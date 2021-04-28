Threat actors that use ransomware take advantage of the strength of public-key cryptography to encrypt information in a way that is hard or impossible to break. The term “cryptoviral extortion” was coined in 1996 in an Institute of Electrical and Electronics Engineers (IEEE) paper. That paper also predicted that cryptoviral extortion would one day demand ‘e-money,’ long before Bitcoin even existed.

For the cryptographic basis of the attack, Sodinokibi uses a combination of elliptic curve Diffie-Hellman (ECDH), Salsa20, SHA-3 and Advanced Encryption Standard (AES) to encrypt and decrypt both malicious configuration data and user data (i.e., user files). It generates its private-public key pair using Curve25519, one of the fastest elliptic-curve cryptography (ECC) curves designed for use with the ECDH key agreement scheme.
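To make the ECDH step concrete, here is an added example (not code from the article or from the malware) of a Curve25519 key agreement per RFC 7748, followed by a SHA-3 key-derivation step. It shows the property that matters to a defender: the side doing the encrypting needs only the other party's public key, so an analyst who recovers the public keys embedded in a sample or file header still cannot reconstruct the symmetric key without the matching private key. The SHA-3 key derivation and the function names are assumptions for illustration, not a reconstruction of Sodinokibi's actual key schedule.

```python
import hashlib

P = 2**255 - 19        # field prime of Curve25519
A24 = 121665           # (A - 2) / 4 for the Montgomery constant A = 486662
BASEPOINT = (9).to_bytes(32, "little")  # u-coordinate of the generator

def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping: clear the low 3 bits and bit 255, set bit 254."""
    a = bytearray(k)
    a[0] &= 248
    a[31] &= 127
    a[31] |= 64
    return int.from_bytes(a, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 via the Montgomery ladder (RFC 7748 s.5)."""
    k_int = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the unused top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2   # conditional swap (constant-time in real code)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(priv: bytes) -> bytes:
    return x25519(priv, BASEPOINT)

def derive_file_key(own_priv: bytes, peer_pub: bytes) -> bytes:
    """ECDH shared secret hashed with SHA-3 into a 32-byte symmetric key (assumed KDF)."""
    return hashlib.sha3_256(x25519(own_priv, peer_pub)).digest()

def keys_agree(holder_priv: bytes, session_priv: bytes) -> bool:
    """Encrypting side uses only the key holder's PUBLIC key; decrypting side needs the PRIVATE key."""
    enc_side = derive_file_key(session_priv, public_key(holder_priv))
    dec_side = derive_file_key(holder_priv, public_key(session_priv))
    return enc_side == dec_side
```

Once the session private key is discarded, only `holder_priv` can re-derive the file key, which is why recovery efforts focus on obtaining the key holder's private key rather than on attacking the curve.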

Sodinokibi operators may steal data in advance and then resort to extortion tactics that go beyond what the malware itself can do. Those who refuse to pay, relying on their ability to recover data from backups, then receive threats that the stolen data will be exposed on an auction site the group calls The Happy Blog. That is also where the group names and shames its victims, offering up information that could be of use to other criminals or even competitors.

Additionally, in an interview given by an alleged REvil operator, known as Unknown, the person said he/she was considering launching distributed denial-of-service (DDoS) attacks on victim organizations as yet another way to increase the pressure on victims to pay the ransom.

In terms of prevalence in the wild, Sodinokibi made up 22% of all X-Force incident response engagements in 2020, suggesting that those operating this malware are more skilled at gaining access to victims’ networks than the operators of other ransomware strains. X-Force estimates that nearly 80% of the gang’s victims are organizations from the US (58%), UK (8%), Australia (5%) and Canada (3%).

The faces of Sodinokibi are many, as it is the sort of malware that is distributed by various affiliates. In 2020, this ransomware’s originators showed off their success by depositing USD 1 million in Bitcoin into a Russian-speaking cyber crime forum as part of a recruitment drive for more affiliates to join its ranks.