Sodin

Threat Actor Profile, updated 2 months ago
Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. It quickly drew attention for its distribution and attack methods: it exploited an Oracle WebLogic vulnerability to spread and targeted Managed Service Providers (MSPs). Sodin was also found to use the CVE-2018-8453 vulnerability to elevate privileges on Windows, a tactic rare among ransomware. The Trojan employs legitimate processor functions to evade security solutions, further demonstrating its advanced capabilities. The Sodin configuration is intricate, containing the various fields the Trojan needs to operate. These settings and data are stored in encrypted form within the body of each Sodin sample. A key element of this configuration is the 'pk' field, the 32-byte public key of the Trojan distributor, which is saved in the registry under the name 'sub_key'. Another part of the configuration governs network communication, and a hybrid scheme is used to encrypt victim files. Sodin has been linked to several high-profile attacks since its emergence and may be connected to GandCrab, a prominent threat actor from 2018. Its geographical spread and impact have been significant, and its tactics have evolved to include double and triple extortion, like those of other rising ransomware operators such as DarkSide, Maze, Clop, NetWalker, and Conti. This evolution underscores the growing sophistication and audacity of these cyber threats.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Sodinokibi | 2 | Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st
REvil | 2 | REvil, also known as Sodinokibi, is a type of malware that gained notoriety through its use in ransomware attacks. As the Ransomware as a Service (RaaS) model grew in popularity during 2020, relationships between first-stage malware and subsequent ransomware attacks were established. One such connec
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Windows
Encrypt
Exploits
Vulnerability
Extortion
Trojan
Associated Malware
ID | Type | Votes | Profile Description
Maze | Unspecified | 1 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Clop can steal personal information, disrupt operations, or h
NetWalker | Unspecified | 1 | NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, which was designed to infiltrate systems, disrupt operations, and potentially hold data hostage for ransom. The malware has been used by various threat actors, including ITG23, who have utilized it alongside other malicious software such as Trickb
Associated Threat Actors
ID | Type | Votes | Profile Description
DarkSide | Unspecified | 1 | DarkSide is a notorious threat actor known for its malicious activities involving ransomware attacks. The group gained significant notoriety in 2021 when it attacked the largest oil pipeline in the United States, leading to a temporary halt of all operations for three days. This incident, along with
GandCrab | Unspecified | 1 | GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Of Russian origin and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2018-8453 | Unspecified | 1 | None
Source Document References
Information about the Sodin threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created at): Title
CERT-EU (6 months ago): Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE (a year ago): DarkSide Ransomware Gang: An Overview
MITRE (a year ago): Sodin ransomware exploits Windows vulnerability and processor architecture
MITRE (a year ago): A brief history and further technical analysis of Sodinokibi Ransomware