The Sodin ransomware threat group is currently reporting that it has infected nine new organizations with its ransomware, Sodin (a.k.a. REvil and Sodinokibi), said global cybersecurity services provider eSentire. The organizations the Sodin gang claims to have compromised are two law firms, an insurance company, an architectural firm, a construction company, and an agricultural co-op, all located in the U.S., as well as two large international banks (one in Mexico and one in Africa) and a European manufacturer. As evidence, the Sodin hackers have posted documents on the Dark Web purporting to be from the victims, including company computer file directories, partial customer lists, customer quotes, copies of contracts, and even what appear to be several official IDs, belonging either to an employee or to a customer of the victim company.

In reviewing several of the documents that the Sodin gang claims are from its new victims, many of them appear to be authentic. See Images 1 and 2. Most of the documents that include a timestamp are recently dated, and the documents, overall, appear to pertain to the business of each respective victim. However, a few documents relating to the bank in Africa and to the insurance firm carry older dates, which raises the question of whether these two organizations are truly victims of the Sodin gang or whether the threat actors have somehow gained access to old files belonging to them. What we do know is that the Sodin ransomware gang is highly capable and resourceful, and it has successfully compromised numerous entities, large and small.

Image 1: A screenshot of some computer folders purported to belong to the Mexican bank and stolen by the Sodin gang.
“These new ransomware incidents, which the Sodin gang is claiming, could certainly be plausible,” said Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire. “These attacks come directly on the heels of an extensive and well-planned Drive-By-Download Campaign which was launched in late December. This malicious campaign’s sole purpose is to infect business professionals’ computer systems with the Sodin ransomware, the Gootkit banking trojan or the Cobalt Strike intrusion tool.”
eSentire’s security research team, the Threat Response Unit (TRU), discovered in early January that the threat group behind the malware downloader Gootloader had compromised dozens of legitimate websites across the globe. Their goal was to lure English-, German- and Korean-speaking business professionals to these sites, where victims believed they could obtain a copy of various sample business agreements. When the business professionals went to retrieve the agreement, they unknowingly downloaded Gootloader. Once Gootloader was on the victim’s computer, all it had to do was fetch the malicious payload, which could be the Sodin ransomware, the Gootkit banking trojan or Cobalt Strike.

“The Gootloader campaign was designed to seed the Sodin ransomware, as well as the Gootkit banking trojan and the Cobalt Strike intrusion tool,” said McLeod. “We know this campaign has had some success because not only have we seen reports from other security groups, but we have also discovered multiple incidents where business professionals have been duped and have downloaded Gootloader onto their work computers. Luckily, we were able to disrupt the activity in midstream, preventing numerous related malware infections within the employee organizations, two of which were law firms and one which was a professional consulting firm.”
If the Sodin gang’s claim that it has recently compromised a bank in Mexico is true, then it will be the second large bank in Mexico to fall victim to the Sodin threat group in the past eight months. On August 14, 2020, officials with Mexico’s CIBanco reported that they had been hit by the Sodin ransomware. Just 23 days later, on September 7, 2020, one of Chile’s three largest banks, BancoEstado, reported being hit by ransomware. The attack forced the bank to close all its branches for a day; the alleged culprit was the Sodin ransomware threat group.

Among the new victim organizations Sodin claims to have compromised in 2021 are two U.S.-based law firms. In 2020, law firms seemingly became frequent victims of ransomware gangs, and thus far this year appears to be following a similar trend. According to news sources, in early February the Jones Day law firm was the victim of a breach resulting from zero-day exploits launched against the FTA file-sharing service from Accellion. Jones Day was a customer of Accellion. Forbes reported that the Clop ransomware group posted a large cache of the law firm’s stolen data in retaliation for the firm not meeting the cybercriminals’ payment demands. Jones Day counts former U.S. President Donald Trump as one of its clients.

Equally prominent was the attack carried out by the Sodin gang against the law firm Grubman Shire Meiselas & Sacks in May 2020. The Sodin threat group claimed to have stolen sensitive data, including contracts, telephone numbers, email addresses and other personal correspondence relating to many of the firm’s high-profile clients. Those clients are reported to include Lady Gaga, Madonna, Bruce Springsteen, Jessica Simpson, Mariah Carey, and Mary J. Blige, among others. The Sodin group demanded a ransom of $42 million for the return of the firm’s files. However, the ransom was not paid, and the threat actors threatened to auction off the data on the Dark Web.
The entities mentioned above are just a few of the organizations reported to have been attacked by the Sodin ransomware gang. Other notable victims include Travelex, CyrusOne, Artech Information Systems, Brown-Forman, Kenneth Cole and GEDIA Automotive Group. Unfortunately, eSentire believes that the Sodin ransomware gang will continue to be successful in its attacks, and that of the nine new organizations it claims to have compromised, quite a few could be real incidents.

Image 2: A screenshot of a computer file directory purported to be from the U.S.-based construction firm attacked by the Sodin gang.
In order to protect your company from ransomware attacks, the TRU recommends the following security steps: