Sodinokibi, also known as REvil (short for Ransomware Evil), is a ransomware threat group gaining more and more notoriety. Like several other ransomware families, REvil operates as what is called Ransomware-as-a-Service (RaaS). In a Ransomware-as-a-Service model, one group maintains the code while another group, known as affiliates, spreads the ransomware. This model allows affiliates to distribute REvil in various ways, such as phishing campaigns, or by uploading tools and scripts that let them execute the ransomware inside a victim's internal network.
Sodinokibi attacks organizations by infecting them with a file-blocking virus, which encrypts files after infection and drops a ransom note. In the note, Sodinokibi explains that the victim needs to pay a ransom in bitcoin or else the files will be leaked.
The group recently made headlines when it targeted Acer, a Taiwanese electronics company. On March 19th 2021, Acer was the subject of a hacker attack. The attackers, the REvil group, demanded the biggest known ransom to date in the history of cyber-attacks: $50 million. The hackers gave Acer until the 28th of March to pay the ransom, or all the stolen data would be released to the public. As of March 20th, Acer had not acknowledged that it was the victim of a security breach.
The malware first surfaced in 2019, when a serious flaw was discovered in Oracle's WebLogic server: a remote code execution bug that could be exploited over the network without authentication. This was an unusual approach on the part of the hackers, as it directly exploited a vulnerability in the server itself, whereas, as researchers note, such attacks are typically carried out with the involvement of user interaction, e.g., opening an email attachment or clicking on a malicious link.
Sodinokibi has subsequently targeted organizations such as the celebrity law firm Grubman Shire Meiselas & Sacks, the foreign currency exchange giant Travelex, Brown Forman Corp. (the owner of the Ritz Hotel in London) and, most recently, Acer.
REvil is gaining momentum and notoriety, which is evident in the group's decision to target the tech giant Acer. This cyber security breach is worth following, as the repercussions for Acer may be substantial. This unfortunate event for Acer should also serve as a reminder to all internet users that cyber security attacks keep getting more refined and complex, and that substantial security measures should always be kept in place.