Ransomware generates massive profits for its operators. How much do they make, and how do their spend their illicit earnings? Newly published research on Sodinokibi ransomware sheds some light on this.
The McAfee Advanced Threat Research (ATR) team has been investigating ransomware-as-a-service (RaaS) Sodinokibi, also known as Sodin or REvil, since it was spotted in the wild back in April. Around the same time, GandCrab's operators announced their retirement. Secureworks analysis showed Gold Garden, the group behind GandCrab, is also behind REvil ransomware.
From the start, it was clear Sodinokibi was a serious threat. It was first seen propagating by exploiting a vulnerability in Oracle's WebLogic server; however, its affiliates have several tactics. Some attackers exploited a Windows privilege escalation bug, Kaspersky Lab researchers found.
Given the severity of Sodinokibi's attacks, in particular those targeting US managed services providers, McAfee's team wanted to take a deeper dive, says John Fokker, head of cyber investigations. ATR researchers are now publishing a series of blog posts to detail their findings on Sodinokibi and its connections to GandCrab. The first in the series digs into the code and inner workings of the ransomware; the second analyzes affiliate structures in RaaS campaigns. Affiliates are the attackers who buy ransomware from Sodinokibi's operators and deploy i ..
Support the originator by clicking the read the rest link below.
