strain are auctioning off swathes of stolen data in an apparent bid to raise cash. What is motivating this new tactic?
The cyber criminal gang behind the Sodinokibi or REvil ransomware is making good on its threat to auction off the data it has stolen in various recent attacks – including legal documents stolen from a New York celebrity law firm – on the dark web, piling extra pressure on its victims.
The Sodinokibi group used its dark web site, The Happy Blog, to begin the auctions earlier this week, taking online bids from interested parties.
At the time of writing, the group was understood to be auctioning confidential data from two different victims, one a food distributor and the other an agricultural company, both based in North America. It has published some data related to both as proof and said it had not forgotten its threat to sell off data relating to Madonna.
Typifying the more organised and business-like attitude that has lately become common among cyber criminals, the group has set a number of rules for the auction process. Bidders must, for example, register with the group and make a deposit of 10% of the starting price, to be refunded later minus blockchain commission, or retained if the bidder wins but does not pay. All the auctions are being transacted in the Monero cryptocurrency.
Earlier this year, researchers highlighted the emergence of the double extortion attack, whereby in addition to encrypting data in a ransomware attack, hackers would threaten to leak the data unless paid. This tactic was probably used on security firm Chubb by the group behind Maze, and by the Sodinokibi gang on law firm Grubman, Shire, Meiselas and Sacks.
The latest variation in tactics, the auction of data to third parties – although there is nothing to stop the victims taking part – is likely to reflect increased awareness of ransomware operations in the wider world.
Higher-profile ransomware attacks have many organisations running scared, and as a result paying more attention to ensuring they have appropriate cyber security measures in place, crucially backups of data, enhanced end-user training, and so on.
This means that merely encrypting the victim’s data is no longer the threat it once was, so attackers must go even further to monetise their activities.
“Affected organisations not only have to pay for a decryption key for their data, but they have to pay to prevent the criminals from selling or leaking their data,” said Javvad Malik, security awareness advocate at KnowBe4. “From the criminals’ perspective, this guarantees a payment even if the organisation can recover all its data from backups.”
Chris Hauk, consumer privacy champion at Pixel Privacy, added: “The FBI and many security firms are advising victims not to pay any ransom, as in many cases paying the ransom does not result in gaining access to encrypted files.
“Firms are finally learning the importance of securing access to their networks, ensuring their systems have the latest security patches applied, and are putting email filters in place to remove emails with those tempting links that employees seem to love clicking.
“They have also finally started following the all-important mantra ‘back up early, back up often’. Plus, websites like Nomoreransom offer tools that help some victims recover their data without paying the ransom.”
Some have even speculated that this new tactic may also be a result of the Covid-19 coronavirus pandemic. There is some evidence to suggest that ransomware payments to cyber criminal groups have slowed since the pandemic began to bite globally in March 2020, which may suggest some groups are feeling the pinch.
KnowBe4’s Malik said this may be the case, but the information around it was largely anecdotal.
“There is no doubt that Covid-19 has disrupted many organisations – and that includes criminal organisations, so they could be diversifying income streams because of this,” he said. “Or it could be that these plans were in motion before Covid-19 struck. It’s difficult to say for sure.”
But Ilia Kolochenko, a criminal justice and cyber crime investigation expert and founder of web security firm ImmuniWeb, went further, saying that he doubted the quality and credibility of many of the offers being made on auction sites.
“An interesting trend in today’s cyber crime landscape is fake threats to publish allegedly stolen data,” he said. “Many organisations, whose business largely depends on their reputation, are well prepared to pay a fortune to avoid negative publicity.
“Another relatively new, but rapidly growing, scenario is exaggeration of the nature or value of data stolen and encrypted by ransomware. Organisations have limited visibility of their attack surface, including corporate data, which is chaotically dispersed across computers and servers.
“Once a machine is hacked and encrypted, victims may well believe that attackers will find a backup of their database, critical source code or other important trade secrets. However, prior to paying a ransom, you should carefully investigate, analyse and assess the situation to avoid falling victim to manipulative fraudsters.”
Kolochenko added: “Sadly, the coronavirus pandemic has pushed many beginners in the IT field to become cyber criminals amid unemployment and lack of finding a well-paid job in their field. Thus, we will likely see a surge of fake extortion campaigns ventured by the newbies and aimed to strip organisations out of cash in a simple and swift manner.”