Sodinokibi

Threat Actor Profile Updated 17 days ago
Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and was responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi strain was the most frequently observed by IBM Security X-Force that year, capitalizing on blended ransomware and extortion attacks. Notably, at least 32% of Sodinokibi victims have had their data leaked by the ransomware's operators.

Sodinokibi has been delivered through various methods, including the fileless techniques used by GootLoader. It has been linked with other significant threats such as SunCrypt ransomware, Kronos trojans, and Cobalt Strike. Notable deployments include an attack on Alameda County, California, where it was used to encrypt data, exfiltrate victim information, and extort a ransom payment. Throughout 2021, authorities arrested several individuals connected to the REvil and GandCrab RaaS operations, which are believed to be run by the same group.

Sodinokibi's influence extends to connections with other major ransomware groups. In early 2023, it was reported that the leader of LockBit had connections to the leader of REvil (Sodinokibi) as well as to DarkSide, which hit Colonial Pipeline and later evolved into BlackMatter and Alphv, also known as BlackCat. The group has drawn significant attention from U.S. authorities due to high-profile attacks, including the 2021 hack of IT management service Kaseya and attacks on multiple Texas towns in 2019. Over the last two years, the State Department has offered rewards of up to $15 million for information leading to the location of members of the Sodinokibi (REvil), Conti, and DarkSide ransomware networks.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
ID | Votes | Profile Description
REvil | 10 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Maze | 3 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Sodin | 2 | Sodin, also known as Sodinokibi or REvil, is a sophisticated threat actor that emerged in the first half of 2019. This entity quickly drew attention due to its unique methods of distribution and attack. It exploited an Oracle Weblogic vulnerability to distribute itself and targeted Managed Service P
Gandcrab | 2 | GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
Carbanak Backdoor | 1 | The Carbanak Backdoor is a notorious malware, designed to exploit and damage computer systems. It is associated with the FIN7 threat group, also known as the "Carbanak Group", although not all usage of the Carbanak Backdoor can be directly linked to FIN7. This malicious software infiltrates systems
Miscellaneous Associations
Other elements of context that could aid in assessing relevance
Ransomware
Ransom
Encrypt
Exploit
Malware
Cybercrime
RaaS
Windows
Extortion
Apt
Vulnerability
Fraud
Bitcoin
Cobalt Strike
Spearphishing
WinRAR
Payload
T1189
Exploits
Encryption
Ibm
Hydra Market
Crowdstrike
Backdoor
Data Leak
T1193
T1195
Wordpress
T1076
T1486
flaw
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | Unspecified | 3 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Ryuk | Unspecified | 3 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Conti | Unspecified | 3 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Netwalker | Unspecified | 2 | NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne
Clop | Unspecified | 1 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Babuk | Unspecified | 1 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Gootloader | Unspecified | 1 | GootLoader is a potent malware that forms part of the GootKit malware family, which has been active since 2014. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Its primary targets are professionals working in law firms
Emotet | Unspecified | 1 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
WannaCry | Unspecified | 1 | WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
Carbanak | Unspecified | 1 | Carbanak is a sophisticated type of malware, short for malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Drovorub | Unspecified | 1 | None
Pysa | Unspecified | 1 | Pysa is a type of ransomware, a malicious software designed to exploit and damage computer systems by encrypting data and demanding ransom for its decryption. The Pysa ransomware group, known for its organizational hierarchy that includes senior executives, system admins, developers, recruiters, HR,
Vidar | Unspecified | 1 | Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Egregor | Unspecified | 1 | Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab
Hive | Unspecified | 1 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Nemty | Unspecified | 1 | Nemty is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It was developed by a cybercriminal group known as farnetwork, which has been active since 2019. Farnetwork has been involved in several ransomware projects, including JSWORM, Nefilim, Karma, an
Nefilim | Unspecified | 1 | Nefilim is a malware, specifically a ransomware, that has been responsible for significant cyber threats globally. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Between 2019 and 2021,
Doppelpaymer | Unspecified | 1 | DoppelPaymer is a form of malware, specifically ransomware, known for its high-profile attacks on large organizations and municipalities. Originally based on the BitPaymer ransomware, DoppelPaymer was reworked and renamed by the threat group GOLD HERON, after initially being operated by GOLD DRAKE.
Associated Threat Actors
ID | Type | Votes | Profile Description
DarkSide | Unspecified | 3 | DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d
Alphv | Unspecified | 2 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
GOLD SOUTHFIELD | Unspecified | 1 | Gold Southfield is a threat actor group known for its malicious cyber activities. Secureworks® Counter Threat Unit™ (CTU) researchers have found significant overlaps in the code structure of LV ransomware and REvil, a ransomware operated by Gold Southfield. This suggests that Gold Southfield may hav
8base | Unspecified | 1 | 8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o
Fox Kitten | Unspecified | 1 | Fox Kitten, an Iranian-backed threat actor group, has been identified as a significant cybersecurity risk by security researchers. The group's primary method of initial access is through VPN devices from Citrix, Fortinet, Palo Alto Networks, and Pulse Secure. Their sophisticated techniques have been
Blackmatter | Unspecified | 1 | BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention
ITG14 | Unspecified | 1 | ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. The Domino Backdoor not only shares signifi
FIN7 | Unspecified | 1 | FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2018-8453 | Unspecified | 1 | None
Pinchy Spider Gold Southfield | Unspecified | 1 | None
Source Document References
Information about the Sodinokibi threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 17 days ago | GootLoader is still active and efficient
Krebs on Security | 3 months ago | U.S. Charges Russian Man as Boss of LockBit Ransomware Group
CERT-EU | 9 months ago | Medical firm reaches $100,000 settlement with HHS over 2017 ransomware attack
BankInfoSecurity | 5 months ago | Who is LockBitSupp? Police Delay Promise to Reveal Identity
CERT-EU | a year ago | What Is Double Extortion Ransomware?
CERT-EU | a year ago | FBI Dismantles Hive Ransomware Network From the Inside, Thwarting Over $130m in Ransom Demands | National Cyber Security
MITRE | a year ago | Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm
BankInfoSecurity | 5 months ago | No Big Reveal: Cops Don't Unmask LockBit's LockBitSupp
BankInfoSecurity | 3 months ago | Breach Roundup: REvil Hacker Gets Nearly 14-Year Sentence
DARKReading | 3 months ago | Cisco Warns of Massive Surge in Password Spraying Attacks on VPNs
CERT-EU | 4 months ago | A brief look at hacker group takedowns | National Cyber Security Consulting
CERT-EU | 5 months ago | Russia Announces Arrest of Medibank Hacker Tied to REvil | National Cyber Security Consulting
BankInfoSecurity | 5 months ago | Post-LockBit, How Will the Ransomware Ecosystem Evolve?
Flashpoint | 5 months ago | COURT DOC: U.S. and U.K. Disrupt LockBit Ransomware Variant
BankInfoSecurity | 5 months ago | Russia Announces Arrest of Medibank Hacker Tied to REvil
CERT-EU | 5 months ago | U.S. And United Kingdom Disrupt Prolific 'Lockbit' Cybercrime Gang: DOJ | National Cyber Security Consulting
CERT-EU | 5 months ago | U.S. and U.K. Disrupt LockBit Ransomware Variant – Dailyfly | National Cyber Security Consulting
CERT-EU | 5 months ago | Two people arrested after takedown of Lockbit
Krebs on Security | 5 months ago | Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates
CERT-EU | 5 months ago | Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates – GIXtools