Go to listing page

Sodinokibi Gang Starts a New Trend Among Ransomware Operators by Launching an Auction Site

Sodinokibi Gang Starts a New Trend Among Ransomware Operators by Launching an Auction Site
The mantra of having a data backup to protect oneself from ransomware attacks has gone for a toss. Today, ransomware gangs have upped their tactics by stealing their victims’ data and in some cases auctioning it off on dark web markets with an intent to make quick money.

It all started with the ‘Naming & Shaming’ tactic

Initiated by Maze ransomware operators in November 2019 and followed by 12 other ransomware gangs, the ‘Naming and Shaming’ tactic came into action when many victim organizations denied paying ransom after being targeted.

This tactic involved creating more pressure, by threatening the targeted organizations to dump their data online if they did not pay the ransom. By the end of January, the Maze gang was releasing the data of multiple victims in an effort to extort payment.

This pattern took a new shape when the Maze gang teamed up with the gang behind Ragnar Locker and LockBit ransomware. The partnership involved the shared use of the data-leaking platform created by TA2101, the gang behind Maze ransomware.

With the collective sharing of resources and intelligence, Maze attackers, along with other ransomware gangs, are expected to launch more effective attacks against victims.

Sodinokibi’s new attribute

  • The REvil aka Sodinokibi group recently revamped its double-extortion game by adding an auction feature to its underground website.
  • As reported by Threatpost, the auction capability appeared at the beginning of June, with the first lot containing accounting information, files, and databases stolen from a Canadian agricultural company.
  • Other victims whose data went up for sale in the auction included a US food distributor (with a starting price of $100,000) and a U.S law firm (between $30,000 and $50,000).
  • The tactic grabbed attention when the attackers began auctioning the sensitive information stolen from the US legal firm Grubman Shire Meiselas & Sacks. The firm represents John Mellencamp, Elton John, David Letterman, Robert DeNiro, Christina Aguilera, Barbra Streisand, Bruce Springsteen, and Madonna to name a few, as well as numerous high-profile corporate entities.
  • The gang claimed to have made $1 million by selling data pertaining to US President Donald Trump.
  • Later, it had laid out an auction schedule beginning from July 1, to sell stolen documents of Mariah Carey, Nicki Minaj, Lebron James, Bad Boy Records, MTV, and Universal.


With ransomware operators looking to diversify their revenue streams by making money from stolen data via auctions, the threat posed to organizations has increased significantly. Not only are Maze and Sodinokibi releasing and auctioning off stolen data, currently Ako, Clop, DoppelPaymer, Mespinoza, Nefilim, Nemty, NetWalker, Ragnar, Locker, and Snatch also have adopted similar tactics, Security Boulevard reported.

Cyware Publisher