Researchers at Symantec have discovered that the Sodinokibi ransomware group is now scanning for PoS software in victims' networks to cash in even further. Any vulnerabilities found in the PoS software, which handles the financial transactions between customers and businesses, can be exploited to scrape more sensitive details, which can then be exploited directly or sold on the dark web to others.
An Extra Source of Income
Sodinokibi, also known as REvil ransomware, is infamous for its attacks on Travelex, GEDIA Automotive, and many other companies in the past. It has been active since April 2019 and has followed in the footsteps of the Maze ransomware gang, attacking enterprises rather than individuals and leaking stolen data if a victim fails to pay on time. All of this has earned Sodinokibi considerable notoriety in a short span within the ransomware industry.
And now the group has been found to be carrying out an extra activity on its victims that could garner even more money. According to Symantec, Sodinokibi has been scanning for Point of Sale (PoS) software in the victim's network to scrape sensitive data such as credit card details. These can be used to exploit the victims directly or be bundled and sold in underground forums. Either way, the operators make money.
Besides earning from ransoms, Sodinokibi is trying to find yet another way of squeezing money from its victims. Symantec researchers said that the food, services, and healthcare industries were targeted in these new operations, with the former two targeted more severely. The attackers here were exploiting zero-day vulnerabilities in Windows that were addressed back in 2018. Yet many companies neglect to patch and fall prey to ransomware gangs.