
Bitcoin ransomware Sodinokibi costing millions to victims, claims research

eng.ambcrypto.com, 14 October 2019 14:10 UTC

Sodinokibi ransomware, a new form of crypto-jacking malware discovered back in April, has by some estimates cost its victims millions. Researchers believe that Sodinokibi might be connected to the GandCrab ransomware: it shares code similarities with it and was discovered right after GandCrab was shut down. Both families use ransomware-as-a-service (RaaS), in which the program's developer distributes it to cybercriminals and takes a cut of their proceeds, reported COS.

In its research, McAfee Labs tracked down underground distributors of the Sodinokibi malware and, interestingly, the developer claimed to have worked on GandCrab previously. The researchers were also able to track down several affected Bitcoin IDs and found that the attackers managed a heist worth $287,499 in just 72 hours.

The malware carries an encrypted JSON-format configuration that lets its operators specify which folders and file extensions to target. Interestingly, the developers have restricted use of the ransomware in the Commonwealth of Independent States (CIS): it includes a routine that detects the native languages of those countries and automatically disables itself.

The research report noted,

“Overall, looking at the structure and coincidences, either the developers of the GandCrab code used it as a base for creating a new family or, another hypothesis is that people got hold of the leaked GandCrab source code and started the new RaaS Sodinokibi.”

How does the distribution of ransom work between the developer and the distributor?

Researchers found that once the scammer received a ransom payment, it was passed through coin-mixing services to obscure the origin of the funds. After that, a 30%-40% cut is given to the developers. The researchers also discovered that Sodinokibi's creators have around 41 affiliates and that each ransom payment ranged from $2,500 to $5,000, of which the developers receive a cut of around $700 to $1,500.

One wallet in particular caught the researchers' eye: an affiliate wallet holding 443 Bitcoin, worth $4.5 million. It was found that affiliates were using ransom money to buy illegal goods from the dark web and underground marketplaces.

Ransomware attacks are becoming more sophisticated with each passing year

Ransomware attacks have been getting more sophisticated with each passing year, and the malware used is getting harder to detect. A McAfee Labs report published earlier this year highlighted the emerging family of new ransomware and also noted that attacks in 2019 through August had increased by 118%.

The researchers added that although it is understandable that certain organizations had to pay a ransom to get their data back, doing so encourages other players and keeps them funded to create more sophisticated software. They noted,

“We do understand that there are situations in which [company] executives decide to pay the ransom but, by doing that, we keep this business model alive and also fund other criminal market.”
