Threat Watch

Sodinokibi Ransomware Crew Switching to Monero for Extortion Payments

Sodinokibi: The threat group behind the Sodinokibi ransomware left a message on their website announcing that they will begin accepting Monero cryptocurrency for victims to pay their extortion demands and will begin moving away from Bitcoin. As of right now, they will still accept Bitcoin for payment, but there will be a 10% increase in price for paying in Bitcoin instead of Monero. Switching to Monero makes transactions more anonymous because of the CryptoNote application layer protocol and the obfuscation built into that protocol. The group also announced on their website that any incident response company that wants to “partner” with them would see a significant discount on the cost of a decryptor for their client if they use the chat feature on the website to introduce the company.

ANALYST NOTES

With a prolific criminal group such as Sodinokibi moving towards only using Monero, other ransomware groups will likely follow. Because of the anonymity of Monero, the criminals may believe that law enforcement will have a harder time tracing the money. The group stated that they want to work with incident response companies to help victims obtain a decryptor, but this poses major issues for both the victim and the incident response company. Although the threat actors state they will keep this information private, it is impossible to know whether they actually will. Defenders should place monitoring on their networks and endpoints to detect intrusions and to prevent initial intrusions from escalating. A service such as Binary Defense’s Managed Detection and Response would be able to better protect companies from ransomware threats before they escalate. More about this can be read here: https://securityaffairs.co/wordpress/101483/cyber-crime/sodinokibi-ransomware-monero.html