Sodin

Threat Actor updated a year ago (2024-11-29T13:34:05.256Z)

Download STIX

Preview STIX

Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. This entity quickly drew attention due to its unique methods of distribution and attack. It exploited an Oracle Weblogic vulnerability to distribute itself and targeted Managed Service Providers (MSPs). Additionally, it was discovered that Sodin utilized the CVE-2018-8453 vulnerability to elevate privileges in Windows, a tactic rare among ransomware. This Trojan employs legitimate processor functions to evade security solutions, further demonstrating its advanced capabilities. The Sodin configuration is intricate, containing various fields necessary for the Trojan's operation. These settings and data are stored in encrypted form within each Sodin sample's body. A key element of this configuration is the 'pk' field, which represents the 32-byte public key of the Trojan distributor and is saved under the name 'sub_key' in the registry. Another part of the Sodin configuration is responsible for network communication, while a hybrid scheme is used to encrypt victim files. Sodin has been linked to several high-profile attacks since its emergence and may be connected to GandCrab, a prominent threat actor from 2018. Its geographical spread and impact have been significant, with its tactics evolving to include double and triple extortion, akin to other rising ransomware operators such as DarkSide, Maze, Clop, NetWalker, and Conti. This evolution underscores the growing sophistication and audacity of these cyber threats.

Description last updated: 2024-05-05T06:33:00.065Z

What's your take? (Question 1 of 1)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Sodinokibi is a possible alias for Sodin. Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted	2
REvil is a possible alias for Sodin. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Sodin Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	2 years ago	Examples of Past and Current Attacks \| #ransomware \| #cybercrime \| National Cyber Security Consulting
MITRE	3 years ago	DarkSide Ransomware Gang: An Overview
MITRE	3 years ago	Sodin ransomware exploits Windows vulnerability and processor architecture
MITRE	3 years ago	A brief history and further technical analysis of Sodinokibi Ransomware