Threat Watch

Sodinokibi Responds to Being Classified as Terrorists and Makes New Threat to Their Victims

Sodinokibi: The threat group behind the Sodinokibi ransomware already had gained a significant amount of attention following the breach of the law firm Grubman, Shire, Meiselas, & Sacks. The group then doubled down and threatened to release information on Donald Trump, while also doubling their ransom demand. Following the threats to publish data related to President Donald Trump, the law firm in a statement described the threat as an act of terrorism and suggested that the FBI may have identified it the same way, although there was no official announcement from the FBI to confirm that. The group has since responded to being branded as terrorists. According to the latest statement from the group this decision by law enforcement “will not affect our work in any way.” The group announced that if their ransom demands continue to be refused that they will begin to auction off the law firm’s customer’s data every week on the Darknet auction site Joker Buzz. Along with their threats to Grubman, Shire, Meiselas, & Sacks and their clients, the group posted the “first part” of their data on President Donald Trump. The data on President Trump was posted with a warning that he should buy all of the data before someone else purchases the whole of it to use against him during the upcoming election.

ANALYST NOTES

Sodinokibi is approaching negotiations with Grubman, Shire, Meiselas, & Sacks in a much more aggressive manner than is typically seen in cases like these. Such aggressive tactics in a high-profile case is a gamble for the group. If the data they have from the law firm is as valuable as they claim, this could work out to be a significant payday for the group, no matter how the data is sold. This is assuming though that the group is able to sell the data and disappear without being tracked down by law enforcement. The nature of ransomware operators has been shifting over the past year with many criminal groups threatening to release data if their ransom is not met rather than just leaving the data encrypted. This move by Sodinokibi opens a new door for ransomware operators to increase the odds of receiving payment for their attacks, either from the victim or from those who would be interested in purchasing the victim’s data. Ensuring proper defenses are in place are vital in defending against attacks from groups like Sodinokibi. Early detection to contain ransomware can not only aid in stopping the ransomware’s spread through a network but also minimize the amount of data stolen by attackers and the potential damage done to the victim’s public image and customer base. Endpoint Detection and Response (EDR) with 24/7 monitoring by experienced security professionals can aid in the rapid response to not only the threat from ransomware but many other threats which organizations face every day.

For more information, please read:

https://pagesix.com/2020/05/14/la-law-firm-hackers-double-ransom-demand-threaten-donald-trump/
https://www.forbes.com/sites/daveywinder/2020/05/17/hackers-publish-first-169-trump-dirty-laundry-emails-after-being-branded-cyber-terrorists/#3ac7dd975268