What We Do
How we do it
Resources
SECURITY ADVISORIES
Sep 14, 2021
Update 2: Microsoft Zero-Day Vulnerability Announced - CVE-2021-40444
THE THREAT UPDATE 2: As of September 14th, Microsoft has released security patches to address CVE-2021-40444 for all impacted versions of Windows. eSentire has tested the update and confirmed its validity against public exploits. Organizations are strongly recommended to apply these security patches as soon as possible, as exploitation in the wild is ongoing. UPDATE: As of September 11th,…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Aug 25, 2021
eSentire named a Leader in IDC MarketScape for U.S. Managed Detection and Response Services
August 26, 2021 – Waterloo, ON -  eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), announced today that it has been named a Leader in the IDC MarketScape: U.S. Managed Detection and Response Services 2021 Vendor Assessment (doc #US48129921, August 2021). IDC defines the core services an MDR must provide as follows: reduced time for onboarding, 24/7…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Search
Resources
Security advisories — Jun 08, 2021

The Sodin/REvil Ransomware Group, Cited as Perpetrator of the JBS SA Cyberattack, Claims to Have Hit a Second Large Meat Producer in France

News broke on June 1 that the world’s largest meatpacker, JBS SA, was hit by a ransomware attack which disrupted meat production in the company’s North American and Australian facilities. Late on June 2, JBS was quoted as saying that most of their operations resumed on Wednesday, including all of their pork, poultry and prepared foods facilities around the world, in addition to the majority of their beef facilities in the U.S. and Australia. The FBI and several top news outlets are reporting that the Sodin/REvil ransomware group is the cybercriminal gang behind the ransomware attack. Interestingly, eSentire’s TRU team, who has been tracking the Sodin ransomware group since its inception, found that the Sodin gang claims to have hit another large meat manufacturer in France in the past two weeks.

“It is certainly plausible that the Sodin/REvil ransomware group launched the attack against meat packer and producer JBS, as well as another company in the same industry,” said Rob McLeod, Sr. Director of eSentire’s security research team, the Threat Resistance Unit (TRU). The TRU has been tracking the top ransomware groups for several years, and the Sodin/REvil gang ranks in the number one or number two spot, amongst all the ransomware gangs. The Sodin group is only rivaled by the Ryuk/Conti ransomware organization when it comes to high profile attacks, ransoms collected and news coverage. “The Sodin/REvil gang has all the technical capabilities, the infrastructure and the criminal network to pull off the attack against JBS, ” continued McLeod.

SODIN/REVIL RANSOMWARE ATTACK STATS

Sodin/REvil Number of Victims Listed New Since Jan. 1, 2021 –April 31, 2021 Recent Victim Profiles
161 52
  • Primarily manufacturers, as well as a few healthcare organizations, transportation/logistic companies, and construction firms

Sodin/REvil Claims New Manufacturing Victims and Boasts a Long History of Attacking Manufacturers

In tracking the activities of the Sodin/REvil ransomware group, eSentire found that the Sodin group reports to have compromised 161 victims since inception until April 31, 2021, and 52 in the first four months of 2021. These numbers do not include JBS or the other victims they have named on their blog/leak site Happy Blog since April 31. Many of the businesses the Sodin gang has been confirmed to have compromised and the businesses it claims to have compromised are manufacturers.

Some of the manufacturers that have publicly confirmed that they have suffered a ransomware attack by the Sodin group this year include Quanta Computer, Tata Steel, Acer, Pierre Fabre, Asteelflash and Evraz. Other manufacturers the Sodin group claims to have compromised this year on their blog/leak site, titled Happy Blog, include a Virginia-based manufacturer of comfort cushioning products, a Virginia-based manufacturer of motors, a Swiss manufacturer of hand tools, a California-based manufacturer of packaging for the beauty industry, e.g., makeup, perfume; a France-based manufacturer of paints and resins and a Hong Kong-based manufacturer of beauty products.

And the Sodin ransomware gang is, not surprisingly, targeting other types of lucrative organizations. In the past two weeks, the threat group reports that they have compromised new victims including: a large U.S.-based manufacturer of steel and aluminum for the auto industry, a court system in southeastern U.S. , a large chain of luxurious resorts in Mexico; a 70-year-old, established London-based accounting firm; one of the largest and oldest maritime logistics providers in Brazil; a U.S.-based luxury clothing line; a law firm based in Florida and one in California; and a large meat producer in France.

Costs of Ransomware Attacks to Businesses

While we don’t know if all these incidents reaped any ransom money for Sodin/REvil, we do know that ransomware operators are making plenty of money. Cybersecurity company Emisoft estimates that the true global cost of ransomware, including business interruption and ransom payments in 2020, was a minimum of $42bn and a maximum of nearly $170bn. A survey by Veritas Technologies found that 66 percent of victims admitted to paying part or all of the ransom.

"The ransomware attacks reported in the media are just the tip of the iceberg," continued McLeod. "The deep dive report our TRU Team did in May has exposed a veritable hornet's nest of attacks perpetrated by not just Sodin/REvil but other top ransomware gangs.”

With so many ransomware incidents being reported by the press and by the hackers themselves on their personal blog/leak sites, it’s tempting to think you’re fully aware of just how pervasive this threat has become. The reality is that the victim organizations we hear about publicly are a mere drop in the bucket compared to the actual incidents. One ransomware incident, which occurred in April 2021 but was never made public, involved a small private U.S. company. The threat actors demanded $12 million, and the company paid it, according to a high-ranking employee of the organization who asked not to be named.

Added McLeod: "Underestimating your risk of falling prey to ransomware is a dangerous game for companies. Increasingly, threat actors are widening their scope and have put manufacturers, transportation and logistics companies, and construction firms in their crosshairs. With so much at stake from both a financial and reputational standpoint, companies can't afford not to secure their networks, as we have seen with Meatpacker JBS, Quanta Computer, Acer and Tata Steel.”

Sodin, like the Darkside ransomware group (the ransomware gang behind the Colonial Pipeline incident), also utilizes an affiliate model. The Sodin threat actors are known to selectively recruit other cybercriminal groups to work with them, and these are known as affiliates. The affiliates recruited often run large botnets (networks of compromised business computers, which are totally under the threat actors’ control). The affiliates will infect their bots with the Sodin ransomware, and whichever victim companies and/or organizations pays the ransom then the Sodin leaders will take a percentage of the ransom monies collected.

Compromised Manufacturers.
Publicly announced in 2021 and late 2020.
Ransomware Group Month of Disclosure Ransom Amount Requested

Quanta Computer — Taiwan-based manufacturer of next-generation MacBook and other computer hardware. Threat actors claimed to have leaked purported schematics of Apple hardware.

Sodin/REvil

April 2021

$50 million demanded from Quanta, then Apple

Tata Steel — India-based steel maker.

Sodin/REvil

April 2021

$4 million

Acer — Taiwan-based. One of the industry’s largest computer manufacturers.

Sodin/REvil

March 2021

$50 million

Pierre Faber — France-based. Large pharmaceutical and dermocosmetics company.

Sodin/REvil

April 2021

$25 million, originally. Increased to $50 million after the victim didn’t respond to extortion

Asteelflash — French electronics manufacturer.

Sodin/REvil

March 2021

$12 million, originally. Increased to $24 million after victim didn’t respond to extortion

EVRAZ — One of the world's largest steel manufacturers and mining operations.

Sodin/REvil

Feb. 2021

A Partial List of Compromised Manufacturers. These companies are just a few of the victims named on Sodin/REvil blog/leak site, Happy Blog. Please note: eSentire does not name victims unless already made public.

Ransomware Group

Disclosed during 2021

Virginia, U.S. — Manufacturer of comfort cushioning products.

Switzerland — Manufacturer of hand tools.

California, U.S. — Manufacturer of packaging for beauty industry, e.g., makeup, perfume.

France — Manufacturer of paints and resins.

Virginia, U.S. — Manufacturer of motors.

Hong Kong/China — Manufacturer of beauty products.

Sodin/REvil

Sodin Group Behind Two of the Biggest Attacks Against Manufacturers in 2021

Two of this year’s most notable ransomware attacks against manufacturers involved the Sodin threat group. In March, the group hit computer and electronics manufacturer Acer and demanded a $50 million ransom. Quanta Computer, which manufactures the Notebook computer, was another victim. The Sodin gang demanded $50 million from Quanta. The company refused to negotiate, and the Sodin criminals reportedly turned to Apple for the ransom. The Sodin hackers posted on their blog “Happy Blog,” a warning stating that if they did not get paid, they would publish what they claimed were technical details for current and future Apple hardware. The website 9to5Mac.com published several images of blueprints, which the Sodin threat actors claim is from Quanta. See images 1-3.

Image 1: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.

Image 2: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.


Image 3: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.

The Sodin gang threatened to publish new data from Quanta every day leading up to May unless Apple agreed to pay the $50 million ransom in exchange for deleting the files. As of May 10, no additional documents appearing to be related to the Apple products had been leaked on Sodin’s website. Interestingly, all images relating to the Quanta incident have been removed from Sodin’s website, as well as any mention of the Quanta breach.

One writer was quoted as saying: “Historically, Sodin isn't known for bluffing and routinely posts stolen documents if its victims don't pay up, so it's unclear why the group has failed to follow through on this occasion, and Apple has not commented on the breach thus far.”

For more information about this threat and how to protect against it go to https://www.esentire.com/get-started