Sodinokibi is a ransomware family that has gained prominence recently. As we blogged about last year, it turned out to be an evolution of GandCrab, which was responsible for incidents in thousands of organizations through phishing campaigns. Sodinokibi targets Windows operating systems and follows the RaaS (Ransomware as a Service) model: malicious code that its creators customize for other subscribing “clients”.

REvil blackmail_

Now the group responsible for Sodinokibi (also known as REvil) is back in the news: a few weeks ago, the Bloomberg news agency reported that it got hold of compromised information from Quanta, a Taiwanese company that is one of Apple’s key component suppliers.

Although Quanta is a company with significant value in its own right and also supplies other large technology companies such as Facebook and HP, the attackers specifically targeted the information Quanta held on its customer Apple, which shows that this incident was a supply chain cyberattack.

In fact, the group obtained 15 images and blueprints of what appeared to be future MacBook models, including specific serial numbers, sizes and features, all with a high level of detail. It then posted a (now deleted) letter on its Dark Web blog demanding a $50 million ransom from the company under threat of publishing new confidential information every day. However, BleepingComputer reported that the ransom deadline was extended to this May and the amount was lowered to $20 million as part of negotiations with the company; the group is now also threatening to release information about the new iPad and the company’s new logos.

Extortion message from REvil to Quanta. Source: BleepingComputer

Essential backups_

So far, although negotiations appear to be underway, there is no official confirmation as to whether Quanta has agreed or will agree to pay the ransom. However, statistics show that many organizations that make these payments do not get what they paid for: 92% of those that agree to pay do not recover their data, according to a study by cybersecurity analysts. Yet many continue to pay: according to the same report, the number of organizations paying ransoms has grown by 32% this year compared to last year.

Nonetheless, before it ever comes to that decision, organizations should take measures to prevent ransomware from succeeding. In this regard, as we illustrated in the Ryuk incident at the Spanish Public Employment Service (SEPE), it is very important to keep frequently updated backups that are isolated from the main systems, so that data can be restored as quickly as possible.

Zero Trust and end-to-end solutions_

The Quanta case provides further lessons. The fact that such sensitive Apple information was compromised through a supplier, after a cyberattack on the supply chain, demonstrates that the Zero Trust approach is essential: legitimate partners, their files and their activities can be the entry vector for a threat. Another recent example is Sunburst, the malware behind the cyberattack on SolarWinds, software used by many large companies. Organizations therefore need advanced cyber-security tools built on the Zero Trust premise, so that any file or network activity is treated as suspicious by default and analyzed before it is allowed to execute on systems. This is the case with Cytomic, for which Zero Trust is a key pillar of its Endpoint security solutions.

In addition, to be prepared for the threats that can come from sophisticated groups like REvil, you need a solution that is as comprehensive and complete as possible. Cytomic Covalent addresses this need by combining all the preventive capabilities of Cytomic EPDR with the Threat Hunting capabilities of Cytomic Orion, speeding up incident response and the hunting of malwareless threats. This makes blackmail such as that suffered by Quanta as an Apple supplier much less likely to happen.