Sodin

Threat Actor updated a month ago (2024-11-29T13:34:05.256Z)
Download STIX
Preview STIX
Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. This entity quickly drew attention due to its unique methods of distribution and attack. It exploited an Oracle Weblogic vulnerability to distribute itself and targeted Managed Service Providers (MSPs). Additionally, it was discovered that Sodin utilized the CVE-2018-8453 vulnerability to elevate privileges in Windows, a tactic rare among ransomware. This Trojan employs legitimate processor functions to evade security solutions, further demonstrating its advanced capabilities. The Sodin configuration is intricate, containing various fields necessary for the Trojan's operation. These settings and data are stored in encrypted form within each Sodin sample's body. A key element of this configuration is the 'pk' field, which represents the 32-byte public key of the Trojan distributor and is saved under the name 'sub_key' in the registry. Another part of the Sodin configuration is responsible for network communication, while a hybrid scheme is used to encrypt victim files. Sodin has been linked to several high-profile attacks since its emergence and may be connected to GandCrab, a prominent threat actor from 2018. Its geographical spread and impact have been significant, with its tactics evolving to include double and triple extortion, akin to other rising ransomware operators such as DarkSide, Maze, Clop, NetWalker, and Conti. This evolution underscores the growing sophistication and audacity of these cyber threats.
Description last updated: 2024-05-05T06:33:00.065Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Sodinokibi is a possible alias for Sodin. Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted
2
REvil is a possible alias for Sodin. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Sodin Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more