[MART] - Daily Diary #343- Sodinokibi Reappears After Two Months Offline

CTAS-MAT ctas-mat at appgate.com
Wed Sep 8 21:54:50 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

09/08/2021 - Diary entry #343

In our Daily Diary #307, we covered the mysterious disappearance of the ransomware gang REvil (a.k.a. Sodinokibi). A few weeks after the major attack on Kaseya (covered in our Daily Diaries #307, #298 and #297), in which they claimed to have infected millions of computers, their whole operation went offline. At the time, not only REvil's "Happy Blog" (their wall of shame, where they publish data stolen from companies that refuse to pay the ransom) but also their C&C servers simply stopped responding. In our Daily Diary #310 we covered that Kaseya received the universal decryptor for Sodinokibi from a third party; Sodinokibi had first advertised that decryptor on their site for 70 million dollars in Bitcoin.

This week Sodinokibi's servers went back online, as mysteriously as they went offline. Our team confirmed that REvil's "Happy Blog" is back online and showing leaked data from their older attacks. The most recent target listed on the website is ensingerplastics.com, first noticed by our team's Ransom Tracker on August 11th. The post about the Kaseya attack is also still available, with no mention of the universal decryptor purchase and no new information.

Some researchers say the gang probably went offline for a cooling-off period. Even before the Kaseya attack we covered many other major companies being attacked by REvil, so it makes sense for them to go dark for a while considering the ongoing investigations and the recent international efforts to fight ransomware. It's safe to say it was one of the more dangerous active ransomware families. In the past months other ransomware families have been getting a lot of attention, such as LockBit, covered in our Daily Diaries #339, #338, #325, #319 and #315, which recently breached Accenture, so it seems a good time for Sodinokibi to come back from the shadows.

Kind Regards,



Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
