Bryson Blog

What is Sodinokibi Ransomware?

No company can eliminate the risk of being hacked, not even the CEO of Amazon. Do what you can to mitigate cyber risk while also ensuring your organization considers cyber risk transfer seriously too.

Here is a common statement you may hear expressed from an executive at a company actively focusing on cyber risk mitigation:

“We have a good data back-up and recovery program in place. Our employee cyber awareness training is going smoothly, no one is clicking on our faux-phishing campaigns. At the end of the day, ransomware only encrypts files locally. Even if we do fall victim we can get things back up and running quickly… we can finally take a deep breath and relax…”

News Alert: Sodinokibi ransomware sneaked in through a backdoor in third-party software and stole sensitive client data from a corporate victim. The criminal hackers are now holding the corporate victim's data hostage and demanding a significant ransom payment. They are threatening to release the sensitive data publicly, stating in effect: 'pay us, because the penalties enforced by the regulators will be 5 times worse'.


Welcome to the next phase of ransomware. From the linked article: "The authors behind Sodinokibi ransomware were threatening companies for the past one month to make the stolen files public if victims don’t pay the demanded ransom."

What is Sodinokibi ransomware?

It is a script that doesn’t require any human misstep to successfully breach a company and transfer its most sensitive data. This code exploits a vulnerability in Oracle software and automatically injects itself into the terminal. Unlike traditional ransomware that only creates a local cryptolocker (local encryption of files), this ransomware also sends copies of the files directly to the hackers.

This ransomware is akin to that swift museum thief that sneaks in and out of a building completely undetected with a valuable artifact in hand.

If the thief then shares photos of that artifact on public forums and further threatens to ruin the reputation of the museum by publicly sharing details of how little care the museum takes in protecting the assets entrusted to it, then it sounds very much like what these hackers are chatting about in public forums.


Today an Oracle software vulnerability, tomorrow what?

Since the Oracle software vulnerability, we have already witnessed an exploit in Internet Explorer wreaking havoc, and the phone of Jeff Bezos, CEO of Amazon, was hacked by a Saudi prince (for real).

Being okay with not being able to fully eliminate cyber risk at your company.

The cyber landscape is like the Wild West. We need to utilize technology to effectively operate our business, but we have no idea what is going to be hijacked next. This is not intended to scare you, it’s just the reality we live in right now.

We care about businesses staying in business because businesses are essential to building a great community and society. There is a good chance the corporate victims of the Sodinokibi ransomware will struggle to remain in business. If they do stay in business this attack has crippled their future.

We strongly encourage you to have a conversation with us. In the cyber risk conversation, we are the risk transfer specialists. Our goal is to ensure your business continues to thrive when the unexpected occurs. We naturally work with you to explore your current business practices and often highlight quick wins to enhance your risk mitigation plan as well.

It is important to have a professional cyber risk mitigation team. See if we fit on your team as your cyber risk transfer specialists.

Why should my business care about Ransomware-as-a-Service?

Ransomware is not a new threat for businesses. It is one of the most commonly talked about cyber security issues facing companies today, and with good reason: it is very profitable for cyber criminals, and the barrier to entry is getting lower and lower. Because of the ability to make money fast, many online criminals have grown curious about how to get in on the action but did not know where to start.

As any entrepreneur would tell you, where there is a business problem there is a creative entrepreneur developing a solution. Enter Ransomware-as-a-Service (RaaS).

“Ransomware will continue to both dominate headlines and cause havoc in 2020. The complexity of the attacks and the packaging of Ransomware-as-a-Service will continue to increase, while organizations grapple with both prevention and implementing practices to respond appropriately. Responses by organizations will be split between those who recover from backups, and those with more limited options who opt to pay the ransom” (Danny Allan, Vice President of Product Strategy, Veeam. Source: Forbes)

Ransomware-as-a-Service is similar in some ways to the Software-as-a-Service (SaaS) model, in that users pay a subscription fee for use of the platform (think of above-board SaaS products like Salesforce, Dropbox, DocuSign, Zendesk and Adobe).

RaaS’s subscription-based malicious model enables rookie cybercriminals to launch ransomware attacks without having to know how to code. RaaS gives non-technical cybercriminals the ability to create their own ransomware with ease. RaaS users can set the ransom amount, payment terms, deadlines and other features.

Once ready, the cybercriminal can focus on having the right person in a company take the wrong action.

How does the RaaS game work?

The object of the game is to successfully launch a ransomware attack on a small-to-medium sized business, hold sensitive and critical information hostage and get paid.

The game is won when the victim pays the ransom.

Within this game we have four players.

  • Cybercriminal #1 – role is to write the ransomware code
  • Cybercriminal #2 – role is to distribute (sell/rent) the ransomware code
  • Cybercriminal #3 – role is to choose a ransomware code and launch an attack (there can be hundreds of Cybercriminal #3 players in this game for every Cybercriminal #1)
  • Company employees – role is to defend their company’s survival

Cybercriminal #1 and #2 can be the same player and for the sake of this scenario it is easier to keep them as one player now known as Chief Cybercriminal.

The Chief Cybercriminal is like a franchisor. Beyond writing and selling the ransomware code, they also provide cybercriminal #3 with technical know-how and step-by-step information on how to launch a ransomware attack. Once the attack is successful and the game is won (meaning the victim paid the ransom), the collected money is split between the Chief Cybercriminal (coder and service provider) and cybercriminal #3 (the attacker).

As with other Software-as-a-Service platforms, the real difference in this game is that many cybercriminal #3s can be utilizing the platform at the same time. This is one of the key factors behind the continued exponential growth in ransomware attacks on small and medium sized businesses.

Now those proficient at utilizing the ransomware attack weaponry can focus on their craft of phishing and exploit kits, allowing the Chief Cybercriminals to focus on their craft of coding. Specialization is another factor increasing the success rate and number of ransomware attacks.

What weapons does Cybercriminal #3 (the attacker) deploy?

The cybercriminal is a real person sitting behind an actual computer somewhere in the world. Because this person is a specialist, they have the time to study and research before deploying their attack. Consider a salesperson prospecting their future client. This individual may check out the company’s website, look at LinkedIn profiles of key employees, read articles and posts from employees and about the company… really build an understanding of who they are building a relationship with. The cybercriminal’s early approach in this game may look quite similar.

If cybercriminal #3 deploys a highly targeted, strategic approach, they will most likely leverage a phishing strategy. In these attacks they write enticing (both in wording and in visuals) emails to employees, with the purpose of gaining important information to support the attack or of having the malware activated on the employee’s computer.

If cybercriminal #3 deploys a spray-and-pray approach, they will invest some of their future game winnings in an exploit kit. An exploit kit is designed to automatically and silently exploit vulnerabilities on the victim’s machines while the victim is browsing the web.

The most effective cybercriminal #3s will deploy a mix of both strategies simultaneously.

The future of Ransomware-as-a-Service

“In 2020, we will see, at minimum, a 300% increase in RYUK-related ransomware attacks, and most of those attacks will be focused on U.S. small businesses. Ransoms on small businesses will jump to $150,000 to $300,000 per event on the low end, causing a spike in U.S. small business bankruptcies and closures. About 2 out of every 10 small businesses attacked will have no choice but to halt operations for financial reasons. Another reason we'll see a spike in attacks on small U.S. businesses is the sheer volume of these businesses running outdated Windows servers with known vulnerabilities” (Zohar Pinhasi, CEO, MonsterCloud Cyber Security. Source: Forbes)

This vicious model is wildly profitable for the Chief Cybercriminal, so much so that advertisements for RaaS solutions are appearing on the dark web.

Any business owner can see why this model is growing in popularity. Instead of one person having to be the product developer, builder and lead salesperson, this model allows for specialization and leads to economies of scale.

The code writer, the ransomware platform provider and the attacker can each focus on what they do best. And once a product is built and available on the platform, there can be hundreds of attackers utilizing the product rather than only the original writer of the code.

What should businesses do?

There have been countless articles suggesting tactics and strategies to reduce the risk of cyber crime on a company’s operations. We wrote this one on protecting your company assets and this one on understanding and recognizing phishing scams. Will implementing all of this end the threat for good? No.

Here is the pain point and reality: malicious coders, some of the best in the world, are spending their time writing attack code specifically designed to exploit vulnerabilities in even the very best company IT plans.

Training staff is critical, and investing intelligently in IT will drastically reduce risk… but there is almost no way to eliminate the risk without rendering your business operation ineffective (you could cease using email, digital file storage and computers/smartphones, but that would probably cease your business operation too).

Cyber insurance is a risk transfer tool designed to complement your IT strategy. It is in no way intended to replace investing in IT and security, employee awareness training or any other risk mitigation strategy.

Except for very specific circumstances, cyber insurance should be a standalone policy and it should be purchased through an insurance brokerage that specializes in cyber insurance wordings and coverage.

I invite you to have a conversation with us on cyber insurance. By knowing the price of insurance, what cyber insurance covers and how it works compared to other insurance solutions (for example, you get access to a breach coach as soon as a breach occurs), companies can make an informed decision.