Inheriting all the sinister characteristics of its highly successful predecessor GandCrab, the strain is distributed through a similar affiliate model: the core team maintains the malware and the payment infrastructure, and affiliates carry out the intrusions. REvil/Sodinokibi collects an average ransom of over $300,000 per victim through its TOR payment site, of which 20-30% goes to the core team and the remainder to the affiliate responsible for the intrusion.
The REvil/Sodinokibi operators usually exfiltrate the victim's data before the extortion begins. Holding a copy of the data gives the operator leverage over victims who are unwilling to pay: parts of it are published on the group's leak-and-auction site, known as the Happy Blog, together with the threat of selling the rest to other criminals or to the victim's competitors. For a defender this means that restoring from backup does not end the incident; the exfiltration has to be assumed and handled as a data breach in its own right.
Beyond extortion for profit, the group has also engaged in cyber espionage: in several instances the operators targeted defence contractors and related organisations.
Once inside the victim's machine, the strain protects its configuration and the victim's keys with a hybrid scheme built from elliptic-curve Diffie-Hellman (ECDH) on Curve25519, SHA-3 and the Advanced Encryption Standard (AES), while file contents are encrypted with the Salsa20 stream cipher. The Curve25519 key pairs are generated before any encryption takes place, not after it: the malware creates a per-victim session key pair, runs ECDH between an ephemeral key and the operator's public key embedded in its configuration, hashes the shared secret with SHA-3 to obtain an AES key, and wraps the session private key under that key. Each file is then encrypted with its own Salsa20 key, which is in turn protected under the session public key. The effect is that only the holder of the operator's private key can recover the session private key and, through it, the per-file keys; nothing left on the infected host is sufficient to decrypt the data. Curve25519 is chosen because it is one of the fastest elliptic-curve constructions available, which keeps the per-file overhead low.
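The key hierarchy described above, as an added worked example written for this page; it is neither code from the original article nor the malware's own. It implements X25519 (RFC 7748) and Salsa20/20 from scratch on top of the Python standard library, so it runs offline. The function names, the layout of the wrapped-key blobs (ephemeral public key, nonce, wrapped secret) and the sample document are this example's own assumptions, and, because AES is not in the standard library, the key-wrapping step reuses Salsa20 keyed by the SHA-3-derived secret in place of AES; the wrap also carries no integrity check.

```python
import os
import struct
import hashlib

# --- X25519 (RFC 7748) in pure Python. The operator's private scalar never leaves the attacker.
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Curve25519 scalar multiplication: 32-byte scalar k times 32-byte u-coordinate u."""
    k = int.from_bytes(bytes([k[0] & 248]) + k[1:31] + bytes([(k[31] & 127) | 64]), "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):  # Montgomery ladder, one step per scalar bit
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# --- Salsa20/20 in pure Python: the stream cipher the strain applies to file contents.
def _qr(x, a, b, c, d):
    for i, j, k, r in ((b, a, d, 7), (c, b, a, 9), (d, c, b, 13), (a, d, c, 18)):
        s = (x[j] + x[k]) & 0xFFFFFFFF
        x[i] ^= ((s << r) | (s >> (32 - r))) & 0xFFFFFFFF

def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts (same operation) with a 32-byte key and 8-byte nonce, counter from 0."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    out = bytearray()
    for off in range(0, len(data), 64):
        ctr = off // 64
        st = [0x61707865, k[0], k[1], k[2], k[3], 0x3320646E, n[0], n[1], ctr & 0xFFFFFFFF,
              ctr >> 32, 0x79622D32, k[4], k[5], k[6], k[7], 0x6B206574]
        x = list(st)
        for _ in range(10):  # 10 double rounds = 20 rounds
            for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),   # column round
                      (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):  # row round
                _qr(x, *q)
        ks = struct.pack("<16I", *[(i + j) & 0xFFFFFFFF for i, j in zip(x, st)])
        out += bytes(p ^ s for p, s in zip(data[off:off + 64], ks))
    return bytes(out)

# --- Key wrapping: ECDH shared secret -> SHA-3 -> symmetric wrap under the derived key.
# ASSUMPTION: the strain uses AES at this step; AES is not in the standard library, so this
# illustration reuses Salsa20 here. The blob layout (ephemeral pub | nonce | wrapped) is this
# example's own and, like a bare stream cipher, carries no integrity check.
def wrap_key(recipient_pub: bytes, secret: bytes) -> bytes:
    eph_priv = os.urandom(32)
    kek = hashlib.sha3_256(x25519(eph_priv, recipient_pub)).digest()
    nonce = os.urandom(8)
    return x25519(eph_priv, BASEPOINT) + nonce + salsa20_xor(kek, nonce, secret)

def unwrap_key(recipient_priv: bytes, blob: bytes) -> bytes:
    eph_pub, nonce, wrapped = blob[:32], blob[32:40], blob[40:]
    kek = hashlib.sha3_256(x25519(recipient_priv, eph_pub)).digest()
    return salsa20_xor(kek, nonce, wrapped)

def encrypt_file(session_pub: bytes, plaintext: bytes) -> bytes:
    """Fresh random Salsa20 key per file; only its wrapped form (72 bytes) travels with the data."""
    file_key, nonce = os.urandom(32), os.urandom(8)
    return wrap_key(session_pub, file_key) + nonce + salsa20_xor(file_key, nonce, plaintext)

def decrypt_file(session_priv: bytes, blob: bytes) -> bytes:
    return salsa20_xor(unwrap_key(session_priv, blob[:72]), blob[72:80], blob[80:])

def simulate(plaintext: bytes):
    """Walks the hierarchy end to end; returns (encrypted file, what the operator recovers)."""
    operator_priv = os.urandom(32)                    # generated offline, stays with the operator
    operator_pub = x25519(operator_priv, BASEPOINT)   # the only half shipped in the configuration
    session_priv = os.urandom(32)                     # per-victim key pair, made on the infected host
    session_pub = x25519(session_priv, BASEPOINT)
    wrapped_session = wrap_key(operator_pub, session_priv)
    del session_priv                                  # the host is left with session_pub only
    encrypted = encrypt_file(session_pub, plaintext)
    # Recovery needs operator_priv -> session_priv -> file key -> file; nothing on the host suffices.
    recovered = decrypt_file(unwrap_key(operator_priv, wrapped_session), encrypted)
    return encrypted, recovered

if __name__ == "__main__":
    blob, back = simulate(b"constructed sample document contents")  # constructed sample input
    print(len(blob), back)
```

The point to take from the walk-through is the direction of the key wraps: every secret generated on the host is immediately encrypted towards a public key whose private half is elsewhere, so a forensic image of the machine yields ciphertext and public keys but no path back to the plaintext.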