Since January 2020, the Arete IR practice has responded to forty-one (41) Sodinokibi engagements. The industry has seen two big changes with Sodinokibi/REvil: their shift to exfiltrating data as of January 2020, and, more recently, their move to accepting payment only in Monero cryptocurrency (XMR). Our IR practice recently responded to a Sodinokibi/REvil engagement in which we dug into the ransomware itself, and this article documents the ransomware behavior observed during that engagement. Our intention is to summarize high-level information on Sodinokibi/REvil for general awareness and to provide a technical overview with behavioral indicators back to the community, so that network defenders can become more familiar with this threat.
The information listed below is based on forty-one (41) Sodinokibi cases since January 2020. Our IR and Data Analytics practices work hand-in-hand to track key data points for every ransomware engagement. The IR practice tracks data points on the ransomware variant and collects statistics from the engagements it has handled: