Sodinokibi Ransomware Attackers Threaten to Release Data Stolen from Gedia Automotive Group

On January 23, Bleeping Computer reported that cyber-attackers using the Sodinokibi ransomware have threatened to release data that they say were stolen from German automotive supplier Gedia Automotive Group.  According to Bleeping Computer, the attackers made the threat after Gedia allegedly failed to contact the attackers and pay a ransom to release encrypted company data.

The attackers used Russian hacker and malware forum NoAvatar to post the following message regarding Gedia:

They didn’t get in touch. All computers on the network are encrypted.  More than 50 GB of data was stolen, including drawings, data of employees and customers.  All this is carefully prepared for implementation on the stock exchange of information. What they don’t buy, we’ll post it for free. 7 days before publication.

Gedia reportedly picked up indications of the initial attack quickly, but found it necessary to shut down its headquarters’ IT systems “to prevent the complete failure of Gedia’s IT infrastructure.” It acknowledged that the shutdown “is likely to have far-reaching consequences” for all of the Gedia group of companies because all of its locations in eight countries, including the United States, are connected to the group’s central IT infrastructure and depend on it.

The Sodinokibi attackers’ post about Gedia also included a brief message regarding U.S. information-technology staffing company Artech Information System: “we begin to sell data on exchanges.” That message, which referred to the data-trading platforms that cybercriminals favor, followed the Sodinokibi attackers’ recent posting of “download links to 337 MB worth of files supposedly stolen from Artech.”

Note:  Information-security and financial crimes teams in companies and government agencies should take note of these two Sodinokibi incidents in planning defenses for and responses to ransomware attacks.  Sodinokibi, a highly evasive form of ransomware that takes multiple measures to prevent its detection, has been called “the Crown Prince of Ransomware.”

Although evasive ransomware is not new, Bleeping Computer reported that ransomware attackers have only recently adopted the tactic of “[e]xfiltrating data before encrypting ransomware victims’ systems and leaking the stolen data.” Because some victims refuse to pay, or restore from backups instead, this tactic is evidently designed to create an additional incentive to comply with the ransom demand promptly: even a victim that can recover its systems still faces publication of the stolen data.
