Hacking group behind Sodinokibi embraces Monero

The Sodinokibi ransomware had begun accepting the Monero (XMR) digital currency in place of BTC, according to a BleepingComputer report. This watershed moment is significant because it highlights how privacy coins are being co-opted by well-organized cybercrime groups to evade law enforcement.  

The operators behind the Sodinokibi/REvil ransomware indicated as much in their posting to a hacker and malware forum. They mention that the embrace of the digital currency makes it harder for law enforcement to track ransom payments and identify who is behind the attack.   

Ransomware is a malware that locks the user out of their data or their device, then demands a payment to restore access to it. It is a growing threat within the cybersecurity field. A recent report told the story of how a U.K.-based firm recently paid hackers almost $2.3 million in BTC after being infected by the Sodinokibi ransomware.

The hackers behind Sodinokibi further say that they will eventually remove BTC as a payment option and that their victims need to learn more about Monero and how to obtain it. On the Sodinokibi Tor payment drop-off site, the cybercriminals have already moved away from BTC by making Monero the default payment currency. If a victim tries to use BTC to make a ransom payment, the amount demanded is increased by 10%.

The distributors of the malware further note that because of the privacy features such as “obfuscation added to the protocol, passive mixing is provided,” the anonymous protocols of Monero give all participants in the network plausible deniability in case of capture by authorities. They encourage “other interested parties who work with us” to learn more about the token. If these “data recovery” accomplices help the victims pay the ransom, they will get a discount.

“Companies that assist our victims in acquiring the decryptor will be pleasantly surprised by the% discount on the amount of the ransom…Our collaboration is completely anonymous. We do not disclose the data of our partners,” the forum post read. These “data recovery” teams typically add a surcharge to the victims who hire them. With the additional discount, they will make an even more substantial profit by helping the hackers switch over to Monero.

In a 2019 webinar titled “The functionality of privacy coins”, Europol’s strategy analyst, Jerek Jakubcek, confirmed that the use of both Tor and Monero made it impossible to trace the funds or the perpetrators who received them. Jakubcek went on to say that “Since the suspect used a combination of TOR and privacy coins, we could not trace the funds. We could not trace the IP addresses. Which means, we hit the end of the road.” 

For law enforcement, an activity that happened on the BTC blockchain is visible. This helps them further their investigation. But with Monero blockchain, this is the point where the investigation typically would end. This is an example from several cases where Jakubcek says the suspect decided to move funds from BTC or Ethereum to Monero.  

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.

[10]
[10]
[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
['on' + event]
['on' + event]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[i]
[i]
[results[1]]
[results[1]]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]
[10]
[10]
[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
['on' + event]
['on' + event]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[i]
[i]
[results[1]]
[results[1]]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]