The operators of the Sodinokibi Ransomware (REvil) have started urging affiliates to copy their victim’s data before encrypting computers so it can be used as leverage on a new data leak site that is being launched soon.
The Sodinokibi Ransomware ransomware operation is a Ransomware-as-a-Service where the operators manage the payment portal and development of the ransomware and third-party ‘affiliates’ distribute the ransomware.
The operators and affiliates then share the ransomware payment made by victims.
Most likely spurred on by the release of DoppelPaymer’s data leak web site this week, the public-facing representative of Sodinokibi, Unknown, outlined their plans for the further extortion of victims on a Russian malware and hacker forum.
According to the post shared with BleepingComputer by Damian, the ransomware operators have finished a ‘blog’ that will be used to distribute unpaid victim’s stolen data, with some data like Social Security numbers being held back to be sold on dark markets for a ‘fairly high rate of return’.
Unknown states that the companies who are encrypted by REvil have “serious problems with data privacy” and should move to negotiations quickly.
Further laying their plans out in the open, Unknown speculates on other ways that they can further pressure victims to pay a ransom.
One idea they are thinking about is to auto-email stock exchanges, such as NASDAQ, to let them know about the company’s attack and hurt the value of their stock.
The full posted translated from Russian can be read below:
For all previously published orders, we found artists. The tasks set are difficult, but solvable. We hope to add all the functionality as soon as possible, as it will be ready. We also finished work on a blog in which data from compromised systems will be published. We urged all adverts to copy information as often as possible, so we are convinced that this will be a very effective use of this blog. Not all blog information is available for viewing - some information is previously available to services for the sale of SS and other information, which will allow you to get a fairly high rate of return on this information. Now we can say with confidence - all the companies that have our product have serious problems with data privacy. We strongly recommend that these companies move to negotiations fairly quickly, as we plan to expand and improve this blog. Have some interesting thoughts about auto -notification email addresses of stock exchanges (for example, NASDAQ ), which will allow you to influence the financial condition of the company quickly and efficiently. Now all data will be published on this blog. xxx There are 3 places in the affiliate program. Interested in networking . Soon, probably, we will leave all sites and stop recruiting. Hurry up.
As part of this post, they also linked to a 10MB stolen data dump of one of their victims that they claim contains financial and tax information. They go on to state that they will add more to this data dump if the victim does not pay.
BleepingComputer will not be naming the victim until we confirm the validity of the alleged attack.
Ransomware attacks are data breaches!
This feels like a daily statement from BleepingComputer, but all ransomware attacks are now data breaches and must be treated as such.
The files that were stolen by ransomware operators not only contain company data but also the personal information of its employees.
By not disclosing these attacks and what has been stolen, company’s put their employees at risk of identity theft, fraud, and other malicious attacks.
This could lead to fines by government agencies and lawsuits from employees whose data has been compromised.
Be smart and transparent about ransomware attacks. It is better in the long run.