Sodinokibi Ransomware Gang Launch An Auction Site To Sell Stolen Data

Selling stolen data is now becoming a common tactic of cyber groups. In recent times, Ransomware threats threaten users to upload the data on some website if they fail to pay the ransom fee.

In a recent campaign, the hackers leaked the database of Dark Web Hosting Providers.

Starting A New Trend, the Sodimokibi or REvil ransomware have up their game of extortion.The gang came up with a new way of earning profit from the stolen data of the victims.

Leaving behind the extortion tactics, this gang has launched a new auction site to sell the personal data of their victims to the highest bidder on the dark web platforms.

The Sodimokibi ransomware gang also runs a website named as “Happy Blog,” where they often upload the samples of data stolen from the victims. This is done to threaten the victims to make the files public if ransom is not paid.

Sodinokibi Ransomware Gang Launch An Auction Site To Sell Stolen Data

Sodinokibi Ransomware Gang Launch An Auction Site To Sell Stolen Data

Sodinokibi Ransomware New Auction Tactic

As leaking the data on the website was not gaining them any money, they curated a plan aiming double-extortion.

  • The underground website is updated with the feature for holding auctions. This way they can monetize the stolen files by selling them to the highest bidder, instead of releasing them for free.
  • The auction first started operating in June, when the accounting information, files and databases of a Canadian agricultural company was put up for sale. The starting auction price was kept at $50,000. The payments were accepted in Monero cryptocurrency.
  • The next victim was a US food distributor whose primary auction price was $100,000. The information from a US law firm was set for auction at 30,000.
  • What grabbed people’s attention was the recent incident, when the gang had set up sensitive information for auction. The data belong to an entitled US legal firm, Grubman Shire Meiselas & Sacks. This firm deals with high profile clients including Elton John, David Letterman, Christina Aguilera, Barbra Streisand, John Mellencamp, Robert DeNiro, Bruce Springsteen and Madonna lots more.
  • Reports claim that this gang has made $1 million by selling information linked to US President, Donald Trump.
  • A new auction schedule for July, which will be revealing information about Mariah Carey, Nicki Minaj, LeBron James, Bad Boy Records, MTV and Universal.

How it all started?

You may have heard about the ‘Naming and Shaming‘ tactic which gained people’s attention in November 2019. Started by Maze ransomware operators influencing 12 other ransomware gangs.

This tactic was triggered when organisations and individual victims denied paying the ransom.

Although, the maze Ransomware mainly targets the corporate, who will be able to pay a huge amount of ransom. They exploit the software vulnerability and network breach to attack the system. After which they encrypt the victim’s files and data.

When their demands were not satisfied, so they introduced a “leak site” . The sites contained the samples and proofs of the stolen data to terrify the victims. It is even used to leak the whole stolen files when the victim denies making payments.

By the end of January, Maze released a lot of data of multiple clients to earn its revenue. However, this trend did not satisfy enough as their greed is ever-rising.

So, Maze decided to team up with the gang behind Ragnar Locker and LockBit ransomware, who recently rose to popularity. The motive of this partnership was to share the common leak platform, brought into existence by Maze Gang, TA2101.

Unfortunately, this partnership may destabilize the privacy of corporations. As the compiled resources and intelligence is perceived to bring more frequent attacks.


Ransomware operators are no longer ready to settle for companies paying them off to return their data. They are now new extortion tactics make the RAAS (ransomware-as-a-service) business model more successful.

As we now know that auction tactic is not only limited to Maze and Sodinokibi anymore. In fact, the Security Boulevard also reported Ako, DoppelPaymer Mespinoza, Clop, Nefilim, Ragnar, NetWalker, Nemty and Snatch are too adopting this new trend.

In such a case, organizations and individuals should will to the fact that, ransomware is not going anywhere. This is to stay with us, taking advantage of system/network flaws to compromise the devices. Further, encrypting the highly sensitive data to extort money.

So, the it is better we stay vigilant to ransomware threats and adopt precautionary and safety guild lines to protect our private data.

Protect your computer with HitmanPro.Alert Now

While, threat actors can exploit the vulnerabilities any time, so it is necessary to have an active anti-virus protection always running on the system. The best one we recommend is HitmanPro.Alert, that will guard your system against all odds.

HitmanPro.Alert step 4

HitmanPro.Alert step 4

Guard Your System Against Ransomware With Ransomware Defender

More From Unboxhow