Sodinokibi announces new data leak blog

The Sodinokibi (REvil) ransomware operators have launched a blog on which they plan to leak data stolen from victims who do not pay ransom demands. Affiliates are being asked to steal victim data and upload it to the site, with the exception of data that is attractive to buyers, such as Social Security Numbers (SSNs).

In his post on a Russian Darknet forum, REvil representative @UNKN also suggests other methods the operators may use in the future to pressure victims into paying a ransom. One suggestion the group appears to be considering is emailing stock exchanges to inform them that a particular company has been attacked, which could affect the value of the victim company’s stock. NASDAQ is mentioned by name.

Analyst comment: The Sodinokibi site is still in its infancy. It currently hosts only a small data file (10.5MB) supposedly containing information from Dutch software company SoftwareONE. On review, the leaked data includes scans of various insurance contracts, such as life and accident insurance, along with customer names, SSNs, dates of birth, residential addresses, annual salaries, and more. One of the documents even contains a paper copy of a Tennessee driver’s license.

Most of the leaked documents appear to pertain to the Colonial Life & Accident Insurance Company, with a couple belonging to Fidelity Security Life Insurance Company and Pierce Group Benefits LLC. The documents are dated between November 2013 and September 2019. It is currently unclear what the relationship is between SoftwareONE and the leaked documents or Colonial Life. REvil has leaked data from Artech and the GEDIA Automotive Group in the past, so this is likely a legitimate leak, but more research is needed.

@UNKN also advertised, in the same post, that three affiliate program positions are open at present. This shows that Sodinokibi is serious not only about expanding its team of affiliates but also about making attacks more damaging for companies. The obvious consequence of these types of leaks is the opportunity for identity theft and fraud. An attacker with access to SSNs, payroll and employment information, and other PII can easily impersonate a victim and steal their identity, commit credit fraud, or carry out other types of malicious activity.

What is even more pressing, however, is that these ransomware attacks could have a broader impact on law enforcement and criminal proceedings. For example, in February US prosecutors were forced to drop 11 narcotics charges against suspected drug dealers after case files were lost in ransomware attacks. The Stuart police department was hit with ransomware in April 2019, making this the seventh criminal investigation impacted by ransomware in the US since January 2017:

  • January 2017 – Police in Cockrell Hill lost eight years’ worth of evidence following an infection with the Osiris ransomware.
  • May 2018 – Police in Riverside lost ten months’ worth of case files after a ransomware infection.
  • June 2018 – The City of Atlanta’s police department lost almost two years of police car dash-cam video evidence after a ransomware attack in March 2018.
  • July 2019 – Police in Lawrenceville lost an unknown quantity of case files and bodycam footage following a ransomware incident.
  • July 2019 – A ransomware infection impacted police car laptops for the Georgia State Patrol, Capitol Police, and the Motor Carrier Compliance Division. They remained offline and unable to record new video evidence for over a month.
  • December 2019 – The St. Lucie County Sheriff’s Office lost a week’s worth of emails and evidence following a ransomware attack.

These attacks clearly show the real-life impact that such incidents can have on vital services. The effect extends to society as a whole, since losing crucial cases could allow criminals to go free. (source)
