Sodinokibi aka REvil was a million dollar fortune for ransomware creators

Sodinokibi proved to be a million-dollar profit for its distributors. It shares code and other similarities with the GandCrab ransomware program.

McAfee security researchers have traced the bitcoin payments made by victims of the Sodinokibi ransomware program. From these, they infer that the criminals propagating the threat earned millions of dollars from the scheme. Also known as REvil, Sodinokibi appeared shortly after the widely distributed GandCrab ransomware and shares similarities with it, hinting at a possible connection.

The researchers tracked down a few posts on underground forums from a threat actor that contained the IDs of bitcoin transactions. These indicated that he had earned $287,499 in bitcoin from ransom payments in just 72 hours. Like GandCrab, Sodinokibi also uses the ransomware-as-a-service (RaaS) model, where the developers distribute the program to other criminals, called affiliates. In exchange, a part of the ransom money obtained from the victims is handed to the developers. McAfee estimates that Sodinokibi has around 41 active affiliates who receive between $700 and $1,500 per payment. In all, the developers take a 30%-40% cut from each transaction.

A large number of transactions have been observed from an actor's wallet to another wallet that held 443 bitcoins, or around $4.5 million in fiat currency. It has also surfaced that Sodinokibi's team spent the cryptocurrency to purchase illegal goods and services on underground markets.

According to an advertisement posted on a cybercrime forum, Sodinokibi's producers forbid affiliates from distributing the ransomware in countries that are part of the Commonwealth of Independent States (CIS). The program also disables itself on computers that use the languages of those countries, including Syrian. The exclusion of Syrian is notable, as GandCrab did the same.