Sodinokibi

Threat Actor updated 4 months ago (2024-07-07T00:17:37.303Z)
Download STIX
Preview STIX
Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware strain was the most frequently observed by IBM Security X-Force in that year, capitalizing on blended ransomware and extortion attacks. Notably, at least 32% of Sodinokibi ransomware victims have had their data leaked by those operating this ransomware. The Sodinokibi ransomware has been delivered through various methods, including fileless techniques used by GootLoader. It has been linked with other significant threats such as SunCrypt ransomware, Kronos trojans, and Cobalt Strike. Notable instances of its deployment include an attack on Alameda County, California, where it was used to encrypt data, exfiltrate victim information, and extort a ransom payment. Throughout 2021, authorities arrested several individuals connected to the REvil and GandCrab RaaS operations, believed to be operated by the same group. Sodinokibi's influence extends to connections with other major ransomware groups. In early 2023, it was reported that the leader of LockBit had connections to the leader of REvil - Sodinokibi - as well as DarkSide, which hit Colonial Pipeline and later evolved into BlackMatter and Alphv, aka BlackCat. The group has drawn significant attention from U.S. authorities due to high-profile attacks, including a 2021 hack of IT management service Kaseya and multiple Texas towns in 2019. Over the last two years, the State Department has offered rewards up to $15 million for information leading to the location of members of the Sodinokibi (REvil), Conti, and DarkSide ransomware networks.
Description last updated: 2024-07-07T00:15:35.517Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
REvil is a possible alias for Sodinokibi. REvil is a notorious malware, specifically a type of ransomware, that gained prominence in the cybercrime world as part of the Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, establishing relationships between first-stage malwares and subsequent ransomware attac
10
Maze is a possible alias for Sodinokibi. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release
3
Gandcrab is a possible alias for Sodinokibi. GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
2
Sodin is a possible alias for Sodinokibi. Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. This entity quickly drew attention due to its unique methods of distribution and attack. It exploited an Oracle Weblogic vulnerability to distribute itself and targeted Managed Service P
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Encrypt
Exploit
RaaS
Malware
Cybercrime
Windows
Apt
Vulnerability
Extortion
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Conti Malware is associated with Sodinokibi. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware opUnspecified
3
The Ryuk Malware is associated with Sodinokibi. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
3
The Lockbit Malware is associated with Sodinokibi. LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It typically enters through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage forUnspecified
3
The Netwalker Malware is associated with Sodinokibi. NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that NeUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The DarkSide Threat Actor is associated with Sodinokibi. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply acrossUnspecified
3
The Alphv Threat Actor is associated with Sodinokibi. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its laUnspecified
2
Source Document References
Information about the Sodinokibi Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
4 months ago
Krebs on Security
6 months ago
CERT-EU
a year ago
BankInfoSecurity
8 months ago
CERT-EU
a year ago
CERT-EU
2 years ago
MITRE
2 years ago
BankInfoSecurity
8 months ago
BankInfoSecurity
6 months ago
DARKReading
6 months ago
CERT-EU
8 months ago
CERT-EU
8 months ago
BankInfoSecurity
8 months ago
Flashpoint
8 months ago
BankInfoSecurity
8 months ago
CERT-EU
8 months ago
CERT-EU
8 months ago
CERT-EU
8 months ago
Krebs on Security
8 months ago
CERT-EU
8 months ago