Sodinokibi/REvil ransomware explained
Cybercriminal operations have become increasingly sophisticated in recent years. One ransomware family (the term covers both the malware strain and the group that operates it), known as both “Sodinokibi” and “REvil”, has made a name for itself by using a “Ransomware-as-a-Service” (RaaS) model to attack large corporations and private individuals alike.
The more layered these operations grow, the harder it becomes to attribute an attack to the individuals actually responsible. This is why cybersecurity services like Mimecast matter: they offer the tools and partnerships needed to defend against organized criminal networks and their growing catalogue of techniques and exploits.
What is Ransomware-as-a-Service?
The RaaS model divides the work between two roles. The operators (the developers) write and maintain the malware, the payment and negotiation portal and the data-leak site, and rent access to “affiliates.” The affiliates do the actual intrusion: they break into a victim’s network and deploy the ransomware.
Affiliates usually obtain the malware through a subscription or a one-time license, much as commercial software is sold, or through profit sharing, the model REvil used: the operators take a cut of every ransom paid through their portal and the affiliate keeps the larger share.
The benefit to the criminals is that tracing an attack becomes a twofold task. Identifying an affiliate does not necessarily lead investigators to the developers, and identifying the developers does not reveal which affiliate carried out a given attack.
How does Sodinokibi ransomware work?
Sodinokibi/REvil affiliates use a variety of initial-access vectors: brute-forcing or buying credentials for Remote Desktop Protocol (RDP) services exposed to the internet, exploiting vulnerabilities in internet-facing software (the family’s first campaigns in 2019 exploited an Oracle WebLogic flaw, CVE-2019-2725, and its July 2021 attack through Kaseya’s VSA remote-management product reached dozens of managed service providers and, through them, an estimated 800 to 1,500 downstream businesses), and phishing emails that carry malicious attachments or links.
Once an affiliate has a foothold, the usual sequence is to obtain administrator credentials, move laterally, copy out sensitive data, delete Volume Shadow Copies and any backups reachable from the network, and only then encrypt files across the estate. You then receive a ransom note demanding a cryptocurrency payment (REvil initially asked for Bitcoin and later preferred Monero) in exchange for the decryption key.
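The backup destruction step described above is one of the few moments before encryption when a ransomware deployment is loud and cheap to detect: the attacker has to run well-known commands such as `vssadmin.exe Delete Shadows` or `bcdedit /set {default} recoveryenabled No` on each host. The following detection logic is an added example written for this page, not code from the original article or from Mimecast; the log-line format, host names, users and every sample line are constructed, and the rule names are this example’s own.

```python
# Added example (not from the original article): scan Windows process-creation
# log lines for the "destroy recovery options" commands that REvil/Sodinokibi
# and most other ransomware run just before encrypting. The log format and all
# sample lines below are constructed for this example.
import re
from collections import defaultdict
from dataclasses import dataclass

# Rule name -> regex over the process command line (case-insensitive).
RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "bootstatus_ignore": re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Constructed log format: timestamp host=... user=... parent=... cmd="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$'
)

@dataclass
class Hit:
    ts: str
    host: str
    user: str
    parent: str
    rule: str
    cmd: str

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def scan(lines):
    """Return one Hit per (line, rule) match."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES.items():
            if rx.search(rec["cmd"]):
                hits.append(Hit(rec["ts"], rec["host"], rec["user"], rec["parent"], name, rec["cmd"]))
    return hits

def staging_hosts(hits, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired. One such command
    may be an administrator tidying up; several in a row is ransomware staging."""
    rules_by_host = defaultdict(set)
    for h in hits:
        rules_by_host[h.host].add(h.rule)
    return sorted(host for host, rules in rules_by_host.items() if len(rules) >= min_rules)

# Constructed sample: a backup agent doing legitimate work on FS01, a user
# workstation WS-114 being prepared for encryption, and an unrelated process.
SAMPLE_LOG = """\
2021-07-02T10:15:01Z host=FS01 user=CORP\\svc_backup parent=backupagent.exe cmd="vssadmin.exe List Shadows"
2021-07-02T10:15:07Z host=FS01 user=CORP\\svc_backup parent=backupagent.exe cmd="wbadmin.exe get versions"
2021-07-02T11:42:13Z host=WS-114 user=CORP\\jsmith parent=cmd.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2021-07-02T11:42:14Z host=WS-114 user=CORP\\jsmith parent=cmd.exe cmd="bcdedit.exe /set {default} recoveryenabled No"
2021-07-02T11:42:14Z host=WS-114 user=CORP\\jsmith parent=cmd.exe cmd="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2021-07-02T11:42:15Z host=WS-114 user=CORP\\jsmith parent=cmd.exe cmd="wmic.exe shadowcopy delete"
2021-07-02T11:50:00Z host=WS-203 user=CORP\\amiller parent=explorer.exe cmd="notepad.exe C:\\Users\\amiller\\todo.txt"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.host} {h.user} parent={h.parent} rule={h.rule}: {h.cmd}")
    print("hosts in ransomware staging:", staging_hosts(found))
```

Two design points matter in practice. The rules match the command line, not the image name, because the same commands are also launched through `cmd.exe /c` or PowerShell; and a single hit is only an alert, while `staging_hosts` promotes a host to an incident once several distinct rules fire there within the same window. Backup software legitimately runs some of these commands, so tune by parent process and account rather than by dropping the rule.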
If you are the victim of an attack, the recommendation is not to pay. There is no guarantee that you will receive a working decryptor, and even if you do, nothing stops the criminals from keeping the copies they exfiltrated and selling them to others later.
What is Sodinokibi/REvil ransomware?
Sodinokibi ransomware is a particular Ransomware-as-a-Service operation first observed in April 2019 and widely regarded as the successor to GandCrab. It is run by a Russian-speaking group: the malware checks the system’s language and keyboard settings and refuses to run on machines configured for Russian or other CIS languages. The goal of the family is explicitly monetary, and its mode of operation is double extortion: affiliates steal private or corporate data before encrypting, then threaten to publish it on the group’s leak site unless the ransom is paid.
Since the family’s inception, its affiliates have hit large organizations including Travelex, JBS and Quanta Computer (an Apple supplier, from which they leaked Apple product schematics), and through their breach of the law firm Grubman Shire Meiselas & Sacks they claimed to hold files on celebrities such as Madonna and on US politicians.
However, there is some doubt as to whether the group is still active. In July 2021, shortly after the Kaseya attack, all known Sodinokibi/REvil infrastructure, including the payment and leak sites, went offline. While this inactivity is promising, radio silence by no means guarantees that the group has ceased operations. RaaS crews often regroup under a new name, which could simply make them harder to find.
How can I protect against REvil/Sodinokibi?
The best way to protect against REvil/Sodinokibi ransomware is a multi-pronged approach involving security awareness, email scanning and audits of your current cybersecurity measures. For this family in particular, the audit should cover the vectors its affiliates actually use: no RDP exposed directly to the internet, and multi-factor authentication and lockout on any remote access; prompt patching of internet-facing software such as VPN gateways, application servers and remote-management tools; offline or immutable backups that a compromised domain administrator cannot delete; and least-privilege administrative accounts, so that one phished user cannot reach every file share.
Security awareness involves training your staff to recognize phishing attempts and suspicious email attachments. This should always be the first line of defense, as phishing and malicious attachments are among the most common initial-access vectors for ransomware criminals, Sodinokibi affiliates included.
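Email scanning is where a gateway turns the awareness message above into an enforced policy. The following is an added example written for this page, not Mimecast’s or the original article’s code, of the simplest such policy: a name-based attachment check that blocks executable types, quarantines macro-enabled Office files and catches the `invoice.pdf.exe` double-extension trick. The sample message, its sender and recipient addresses and the attachment payloads are all constructed.

```python
# Added example (not from the original article): a minimal attachment policy
# of the kind an email gateway applies before a message reaches a user.
# The sample message, addresses and payloads below are constructed.
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions that should never arrive as attachments from outside.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                      ".iso", ".img", ".cmd", ".bat", ".ps1"}
# Macro-enabled Office formats: quarantine for review rather than deliver.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# "Document" extensions attackers place before the real one (invoice.pdf.exe).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

def classify_attachment(filename):
    """Return the policy reasons to block or quarantine this filename
    (an empty list means the name alone raises no flag)."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("blocked extension " + ext)
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office document")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension")
    return reasons

def screen_message(raw):
    """Parse a raw RFC 5322 message and return [(filename, reasons), ...]
    for every attachment that violates the policy."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_attachment(name)
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample():
    """Construct a phishing-style message with three attachments:
    a disguised executable, a macro workbook and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "jsmith@corp.example"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please see the attached invoice and statement.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="statement.xlsm")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_string()

if __name__ == "__main__":
    for name, reasons in screen_message(build_sample()):
        print(f"{name}: {', '.join(reasons)}")
```

A filename policy is only the first layer: the declared `Content-Type` and the filename are both attacker-controlled, so a production gateway also checks the payload’s magic bytes against the declared type, opens archives and disk images to apply the same rules to their contents, and rewrites or sandboxes links. The value of the check shown here is that it costs nothing and removes the attachment types that carry most commodity ransomware loaders.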
Cybersecurity experts like Mimecast offer security awareness training, email scanning, and cloud-based recovery archives so that even if you do suffer from a ransomware attack, you don’t have to feel beholden to cybercriminals to obtain access to private information.
Keep up with Sodinokibi and other ransomware families
Whether it’s Sodinokibi ransomware or any of the many other ransomware operations, you and your organization need to be equipped to handle these attacks. Otherwise, the risk is great enough that you could lose access to your entire IT infrastructure, along with any private information stored on your network.
Mimecast provides you with all the necessary tools to prevent these incidents. They also equip you and your team with the knowledge and leverage to handle any attacks should they arise.
Learn more about how Mimecast can help your organization, and partner with Mimecast today to protect against ransomware.