One of the world's most prolific and successful ransomware groups is now scanning the networks of victims to check for credit card and point of sale (PoS) software in what looks to be an additional method of making money from attacks.
Sodinokibi – also known as REvil – emerged in April 2019 and it has gone onto be one of the most damaging families of ransomware in the world today.
Networks of a number of high-profile organisations have been encrypted in Sodinokibi campaigns, with the attackers demanding ransoms of hundreds of thousands – and sometimes millions – of dollars in exchange for the return of the decryption key.
SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
In a significant percentage of cases, the victim feels as if they've got no choice but to give into the demand in order to restore functionality.
But now researchers at Symantec have spotted a new element in recent campaigns, with the attackers scanning compromised networks for PoS software.
It's possible that the attackers could be looking to scrape this information as a means of making additional money from campaigns, either by directly using the payment information themselves to raid accounts, or to sell it on to others on underground forums.
This wouldn't be the first time the hackers behind Sodinokibi have looked to exploit data they've compromised in attack; along with the Maze ransomware group, they've threatened to release information stolen from victims if they don't pay the ransom – and they're now auctioning it off to the highest bidder.
"The scanning of victim systems for PoS software is interesting, as this is not typically something you see happening alongside targeted ransomware attacks," wrote Symantec researchers.
"It will be interesting to see if this was just opportunistic activity in this campaign, or if it is set to be a new tactic adopted by targeted ransomware gangs."
Sodinokibi's new PoS-scanning technique has been spotted in a campaign targeting the services, food and healthcare sectors. Researchers describe the two victims in the food and services arena as large, multi-site organisations that would be seen by attackers as capable of paying a large ransom.
SEE: Ransomware: 11 steps you should take to protect against disaster
The healthcare organisation is described as much smaller and the researchers suggest that the attackers may have scanned for payment information in this instance as a means of trying to figure out if there was another way of making money from the attack if the victim didn't pay.
Whatever the reason for Sodinokibi now scanning for credit-card and payment information, it still remains a highly effective form of ransomware and organisations are still falling foul of it.
"One thing that is clear is the actors using Sodinokibi are sophisticated and skilled and show no sign that their activity is likely to decrease any time soon," said researchers.
Sodinokibi spreads by exploiting a Windows zero-day vulnerability that was actually patched in October 2018.
Therefore, one of the best ways an organisation can prevent itself from falling victim to Sodinokibi – and many other ransomware or malware attacks – is to ensure the network is patched with the most recent security updates to protect against known vulnerabilities.