Sodinokibi – when data is encrypted and published

Sodinokibi attacks often start with a phishing email.
Backdoor programs and ransomware such as Emotet and Ryuk, which in 2019 took the Justus Liebig University, among others, offline, do steal data from time to time. Their focus, however, is on encryption and extorting a ransom from companies. Sodinokibi ("REvil"), by contrast, steals sensitive data with every infection - and uses it to increase the pressure.

Since the middle of 2019, an encryption trojan with the unwieldy name "Sodinokibi" has been making trouble on the World Wide Web. It usually hides in a phishing e-mail containing a supposed job application. Fake e-mails purporting to come from the Federal Office for Information Security can also smuggle the ransomware into company networks through attached zip archives. In this way, data is not only encrypted, but company secrets are also searched for. Cybercriminals frequently use this confidential information as leverage against the company if it does not comply with the ransom demand to decrypt the data. The threat usually takes the form of so-called 'public shaming', i.e. the public denunciation of the affected company, whereby the blackmailers announce that the stolen data will be published in a blog or on a specially set up website, or even sold on the Darknet. This has recently happened, for example, to the Technische Werke Ludwigshafen and the law firm Grubman Shire Meiselas & Sacks.

Since many companies do not want to make such an attack public for fear of reputational damage, this threat works quite well and puts a lot of money into the attackers' bank accounts. GandCrab, the alleged predecessor of Sodinokibi, has probably earned its developers 150 million US dollars. A nice sum to retire on - and an incentive for the next group of cybercriminals.

How to deal with an encryption attack?

Since spying on data and the subsequent threat to publish it is a logical further development of pure encryption, and since a lot of money can certainly still be "earned" with it, this kind of blackmail will continue to spread. A company's communication policy can vary depending on the data that has been leaked and must be decided individually by the company itself. For example, the Sauerland-based automotive supplier GEDIA refused to pay a ransom following a Sodinokibi attack in early 2020, despite the blackmailers' announcement that they would publish plans and data of employees and customers. In this way, the immediate material damage was 'limited' to the cost of cleaning up the systems, days of production downtime and reporting to the authorities. However, the new method of 'public shaming' also increases the long-term financial losses a cyber attack can cause. This development is therefore an occasion to reassess the risk of cyber attacks - especially those caused by ransomware.

Awareness measures and co. for prevention

In order to avoid these costs and losses, all that remains is to invest in prevention. This is no longer just about backups, but about real protection: technical (e.g. through network segmentation and sandboxing systems), organizational (the need-to-know principle) and human (such as through security awareness campaigns and the establishment of a security culture in the company). For example, if an employee has learned through targeted training with phishing simulations what to look out for and consequently recognizes a phishing e-mail, the malware has no chance of establishing itself and spreading in the corporate network. It is therefore worthwhile to make employees aware of their own responsibility for information security through training and seminars.