
Security advisories | Mar 11, 2021

The Sodin(REvil) Ransomware Hackers Claim 9 New Victims, Reports eSentire

Purported Victims Include: 2 Law Firms, 2 Large International Banks, an Insurance Company, a Construction Company, a Manufacturer, an Architectural Firm, and an Agricultural Co-Op

The Sodin ransomware threat group is currently claiming to have infected nine new organizations with its ransomware, Sodin (a.k.a. REvil and Sodinokibi), reports global cybersecurity services provider eSentire. The organizations the Sodin gang claims to have compromised are two law firms, an insurance company, an architectural firm, a construction company, and an agricultural co-op, all located in the U.S., as well as two large international banks (one in Mexico and one in Africa) and a European manufacturer.

As evidence, the Sodin hackers have posted documents on the dark web purporting to come from the victims, including company file directory listings, partial customer lists, customer quotes, copies of contracts, and what appear to be several official IDs belonging either to an employee or to a customer of the victim company. In reviewing several of the documents that the Sodin gang claims are from its new victims, many of them appear to be authentic (see Images 1 and 2). Most of the documents that carry a timestamp are recently dated, and the documents as a whole pertain to the business of each respective victim. However, a few documents relating to the bank in Africa and to the insurance firm carry older dates, which raises the question of whether these two organizations are truly recent victims of the Sodin gang or whether the threat actors have instead obtained some older files belonging to them. What we do know is that the Sodin ransomware gang is highly capable and resourceful, and it has successfully compromised numerous entities, large and small.

Image 1: A screenshot of some computer folders purported to belong to the Mexican bank and stolen by the Sodin gang.

“These new ransomware incidents, which the Sodin gang is claiming, could certainly be plausible,” said Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire. “These attacks come directly on the heels of an extensive and well-planned Drive-By-Download Campaign which was launched in late December. This malicious campaign’s sole purpose is to infect business professionals’ computer systems with the Sodin ransomware, the Gootkit banking trojan or the Cobalt Strike intrusion tool.”

eSentire’s security research team, the TRU, discovered in early January that the threat group behind the malware downloader Gootloader had compromised dozens of legitimate websites across the globe. Their goal was to lure English-, German- and Korean-speaking business professionals to these sites, where victims believed they could obtain a copy of various sample business agreements. When the business professionals went to retrieve the agreement, they unknowingly downloaded Gootloader instead. Once Gootloader was on the victim’s computer, all it had to do was fetch the malicious payload, which could be the Sodin ransomware, the Gootkit banking trojan or Cobalt Strike.

“The Gootloader campaign was designed to seed the Sodin ransomware, as well as the Gootkit banking trojan and the Cobalt Strike intrusion tool,” said McLeod. “We know this campaign has had some success because not only have we seen reports from other security groups, but we have also discovered multiple incidents where business professionals have been duped and have downloaded Gootloader onto their work computers. Luckily, we were able to disrupt the activity in midstream, preventing numerous related malware infections within the employee organizations, two of which were law firms and one which was a professional consulting firm.”

The Sodin Gang’s History with Banks

If the Sodin gang’s claim that it has recently compromised a bank in Mexico is true, it will be the second large bank in Mexico to fall victim to the Sodin threat group in the past eight months. On August 14, 2020, officials with Mexico’s CIBanco reported that they had been hit by the Sodin ransomware. Just 23 days later, on September 7, 2020, one of Chile’s three largest banks, BancoEstado, reported being hit by ransomware. The attack forced the bank to close all its branches for a day, and the alleged culprit was the Sodin ransomware threat group.

The Sodin Gang and Law Firms

Among the new victim organizations Sodin claims to have compromised in 2021 are two U.S.-based law firms. In 2020, law firms became frequent victims of the ransomware gangs, and thus far this year appears to be following a similar trend. According to news sources, in early February the Jones Day law firm was the victim of a breach stemming from zero-day exploits launched against the FTA file-sharing service from Accellion; Jones Day was a customer of Accellion. Forbes reported that the Clop ransomware group posted a large cache of the law firm’s stolen data in retaliation for the firm not meeting the cybercriminals’ payment demands. Jones Day counts former U.S. President Donald Trump as one of its clients.

Equally prominent, however, was the attack carried out by the Sodin gang against the law firm Grubman Shire Meiselas & Sacks in May 2020. The Sodin threat group claimed to have stolen sensitive data, including contracts, telephone numbers, email addresses and other personal correspondence relating to many of the firm’s high-profile clients. Those clients are reported to include Lady Gaga, Madonna, Bruce Springsteen, Jessica Simpson, Mariah Carey, and Mary J. Blige, among others. The Sodin group demanded a ransom of $42 million for the return of the firm’s files. The ransom was not paid, and the threat actors threatened to auction off the data on the dark web.

The entities previously mentioned are just a few of the organizations reported to have been attacked by the Sodin ransomware gang. Some of the other notable victims include Travelex, CyrusOne, Artech Information Systems, Brown-Forman, Kenneth Cole and GEDIA Automotive Group. Unfortunately, eSentire believes that the Sodin ransomware gang will continue to be successful in their attacks, and of the nine new organizations they claimed to have compromised, quite a few of them could be real incidents.

Image 2. A screenshot of a computer file directory purported to be from the U.S.-based construction firm attacked by the Sodin gang.

Protection Tips Against Ransomware

In order to protect your company from ransomware attacks, the TRU recommends the following security steps:

  1. Employees should verify that downloaded content is what they intended to download. If you expected a document from the Internet but were served a JavaScript (.js) file, do not open it. Right-click the file and open Properties to see its true file type; Windows Explorer hides known extensions by default, so the visible name alone is not enough.
  2. Employees should be sure they trust document sources. Even legitimate-looking Word and Excel documents from the Internet can lead to loader malware.
  3. Use Windows Attack Surface Reduction (ASR) rules to block JavaScript and VBScript from launching downloaded content (the rule Microsoft names “Block JavaScript or VBScript from launching downloaded executable content”). Read more: Microsoft Docs.
  4. Employ an Endpoint Detection and Response (EDR) product.
  5. User-awareness training should be mandated for all company employees. The training should focus on the following topics:
    1. The downloading and execution of files from unverified sources
    2. The process for reporting potential security incidents
    3. Safe Internet browsing habits
    4. Avoiding free versions of paid software
    5. Inspecting the full URL before downloading files to ensure it matches the expected source (e.g., Microsoft Teams should come from a Microsoft domain)
    6. Always inspecting the file extension, not just the file-type icon: an executable can be disguised as a PDF or Office document
    7. Reporting security threats without fear of reprisal
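As an added example (not eSentire’s or the TRU’s own tooling, and not code from the advisory), the following PowerShell script applies tip 3 and automates the file-type checks behind tips 1 and 7 over a downloads folder. It assumes Windows 10/11 with Microsoft Defender Antivirus and an elevated session for the ASR change; the rule GUIDs are Microsoft’s published identifiers, while the target folder, the extension list and the two extra ASR rules paired with the JavaScript/VBScript rule are my choices, not the advisory’s.

```powershell
# Added example, not eSentire's code. Assumptions (not from the advisory):
# Windows 10/11 with Microsoft Defender Antivirus, an elevated session for
# Add-MpPreference, and the user's profile Downloads folder as the audit target.

$AsrRules = @{
    # The rule that tip 3 refers to (GUID published by Microsoft)
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    # Two related rules commonly enabled alongside it (covers the macro-bearing Office lures of tip 2)
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

function Get-AsrRuleState {
    # Returns a hashtable of configured rule GUID -> action (0 Disabled, 1 Block, 2 Audit)
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state[$ids[$i].ToUpper()] = [int]$acts[$i]
    }
    return $state
}

function Enable-AsrRules {
    # Start in AuditMode, review Defender event ID 1122 for false positives, then rerun with -Mode Enabled
    param([ValidateSet('AuditMode','Enabled')][string]$Mode = 'AuditMode')
    $current = Get-AsrRuleState
    foreach ($id in $AsrRules.Keys) {
        if ($current[$id] -eq 1) { Write-Host "already blocking: $($AsrRules[$id])"; continue }
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host "$Mode set for: $($AsrRules[$id])"
    }
}

# Extensions Windows executes on double-click; a "sample agreement" should never carry one (my list)
$ScriptLike = @('.js','.jse','.vbs','.vbe','.wsf','.wsh','.hta','.cmd','.bat','.ps1','.exe','.scr','.lnk')

function Find-SuspiciousDownloads {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    foreach ($file in Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue) {
        $reasons = @()
        if ($ScriptLike -contains $file.Extension.ToLower()) {
            $reasons += "executable or script extension $($file.Extension)"
        }
        # 'agreement.pdf.js' style: icon and visible name say document, the real (last) extension says script
        if ($file.BaseName -match '\.(pdf|docx?|xlsx?|pptx?|txt)$') { $reasons += 'double extension' }
        # U+202E (right-to-left override) reverses the displayed tail of the name to hide the real extension
        if ($file.Name -match '\u202E') { $reasons += 'right-to-left override in name' }
        if ($reasons.Count -eq 0) { continue }

        # Zone.Identifier alternate data stream: ZoneId=3 means the file was downloaded from the Internet
        $zoneLine = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue |
                    Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        $zone = if ($zoneLine) { $zoneLine.Substring(7) } else { 'no mark-of-the-web' }

        [pscustomobject]@{
            File    = $file.FullName
            Zone    = $zone
            Reasons = $reasons -join '; '
        }
    }
}

Enable-AsrRules -Mode 'AuditMode'
Find-SuspiciousDownloads | Format-Table -AutoSize
```

Run it first with the default AuditMode and watch the Microsoft-Windows-Windows Defender/Operational log for event ID 1122 (audited ASR hits) over a week; once nothing legitimate is being flagged, rerun `Enable-AsrRules -Mode Enabled`, at which point the rule produces event ID 1121 for each block. The download scan deliberately reports the Zone.Identifier value: a flagged script file with ZoneId=3 is exactly the object the ASR rule is designed to stop, whereas one with no mark-of-the-web reached the folder some other way and deserves a closer look.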