Data Leaks From Sodinokibi Ransomware Now Selling On Hacker Forums

The past year has seen changes in the way that malware threat actors extort money from their victims. In 2019, the operators of Maze Ransomware started publishing files of their victims on hacker forums if they refused to pay the stipulated ransom. Since then, other operators have increasingly adopted this model. One such operator is the Ransomware as a Service (RaaS) operator, Sodinokibi.

Sodinokibi ransomware, which is also called REvil, is an advanced relative of the GandCrab ransomware family. It gained popularity between 2018 and 2019 when its operators used it to attack different enterprises. The malware can cripple business operations by blocking access to the business's data. It was tagged a nasty malware as it demanded ransom payment in cryptocurrencies. And, as it seems, it is adopting new approaches.

Sodinokibi is not just adopting the practice of publishing files; other hackers are putting the data up for sale on hacker forums. Recently, the RaaS operators published 12GB worth of data that reports suggest belongs to Brooks International. Apparently, Brooks International had recovered their data from backups and refused to pay any ransom. Below is a screenshot of the leaked data as published:

According to reports from BleepingComputer, other hackers and criminals have started auctioning this data on different forums. One such case is the information from Cybe, a cyber-intelligence firm, suggesting that the stolen data is being sold for approximately 2 Euros.

Although Brooks International has yet to give details of the data that was stolen, the information from hacking forums suggests that the published data includes usernames, passwords, account statements, credit card information, tax payment details and other sensitive information.

Ransomware as Data Breaches?

While ransomware attacks involve the encryption of files by the attackers, it is widely known that some attackers sift through their victims' files before encrypting them. With the new approach of publishing these files for non-payment of ransom, it is safe to say that these attacks are morphing into data breaches. And if indeed they are, then companies need to take measures to protect themselves against these attacks.

The Brooks International case exposes not only company data to the public, but also the data of its employees and customers. Therefore, the company needs to inform its employees and customers so that they can take action to protect themselves, and if the situation gets worse, the company may end up engaged in a data privacy court battle.

Also, this new development will pose a threat to companies that manage to sweep malware attacks under the carpet, dodging forensic auditing in the process. But then, despite the seriousness of likely blackmail from attackers, it is advisable that ransom payment be avoided. Attackers like Sodinokibi are known for continuous blackmail, and as such, the best remedy remains staying away from them by putting proper security controls in place to prevent infection in the first place.