Sodinokibi creators leak and sell data stolen from organizations

Hackers follow each others' techniques: Sodinokibi distributes data stolen from victims on hacker forums

Hackers sell and distribute data stolen from victims that decided not to pay the ransom. Data, possibly belonging to consultancy firm Brooks International got exposed online due to the refusal paying demanded ransom^[1] when Sodinokibi ransomware^[2] infected their system. Now developers release information on hacking forums and sell details about their victims that decided to not pay. Malicious actors published around 12 BG of stolen company data stating that it belongs to Brooks International for not meeting their demands.

The post was made public, and it may seem bad enough. However, it was discovered that besides the public site, information is distributed and sold on hacker forums. Links to stolen data are sold for eight credits – around 2 dollars, at least, on one of the platforms. The description for the purchase states that the database belongs to an award-winning firm Brooks International.^[3] The company hasn't confirmed any of the facts.

These reports come after the discovery that new techniques got adapted by many ransomware creators.^[4] Maze ransomware, Nemty ransomware, and other threat actors now state to victims that valuable data gets stolen and wiped from their machines before encryption processes, so actors can shame non-paying victims online and blackmail them yet again.

Valuable data including credentials and logins already breached

Allegedly these databases that got made public and the ones that are distributed for money include user names, passwords, credit card information, statements, tax details, and more personal or sensitive information. Unfortunately, some of the hackers and malicious actors have already purchased the package with alleged Brooks International data.

It seems that buyers got satisfied based on reviews and comments about the purchase that state:

It even has credit card number & a password. lol !!

To bad these W2 forms weren't Donald Trump's taxes.

Thank you for being the hero we may not deserve, but need.

Not the first Sodinokibi ransomware and stolen data exposure incident

In January 2020, Sodinokibi ransomware creators published stoled data from people who haven't paid the ransom demands.^[5] This virus has already affected many enterprises and companies, governments in various industries. Cybercriminals take serious steps to get more profit from people and take advantage of their victims even after the initial virus attack.

Authors threatened companies for a month and made stolen data publicly accessible when officials refused to transfer demanded funds. More than 337MB of gathered data got published on the Russian malware forum. Artech Information System – the company whose data allegedly was breached is one of the largest companies that staff IT professionals.

Right now, probably every new cryptovirus attack comes with the statement about stealing valuable information because criminals see that they can make money from the same target a few different ways. Sometimes it can be only a statement that scares more people into paying, but the risks are high due to silent info-stealers and similar malware.

Even though this blackmail campaign is a serious issue, you shouldn't consider paying the ransom when your data gets encrypted or differently affected by the malware actors. Stay away from such criminals no matter how large your business or valuable those files are because it can lead to bigger losses.