Threat Watch

Sodinokibi Operators Brainstorming New Extortion Ideas

A new forum post by the Sodinokibi operators shows they are doubling down on their efforts to coerce victims into paying the ransom. Although the group had already begun to follow in the footsteps of others by posting stolen data, all data and announcements were posted on third-party forums. According to a recent announcement, the group has finished work on a “blog” for sharing stolen data, falling in line with groups like Maze and, more recently, DoppelPaymer. Forum user “Unknown” also went on to encourage all affiliates to exfiltrate data as often as possible to convince them that this new blog is worth the effort. Perhaps trying to get ahead of the game after following the lead of others, Unknown also mentions that the group is considering an automatic email notification to stock markets after a victim has been infected, in hopes of affecting company value.


Always keep anti-virus solutions up to date. When deploying security solutions for the enterprise, consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Using an EDR solution or an MDR (managed detection and response) service can help spot threats before they spread too far. Analysts at the Binary Defense Security Operations Center detect threats on our clients’ workstations and servers 24 hours a day and respond quickly to contain infections, preventing minor incidents from becoming a source of major damage across the company. Most importantly, make backups! Backups should be created at regular intervals and stored offline. Many ransomware families look for connected USB devices and network drives, so multiple backups should exist in different locations to minimize the chance they could be infected as well.