CSO: Cyber security researchers have tracked the bitcoin payments made by victims of Sodinokibi (aka REvil), and concluded that some of the criminals distributing the ransomware earned millions of dollars from the scheme
Cybercrime often pays, especially when crooks use capable ransomware such as Sodinokibi (REvil). According to CSO, cyber security researchers have tracked the bitcoin payments made by victims of the malware and concluded that some of the criminals distributing the program earned millions of dollars from the scheme. The malicious code first appeared in April 2019, shortly after another widely used ransomware operation, GandCrab, shut down. While Sodinokibi is not necessarily a direct continuation of GandCrab, researchers have found code and other similarities between the two, indicating a likely connection. Like its predecessor, the new malware uses the ransomware-as-a-service (RaaS) model: its developers provide the program to other cyber criminals, called affiliates, and offer support in exchange for a cut of the ransom money paid by victims.
The malware’s “affiliate program”
McAfee researchers tracked down posts on underground forums from a Sodinokibi distributor who claimed to have worked with GandCrab in the past. His posts contained bitcoin transaction IDs indicating that he earned the equivalent of $287,499 in bitcoin from ransom payments made in just 72 hours. The researchers went on to identify more bitcoin wallets belonging to other affiliates, as well as a wallet likely used by the program's creators. The ransomware's developers take a 30% or 40% cut of each payment after it has passed through a bitcoin mixer, which obfuscates the transaction trail and makes it harder for investigators to identify the final cash-out wallet. Based on its blockchain analysis, McAfee estimates that Sodinokibi has around 41 active affiliates and that its creators receive between $700 and $1,500 from every ransom payment, given that ransom demands vary between $2,500 and $5,000.
A large number of transactions from cybercrime affiliates are related to a wallet that contained 443 bitcoins (around $4.5 million)
The researchers observed a large number of transactions from affiliates to a wallet that contained 443 bitcoins, or around $4.5 million. Some affiliates were also observed spending part of their Sodinokibi proceeds on illegal goods and services from underground marketplaces such as Hydra Market. Because Sodinokibi is distributed by multiple affiliates, the infection methods vary considerably from one campaign to another; they include traditional phishing emails with malicious attachments as well as exploit kits.
How the ransomware works and the “distribution rules”
Based on an advertisement posted on a cybercrime forum, the ransomware's authors prohibit affiliates from distributing it in countries that are part of the Commonwealth of Independent States (CIS), and the malware itself refuses to run on computers whose installed languages belong to those countries, plus Syrian Arabic. The ransomware ships with an encrypted, JSON-formatted configuration file that affiliates can edit to suit their needs. Among other things, it lets them whitelist folders and files that must not be touched, specify the file extensions to target, choose between encrypting whole files and encrypting only the first megabyte of each file, single out particular folders, and change the command-and-control domain names.
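To make the affiliate-editable settings concrete, here is a small triage helper written as an added example for this page. It is not Sodinokibi's own code, and the JSON layout and key names (`whitelist_folders`, `encrypt_mode`, `excluded_languages`, and so on) are assumptions chosen to mirror the options the article describes, not the real format; a genuine sample stores its configuration encrypted, so this starts from already-decrypted JSON text. The sample configuration and file paths are constructed for the demonstration.

```python
"""Triage helper for an affiliate-editable ransomware configuration.

Added example (not REvil/Sodinokibi code). Key names and the JSON layout are
hypothetical stand-ins for the settings the article lists: whitelisted folders
and files, targeted extensions, full vs first-megabyte encryption, C2 domains
and the list of system languages on which the malware refuses to run.
"""
import json
from dataclasses import dataclass

ONE_MIB = 1024 * 1024

# Constructed sample configuration with hypothetical key names.
SAMPLE_CONFIG = json.dumps({
    "whitelist_folders": ["windows", "program files", "$recycle.bin"],
    "whitelist_files": ["ntldr", "boot.ini", "bootmgr"],
    "target_extensions": ["docx", "xlsx", "sql", "vmdk", "pst"],
    "encrypt_mode": "first_mib",          # "full" or "first_mib"
    "c2_domains": ["example.invalid", "c2.example.test"],
    "excluded_languages": ["ru-RU", "uk-UA", "be-BY", "kk-KZ", "ar-SY"],
})


@dataclass
class AffiliateConfig:
    whitelist_folders: set
    whitelist_files: set
    target_extensions: set
    encrypt_mode: str
    c2_domains: list
    excluded_languages: set


def parse_config(text: str) -> AffiliateConfig:
    """Parse the decrypted JSON and normalise everything to lower case,
    since Windows path and extension matching is case-insensitive."""
    raw = json.loads(text)
    mode = raw.get("encrypt_mode", "full")
    if mode not in ("full", "first_mib"):
        raise ValueError(f"unknown encrypt_mode: {mode!r}")
    return AffiliateConfig(
        whitelist_folders={f.lower() for f in raw.get("whitelist_folders", [])},
        whitelist_files={f.lower() for f in raw.get("whitelist_files", [])},
        target_extensions={e.lower().lstrip(".") for e in raw.get("target_extensions", [])},
        encrypt_mode=mode,
        c2_domains=list(raw.get("c2_domains", [])),
        excluded_languages={lang.lower() for lang in raw.get("excluded_languages", [])},
    )


def would_run(cfg: AffiliateConfig, system_languages) -> bool:
    """Model of the language kill switch described in the article: the
    payload backs off if any installed language is on the exclusion list."""
    return not any(lang.lower() in cfg.excluded_languages for lang in system_languages)


def is_targeted(cfg: AffiliateConfig, path: str) -> bool:
    """Whitelisted file names and any whitelisted folder anywhere in the path
    win over the extension list; otherwise the extension decides."""
    parts = path.replace("\\", "/").lower().split("/")
    name = parts[-1]
    if name in cfg.whitelist_files:
        return False
    if any(folder in cfg.whitelist_folders for folder in parts[:-1]):
        return False
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return ext in cfg.target_extensions


def encrypted_bytes(cfg: AffiliateConfig, file_size: int) -> int:
    """Bytes the chosen mode overwrites. In first-megabyte mode the tail of
    any file larger than 1 MiB stays in plaintext, which is worth knowing
    during recovery of large databases, disk images or mail stores."""
    if cfg.encrypt_mode == "full":
        return file_size
    return min(file_size, ONE_MIB)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("C2 domains:", cfg.c2_domains)
    print("runs on en-US/ru-RU host:", would_run(cfg, ["en-US", "ru-RU"]))
    print(r"targets C:\Users\a\budget.xlsx:", is_targeted(cfg, r"C:\Users\a\budget.xlsx"))
    print("bytes touched in a 10 MiB file:", encrypted_bytes(cfg, 10 * ONE_MIB))
```

The partial-encryption figure is the one an incident responder cares about most: when an affiliate picks the fast first-megabyte mode to shorten time-on-host, everything past the first MiB of a large file is still intact, and some formats can be partially salvaged from that tail.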