สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency

Report

Home > List all groups > List all tools > List all groups using tool Sodinokibi

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Sodinokibi

Names	Sodinokibi Sodin REvil
Category	Malware
Type	Ransomware, Big Game Hunting
Description	(Cybereason) The ransomware iterates through all folders on the machine, encrypts all files, and drops a ransom note in each folder. Once it has finished encryption, it changes the desktop wallpaper to help inform the user of the attack.
Information	<https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack> <https://blog.intel471.com/2020/05/04/changes-in-revil-ransomware-version-2-2/> <https://www.bleepingcomputer.com/news/security/revil-ransomware-scans-victims-network-for-point-of-sale-systems/> <https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/revil-ryuk-tycoon-ransomware/> <https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/> <https://www.tripwire.com/state-of-security/featured/revil-ransomware-what-you-need-to-know/> <https://www.cybereason.com/blog/cybereason-vs.-revil-ransomware> <https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/> <https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version> <https://www.databreaches.net/still-think-you-can-negotiate-with-revil-and-get-your-files-back-read-this-first/> <https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles> <https://www.bankinfosecurity.com/blogs/theres-clear-line-from-revil-ransomware-to-russia-p-3065> <https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/> <https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment> <https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/> <https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/> <https://blogs.cisco.com/security/threat-protection-the-revil-ransomware> <https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/> <https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/> <https://www.malvuln.com/advisory/7d7ee58c2696794b3be958b165eb61a9.txt> <https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence>
MITRE ATT&CK	<https://attack.mitre.org/software/S0496/>
Malpedia	<https://malpedia.caad.fkie.fraunhofer.de/details/win.revil>
AlienVault OTX	<https://otx.alienvault.com/browse/pulses?q=tag:Sodinokibi>
Playbook	<https://pan-unit42.github.io/playbook_viewer/?pb=revil-ransomware> <https://www.nomoreransom.org/uploads/REvil_documentation.pdf>

Last change to this tool card: 30 December 2022

Download this tool card in JSON format

All groups using tool Sodinokibi

Changed	Name	Country	Observed
APT groups
	Pinchy Spider, Gold Southfield		2018-May 2022

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Report incidents

+66 (0)2-123-1227

[email protected]