News broke on June 1 that the world’s largest meatpacker, JBS SA, was hit by a ransomware attack which disrupted meat production in the company’s North American and Australian facilities. Late on June 2, JBS was quoted as saying that most of their operations resumed on Wednesday, including all of their pork, poultry and prepared foods facilities around the world, in addition to the majority of their beef facilities in the U.S. and Australia. The FBI and several top news outlets are reporting that the Sodin/REvil ransomware group is the cybercriminal gang behind the ransomware attack. Interestingly, eSentire’s TRU team, who has been tracking the Sodin ransomware group since its inception, found that the Sodin gang claims to have hit another large meat manufacturer in France in the past two weeks.
“It is certainly plausible that the Sodin/REvil ransomware group launched the attack against meat packer and producer JBS, as well as another company in the same industry,” said Rob McLeod, Sr. Director of eSentire’s security research team, the Threat Resistance Unit (TRU). The TRU has been tracking the top ransomware groups for several years, and the Sodin/REvil gang ranks in the number one or number two spot amongst all the ransomware gangs. The Sodin group is only rivaled by the Ryuk/Conti ransomware organization when it comes to high-profile attacks, ransoms collected and news coverage. “The Sodin/REvil gang has all the technical capabilities, the infrastructure and the criminal network to pull off the attack against JBS,” continued McLeod.
| Sodin/REvil Number of Victims Listed (inception to April 31, 2021) | New Since Jan. 1, 2021 – April 31, 2021 | Recent Victim Profiles |
| --- | --- | --- |
| 161 | 52 | |
In tracking the activities of the Sodin/REvil ransomware group, eSentire found that the Sodin group claims to have compromised 161 victims from its inception until April 31, 2021, 52 of them in the first four months of 2021. These numbers do not include JBS or the other victims the group has named on its blog/leak site, Happy Blog, since April 31. Many of the businesses the Sodin gang has been confirmed to have compromised, and many of those it claims to have compromised, are manufacturers.
Manufacturers that have publicly confirmed a ransomware attack by the Sodin group this year include Quanta Computer, Tata Steel, Acer, Pierre Fabre, Asteelflash and Evraz. Other manufacturers the Sodin group claims on Happy Blog to have compromised this year include a Virginia-based manufacturer of comfort cushioning products; a Virginia-based manufacturer of motors; a Swiss manufacturer of hand tools; a California-based manufacturer of packaging for the beauty industry (e.g., makeup, perfume); a France-based manufacturer of paints and resins; and a Hong Kong-based manufacturer of beauty products.
Not surprisingly, the Sodin ransomware gang is also targeting other types of lucrative organizations. In the past two weeks, the threat group claims to have compromised new victims including: a large U.S.-based manufacturer of steel and aluminum for the auto industry; a court system in the southeastern U.S.; a large chain of luxury resorts in Mexico; a 70-year-old, established London-based accounting firm; one of the largest and oldest maritime logistics providers in Brazil; a U.S.-based luxury clothing line; a law firm based in Florida and one in California; and a large meat producer in France.
While we don’t know whether all of these incidents earned Sodin/REvil any ransom money, we do know that ransomware operators are making plenty of money. Cybersecurity company Emsisoft estimates that the true global cost of ransomware in 2020, including business interruption and ransom payments, was a minimum of $42bn and a maximum of nearly $170bn. A survey by Veritas Technologies found that 66 percent of victims admitted to paying part or all of the ransom.
"The ransomware attacks reported in the media are just the tip of the iceberg," continued McLeod. "The deep dive report our TRU Team did in May has exposed a veritable hornet's nest of attacks perpetrated by not just Sodin/REvil but other top ransomware gangs.”
With so many ransomware incidents being reported by the press and by the hackers themselves on their personal blog/leak sites, it’s tempting to think you’re fully aware of just how pervasive this threat has become. The reality is that the victim organizations we hear about publicly are a mere drop in the bucket compared to the actual incidents. One ransomware incident, which occurred in April 2021 but was never made public, involved a small private U.S. company. The threat actors demanded $12 million, and the company paid it, according to a high-ranking employee of the organization who asked not to be named.
Added McLeod: "Underestimating your risk of falling prey to ransomware is a dangerous game for companies. Increasingly, threat actors are widening their scope and have put manufacturers, transportation and logistics companies, and construction firms in their crosshairs. With so much at stake from both a financial and reputational standpoint, companies can't afford not to secure their networks, as we have seen with meatpacker JBS, Quanta Computer, Acer and Tata Steel.”
Sodin, like the Darkside ransomware group (the gang behind the Colonial Pipeline incident), also operates an affiliate model. The Sodin threat actors selectively recruit other cybercriminal groups, known as affiliates, to work with them. The affiliates recruited often run large botnets (networks of compromised business computers that are totally under the threat actors’ control). The affiliates infect their bots with the Sodin ransomware, and whenever a victim company or organization pays the ransom, the Sodin leaders take a percentage of the ransom money collected.
Compromised Manufacturers. Publicly announced in 2021 and late 2020.

| Company | Ransomware Group | Month of Disclosure | Ransom Amount Requested |
| --- | --- | --- | --- |
| Quanta Computer — Taiwan-based manufacturer of next-generation MacBook and other computer hardware. Threat actors claimed to have leaked purported schematics of Apple hardware. | Sodin/REvil | April 2021 | $50 million demanded from Quanta, then Apple |
| Tata Steel — India-based steel maker. | Sodin/REvil | April 2021 | $4 million |
| Acer — Taiwan-based. One of the industry’s largest computer manufacturers. | Sodin/REvil | March 2021 | $50 million |
| Pierre Fabre — France-based. Large pharmaceutical and dermocosmetics company. | Sodin/REvil | April 2021 | $25 million, originally. Increased to $50 million after the victim didn’t respond to extortion |
| Asteelflash — French electronics manufacturer. | Sodin/REvil | March 2021 | $12 million, originally. Increased to $24 million after the victim didn’t respond to extortion |
| EVRAZ — One of the world's largest steel manufacturers and mining operations. | Sodin/REvil | Feb. 2021 | |
A Partial List of Compromised Manufacturers. These companies are just a few of the victims named on the Sodin/REvil blog/leak site, Happy Blog. Please note: eSentire does not name victims unless already made public.

| Victim | Ransomware Group | Disclosed |
| --- | --- | --- |
| Virginia, U.S. — Manufacturer of comfort cushioning products. | Sodin/REvil | 2021 |
| Switzerland — Manufacturer of hand tools. | Sodin/REvil | 2021 |
| California, U.S. — Manufacturer of packaging for the beauty industry, e.g., makeup, perfume. | Sodin/REvil | 2021 |
| France — Manufacturer of paints and resins. | Sodin/REvil | 2021 |
| Virginia, U.S. — Manufacturer of motors. | Sodin/REvil | 2021 |
| Hong Kong/China — Manufacturer of beauty products. | Sodin/REvil | 2021 |
Sodin Group Behind Two of the Biggest Attacks Against Manufacturers in 2021
Two of this year’s most notable ransomware attacks against manufacturers involved the Sodin threat group. In March, the group hit computer and electronics manufacturer Acer and demanded a $50 million ransom. Quanta Computer, which manufactures notebook computers including Apple’s MacBook, was another victim. The Sodin gang demanded $50 million from Quanta. The company refused to negotiate, and the Sodin criminals reportedly turned to Apple for the ransom. On their blog, Happy Blog, the Sodin hackers posted a warning stating that if they were not paid, they would publish what they claimed were technical details for current and future Apple hardware. The website 9to5Mac.com published several images of blueprints which the Sodin threat actors claim came from Quanta. See images 1-3.
Image 1: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.
Image 2: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.
Image 3: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.
The Sodin gang threatened to publish new data from Quanta every day leading up to May unless Apple agreed to pay the $50 million ransom in exchange for deleting the files. As of May 10, no additional documents appearing to be related to the Apple products had been leaked on Sodin’s website. Interestingly, all images relating to the Quanta incident have been removed from Sodin’s website, as well as any mention of the Quanta breach.
One writer was quoted as saying: “Historically, Sodin isn't known for bluffing and routinely posts stolen documents if its victims don't pay up, so it's unclear why the group has failed to follow through on this occasion, and Apple has not commented on the breach thus far.”
For more information about this threat and how to protect against it go to https://www.esentire.com/get-started