GandCrab cousin Sodinokibi made a fortune for ransomware pushers

by ethhack

Security researchers have tracked the bitcoin payments made by victims of the Sodinokibi ransomware and concluded that some of the criminals distributing it have earned millions of dollars from the scheme. Sodinokibi, also known as REvil, is a ransomware program that first appeared in April 2019, around the time another widely used ransomware operation, GandCrab, announced it was shutting down. While Sodinokibi is not necessarily a direct continuation of GandCrab, researchers have found code and other similarities between the two that point to a likely connection.

Like GandCrab, Sodinokibi uses the ransomware-as-a-service (RaaS) model, where its developers provide the program to other cybercriminals called affiliates and offer support in exchange for a cut of the ransom money paid by victims.

Researchers from McAfee have tracked down some posts on underground forums from a Sodinokibi distributor who claimed that he worked with GandCrab in the past. His posts contained bitcoin transaction IDs that indicated he earned the equivalent of $287,499 in bitcoin from ransom payments made in just 72 hours.

Starting from those transactions, the researchers followed the flow of funds on the blockchain and identified more bitcoin wallets belonging to other Sodinokibi affiliates, as well as a wallet likely used by the program's creators. The developers take a 30% or 40% cut of each payment. The affiliate's share passes through a bitcoin mixer, a service that pools and reshuffles coins from many users to obscure the link between incoming and outgoing transactions and make it harder for investigators to identify the final cash-out wallet.

Based on a blockchain analysis, McAfee estimates that Sodinokibi has around 41 active affiliates and that its creators receive between $700 and $1,500 from every ransom payment, considering that the ransom values vary between $2,500 and $5,000.
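The analysis described above follows a pattern that can be sketched in code: start from a few affiliate addresses taken from the forum posts, look at how those addresses spend the ransom they received, find the output that consistently carries a 30% to 40% share, and then treat every other address that sends a same-sized share to that destination as a previously unknown affiliate. The following is an added example written for this page; it is not McAfee's tooling and uses a constructed, hypothetical transaction set (the addresses `affA`, `collector`, `merchant` and so on are made up), with amounts in satoshis so the share test is exact integer arithmetic. Real traffic would be harder to read because the developers' cut goes through a mixer, so the "collector" found here would in practice be a mixer deposit address rather than the creators' own wallet.

```python
"""Toy chain-analysis of a RaaS payment graph.

Added example on constructed data; not McAfee's method and not real
Sodinokibi transactions. Amounts are satoshis (1 BTC = 100_000_000).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # ((address, sats), ...) spent by this transaction
    outputs: tuple  # ((address, sats), ...) created by this transaction

    def total_in(self) -> int:
        return sum(v for _, v in self.inputs)

    def input_addresses(self) -> set:
        return {a for a, _ in self.inputs}


# Constructed transactions with hypothetical addresses (not real ones).
TXS = [
    # ransom payments: victim -> affiliate-controlled address
    Tx("v1", (("victim01", 50_000_000),), (("affA", 50_000_000),)),
    Tx("v2", (("victim02", 30_000_000),), (("affB", 30_000_000),)),
    Tx("v3", (("victim03", 40_000_000),), (("affC", 40_000_000),)),
    # affiliates forwarding the developers' cut (30% or 40%), rest to own change
    Tx("s1", (("affA", 50_000_000),),
       (("collector", 15_000_000), ("affA_chg", 35_000_000))),
    Tx("s2", (("affB", 30_000_000),),
       (("collector", 12_000_000), ("affB_chg", 18_000_000))),
    Tx("s3", (("affC", 40_000_000),),
       (("collector", 12_000_000), ("affC_chg", 28_000_000))),
    # unrelated payment with a 35% output: must not be mistaken for a cut
    Tx("n1", (("shopper", 100_000_000),),
       (("merchant", 35_000_000), ("shopper_chg", 65_000_000))),
    # an affiliate spending at a marketplace: share is outside the cut band
    Tx("m1", (("affA_chg", 35_000_000),),
       (("market", 20_000_000), ("affA_chg2", 15_000_000))),
]


def cut_outputs(tx, low_pct=30, high_pct=40):
    """Outputs whose share of the spent value lies in [low_pct, high_pct] percent."""
    total = tx.total_in()
    return [(addr, sats) for addr, sats in tx.outputs
            if low_pct * total <= sats * 100 <= high_pct * total]


def find_collector(txs, seed_affiliates):
    """Phase 1: among spends by known affiliates, pick the address that
    receives an in-band share from the most distinct affiliates."""
    payers = defaultdict(set)
    for tx in txs:
        spenders = tx.input_addresses() & seed_affiliates
        if not spenders:
            continue
        for addr, _ in cut_outputs(tx):
            payers[addr] |= spenders
    if not payers:
        return None
    return max(payers, key=lambda a: len(payers[a]))


def expand_affiliates(txs, collector):
    """Phase 2: any address sending an in-band share to the collector is
    treated as an affiliate; also record the developers' take per payment."""
    affiliates, takes = set(), []
    for tx in txs:
        for addr, sats in cut_outputs(tx):
            if addr == collector:
                affiliates |= tx.input_addresses()
                takes.append(sats)
    return affiliates, takes


def analyse(txs, seed_affiliates):
    """Run both phases and summarise what the graph suggests."""
    collector = find_collector(txs, seed_affiliates)
    if collector is None:
        return None
    affiliates, takes = expand_affiliates(txs, collector)
    return {
        "collector": collector,
        "affiliates": affiliates,
        "affiliate_count": len(affiliates),
        "dev_take_min_sats": min(takes),
        "dev_take_max_sats": max(takes),
        "collector_total_sats": sum(takes),
    }


if __name__ == "__main__":
    # Seed with the one affiliate whose address the forum posts exposed.
    print(analyse(TXS, {"affA"}))
```

The result depends entirely on the seed: with `affA` as the starting point the shared 30% to 40% destination is `collector`, and scanning backwards from it surfaces `affB` and `affC` as further affiliates while ignoring the marketplace spend and the unrelated `merchant` payment. Seeding with an address that is not an affiliate (`shopper`) makes the same heuristic confidently name `merchant` as the collector, which is why analysts anchor this kind of tracing on transaction IDs the actors themselves published rather than on the split ratio alone.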

The researchers observed a large number of transactions from affiliates into a wallet that held 443 bitcoins, worth around $4.5 million at the time. Some affiliates were also seen spending part of their Sodinokibi proceeds on illegal goods and services at underground marketplaces such as Hydra Market.

Copyright © 2019 IDG Communications, Inc.