Sodinokibi

Threat Actor updated 15 days ago (2024-11-08T12:44:29.320Z)
Download STIX
Preview STIX
Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted for one in three ransomware incidents that IBM Security X-Force responded to, making it the most frequently observed strain by the organization that year. The group's operations have been characterized by blended ransomware and extortion attacks, with data leakage occurring in at least 32% of Sodinokibi's ransomware victims. The group has been linked to other notorious ransomware gangs such as LockBit and DarkSide, the latter being responsible for the high-profile Colonial Pipeline attack. These connections suggest a network of collaboration among some of the most destructive cybercrime entities. Despite being targeted by Russia under U.S. pressure, Sodinokibi continued its operations, often utilizing sophisticated delivery methods such as fileless techniques employed by GootLoader to deliver its ransomware, along with other threats like SunCrypt ransomware, Kronos trojans, and Cobalt Strike. Throughout 2021, efforts to disrupt Sodinokibi's operations led to multiple arrests associated with the group by Europol and South Korean authorities. Notably, an individual named Kondratyev was charged with using the Sodinokibi ransomware variant for data encryption, victim information exfiltration, and ransom extortion from a corporate victim based in Alameda County, California. Furthermore, the U.S. State Department offered rewards up to $15 million for information leading to the identification of members of the Sodinokibi network, reflecting the high level of threat posed by this group.
Description last updated: 2024-11-01T03:01:45.679Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
REvil is a possible alias for Sodinokibi. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th
10
Maze is a possible alias for Sodinokibi. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release
3
Gandcrab is a possible alias for Sodinokibi. GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
2
Sodin is a possible alias for Sodinokibi. Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. This entity quickly drew attention due to its unique methods of distribution and attack. It exploited an Oracle Weblogic vulnerability to distribute itself and targeted Managed Service P
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Encrypt
Exploit
RaaS
Malware
Cybercrime
Windows
Apt
Vulnerability
Extortion
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Conti Malware is associated with Sodinokibi. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several raUnspecified
3
The Ryuk Malware is associated with Sodinokibi. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
3
The Lockbit Malware is associated with Sodinokibi. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit Unspecified
3
The Netwalker Malware is associated with Sodinokibi. NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that NeUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The DarkSide Threat Actor is associated with Sodinokibi. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply acrossUnspecified
3
The Alphv Threat Actor is associated with Sodinokibi. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB Unspecified
2
Source Document References
Information about the Sodinokibi Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
BankInfoSecurity
22 days ago
Securityaffairs
5 months ago
Krebs on Security
7 months ago
CERT-EU
a year ago
BankInfoSecurity
9 months ago
CERT-EU
a year ago
CERT-EU
2 years ago
MITRE
2 years ago
BankInfoSecurity
9 months ago
BankInfoSecurity
7 months ago
DARKReading
7 months ago
CERT-EU
8 months ago
CERT-EU
9 months ago
BankInfoSecurity
9 months ago
Flashpoint
9 months ago
BankInfoSecurity
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
Krebs on Security
9 months ago