After the December infection of CyrusOne, the operators of the ransomware known as Sodinokibi made it clear they weren’t happy with victims being able to successfully recover their files without paying their ransom demand. A forum post by a representative for the threat group tries to argue that paying a ransom is much less expensive than the cost of recovery from scratch. In the case that victims don’t pay, the representative states that stolen data from the breach will either be sold to competitors or dumped online for free. The group even tries to use the potential GDPR fines as a threat. Since that December post, it seemed like the group was only trying out a scare tactic. Unfortunately, the threat group has finally followed through on their threats by posting a 337MB partial dump of data stolen from Artech Information Systems and promises to sell more sensitive financial information if they do not receive the extortion payment that they demanded. This appears to be a move to prove they are willing to follow in the example of the Maze ransomware which has been publishing victim data since May.
Sodinokibi Operators Follow Through on Threats
Always keep anti-virus solutions up-to-date. When deploying security solutions for the enterprise, consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Utilizing an EDR solution or an MDR (managed detection and response) can help spot threats before they spread too far. Many forms of ransomware also seek out network-attached drives when encrypting files; backups should be completed periodically and stored offline in a secure location. To combat data exfiltration, consider adding a DLP (data loss prevention) solution as another layer of security.