Already one of the most dangerous forms of ransomware, now Sodinokibi looks like it could also be attempting to make money from stolen payment information too.
Sodinokibi – also known as REvil – emerged in April 2019 and it has gone onto be one of the most damaging families of ransomware in the world today.
But now researchers at Symantec have spotted a new element in recent campaigns, with the attackers scanning compromised networks for PoS software.
It's possible that the attackers could be looking to scrape this information as means of making additional money from campaigns, either by directly using the payment information themselves to raid accounts, or to sell it on to others on underground forums.
This wouldn't be the first time the hackers behind Sodinokibi have looked to exploit data they've compromised in attack; along with the Maze ransomware group, they've threatened to release information stolen from victims if they don't pay the ransom – and they're now auctioning it off to the highest bidder.
Sodinokibi's new PoS scanning technique has been spotted in a campaign targeting the services, food and healthcare sectors. Researchers describe the two victims in the food and services arena as large, multi-site organisations that would be seen by attackers as capable of paying a large ransom.
Therefore, one of the best ways an organisation can prevent itself from falling victim to Sodinokibi – and many other ransomware or malware attacks - is to ensure the network is patched with the most recent security updates to protect against known vulnerabilities.