[MART] - Daily Diary #307 - Sodinokibi Goes Offline After Kaseya Attack

CTAS-MAT ctas-mat at appgate.com
Mon Jul 19 22:01:02 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

07/19/2021 - Diary entry #307

On our Daily Diaries #297 and #298, we covered Sodinokibi (a.k.a. REvil) supply-chain attack on Kaseya systems, where the group managed to infect a lot of customers of Kaseya On-premises VSA appliances. On their deep-website Sodinokibi was offering their decryptor for $45k USD for each victim (or $70 million USD for a universal decryptor). It seems that a few victims payed the individual decryptor, but since last week all deep web sites controlled by Sodinokibi went dark.

Reportedly the group went offline on July 13th, almost a week ago, and so far there is no sign of recovery. It's not uncommon for deep-web websites to go offline for a few days. Specially in cases where the gang gets a lot of attention quickly, they shutdown parts of its structure to change servers and make tracking harder. What is uncommon in Sodinokibi's case is all of its structure becoming offline at once, when they are still "profiting" from a major attack like Kaseya. Our team monitors REvil "Happy Blog", having lastly detected a new post on July 11th. Some companies that decided to pay the ransom are complaining about the lack of "support", as in some cases the bought decryptor only worked for a few files. This can happen if some of the files are encrypted with a different key.

We would like to take this opportunity to reinforce to companies to never pay the ransom. This incident shows that paying the ransom is no guarantee of having your files back. Besides, it gives the attackers resources to finance new attacks, and motivation to develop and implement new techniques in their malware, increasing the damage and number of victims.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210719/f0b9fbed/attachment.html>

More information about the MART mailing list