APT of Interest: Sodinokibi

June 18, 2020

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Sodinokibi ransomware, a successor to GandCrab, came on the scene in 2019. It made headlines because of its ability to infect larger organizations and demand larger ransom payouts. For example, in April Travelex paid out $2.3 million USD as a result of the New Year’s Eve attack on the currency exchange giant.

Also in April, the operators of Sodinokibi changed tactics slightly and switched their payment requirement from Bitcoin to Monero in an effort to better protect attacker identities. According to a report by BleepingComputer, using Monero will make it harder for law enforcement to track ransom payments to the actors behind Sodinokibi. In fact, the Sodinokibi payment website already steers victims away from paying with Bitcoin by setting the Bitcoin price 10% higher than the Monero price.

Per the report, the actors behind the Sodinokibi ransomware announced their switch to Monero. In the post, the cybercriminals explicitly stated that the switch was meant to make it harder for law enforcement to track the money. The announcement reads: “In this regard, we inform you that after a while the BTC will be removed as a payment method. Victims need to begin to understand the new cryptocurrency, as well as other interested parties who work with us.”