[BreachExchange] Sodinokibi Ransomware to stop taking Bitcoin to hide money trail

Destry Winant destry at riskbasedsecurity.com
Tue Apr 14 10:23:51 EDT 2020


The Sodinokibi Ransomware has started to accept the Monero
cryptocurrency to make it harder for law enforcement to track ransom
payments and plans to stop allowing bitcoin payments in the future.

In a 2019 webinar titled "The functionality of privacy coins", Europol
stated that the use of both Tor and Monero made it impossible to trace
the funds or the actors who received them.

“Since the suspect used a combination of TOR and privacy coins, we
could not trace the funds. We could not trace the IP addresses. Which
means, we hit the end of the road. Whatever happened on the Bitcoin
blockchain was visible and that’s why we were able to get reasonably
far. But with Monero blockchain, that was the point where the
investigation has ended. So this is a classical example of one of
several cases we had where the suspect decided to move funds from
Bitcoin or Ethereum to Monero," Europol's Jarek Jakubcek said in a

Last month, the ransomware operators behind the Sodinokibi/REvil
ransomware posted to a hacker and malware forum that they are starting
to accept the Monero cryptocurrency to make it harder for law
enforcement to trace them.

"This principle has led to allegations that Monero could be used for
drug trafficking, the dissemination of child pornography and more. In
this regard, Europol in 2017 expressed concern about the growing
popularity of Monero. In 2020, Europol made an official statement -
Monero is impossible to track.

Due to CryptoNote and the obfuscation added to the protocol, passive
mixing is provided: all transactions in the system are anonymous, and
all participants in the system can use plausible denial in case of

The combination of an anonymous browser Tor and Monero can quite
successfully make a person’s financial activity completely invisible
to the police and government agencies. We are extremely worried about
the anonymity and security of our adverts, so we began a “forced”
transition from the BTC to Monero."

The operators go on to say that they will eventually remove bitcoins
as a payment option and that victims need to start to learn more about
Monero and how to acquire it.

"In this regard, we inform you that after a while the BTC will be
removed as a payment method. Victims need to begin to understand the
new cryptocurrency, as well as other interested parties who work with
us," the threat actors warned.

Tor ransom payment site uses Monero by default

On the Sodinokibi Tor payment site, the ransomware operators have
already started to move away from bitcoin by making Monero the default
payment currency.

If a victim wants to use bitcoin to make a ransom payment, the amount
is increased by 10%.

[Image: Tor payment site accepting Monero]

The ransomware operators are also offering "partners" who help victims
pay the ransom a discount that will make them "pleasantly surprised".

"Companies that assist our victims in acquiring the decryptor will be
pleasantly surprised by the % discount on the amount of the ransom. In
order to start working with us, it is enough to write in a chat and
introduce yourself as a company of this type of activity. Our
collaboration is completely anonymous. We do not disclose the data of
our partners," the ransomware operators offered.

Many of these "data recovery" companies add a significant surcharge to
victims they help, and with this additional discount, they stand to
make a much larger profit by helping Sodinokibi switch to Monero.
