The Sodin ransomware threat group is currently reporting that it has infected nine new organizations with its ransomware, Sodin (a.k.a. REvil and Sodinokibi), said global cybersecurity services provider eSentire. The organizations the Sodin gang claims to have compromised are two law firms, an insurance company, an architectural firm, a construction company and an agricultural co-op, all located in the U.S., as well as two large international banks (one in Mexico and one in Africa) and a European manufacturer.

As evidence, the Sodin hackers have posted documents on the Dark Web purporting to be from the victims, including company computer file directories, partial customer lists, customer quotes, copies of contracts, and even what appear to be several official IDs belonging either to an employee or to a customer of the victim company.

In reviewing several of the documents that the Sodin gang claims are from its new victims, many of them appear to be authentic (see images 1 and 2). Most of the documents that include a timestamp are recently dated, and the documents overall appear to pertain to the business of each respective victim. However, a few documents relating to the bank in Africa and to the insurance firm carry older dates, which raises the question of whether these two organizations are truly victims of the Sodin gang or whether the threat actors have somehow obtained old files belonging to them. What we do know is that the Sodin ransomware gang is highly capable and resourceful, and it has successfully compromised numerous entities, large and small.
Image 1: A screenshot of some computer folders purported to belong to the Mexican bank and stolen by the Sodin gang.
“These new ransomware incidents, which the Sodin gang is claiming, could certainly be plausible,” said Rob McLeod, Sr. Director of the Threat Response Unit (TRU) for eSentire. “These attacks come directly on the heels of an extensive and well-planned Drive-By-Download Campaign which was launched in late December. This malicious campaign’s sole purpose is to infect business professionals’ computer systems with the Sodin ransomware, the Gootkit banking trojan or the Cobalt Strike intrusion tool.”
eSentire’s security research team (TRU) discovered in early January that the threat group behind the malware downloader Gootloader had compromised dozens of legitimate websites across the globe. Their goal was to lure English-, German- and Korean-speaking business professionals to these sites, where victims thought they could get a copy of various sample business agreements. When the business professionals went to retrieve the agreement, they unknowingly downloaded Gootloader. Once Gootloader was on the victim’s computer, all it had to do was fetch the malicious payload, which could be the Sodin ransomware, the Gootkit banking trojan or Cobalt Strike.
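The two-stage pattern described above (a document lure downloaded from a compromised but otherwise legitimate site, followed shortly by the downloader fetching its real payload) is something a SOC can look for in web proxy logs. The script below is an added illustration of that detection idea and is not code from eSentire or TRU. The log format, the host and domain names, the "agreement/contract/nda" filename heuristic, the allowlist and the 10-minute window are all constructed assumptions; the novelty test (the follow-up domain was never seen by any host before the lure download) is the heuristic being demonstrated, not a rule from the page.

```python
"""Flag hosts that download a document-style lure from an unfamiliar site and
then, within a short window, contact a domain nobody in the estate had visited
before. Constructed example; log format and names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<iso-timestamp> <host> <method> <url> <status>".
SAMPLE_LOG = """\
2021-01-12T09:05:11 ws-017 GET https://news.example/headlines 200
2021-01-12T09:15:02 ws-042 GET https://cms-blog.example/downloads/sample_agreement.zip 200
2021-01-12T09:16:40 ws-042 GET https://upd-svc.example/ping 200
2021-01-12T09:20:00 ws-017 GET https://intranet.example/templates/nda_template.docx 200
2021-01-12T09:21:05 ws-017 GET https://news.example/sports 200
2021-01-12T09:30:00 ws-088 GET https://forum.example/files/contract_sample.zip 200
2021-01-12T09:32:30 ws-088 GET https://news.example/headlines 200
"""

# Hypothetical lure-name heuristic and corporate allowlist (assumptions).
LURE_NAME = re.compile(r"(agreement|contract|nda)", re.IGNORECASE)
ALLOWLIST = {"intranet.example"}
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, host, method, url, status = line.split()
    parsed = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "url": url,
        "domain": parsed.hostname,
        "path": parsed.path,
    }


def is_lure_download(ev):
    """A download counts as a lure candidate when the filename looks like a
    business document template and the site is not on the allowlist."""
    filename = ev["path"].rsplit("/", 1)[-1]
    return ev["domain"] not in ALLOWLIST and bool(LURE_NAME.search(filename))


def find_two_stage(log_text, window=WINDOW):
    """Return (host, lure_url, followup_url) triples where a lure download is
    followed within `window` by a request to a domain first seen only after
    that download (i.e. novel to the whole estate, not just this host)."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    first_seen = {}
    for ev in events:
        first_seen.setdefault(ev["domain"], ev["ts"])

    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_lure_download(ev):
                continue
            for nxt in evs[i + 1:]:
                if nxt["ts"] - ev["ts"] > window:
                    break
                # Domain never contacted by anyone before the lure landed.
                if first_seen[nxt["domain"]] > ev["ts"]:
                    findings.append((host, ev["url"], nxt["url"]))
    return findings


if __name__ == "__main__":
    for host, lure, followup in find_two_stage(SAMPLE_LOG):
        print(f"{host}: lure {lure} -> second stage {followup}")
```

In the sample, ws-042 is flagged (lure download, then a never-before-seen domain), ws-017 is not (the template came from an allowlisted internal site), and ws-088 is not (its follow-up went to a domain the estate already knew). That last case shows the limit of the novelty heuristic: a payload staged on an already-visited site would not trip it, so it belongs beside file-type and endpoint telemetry rather than standing alone.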
“The Gootloader campaign was designed to seed the Sodin ransomware, as well as the Gootkit banking trojan and the Cobalt Strike intrusion tool,” said McLeod. “We know this campaign has had some success because not only have we seen reports from other security groups, but we have also discovered multiple incidents where business professionals have been duped and have downloaded Gootloader onto their work computers. Luckily, we were able to disrupt the activity in midstream, preventing numerous related malware infections within the employee organizations, two of which were law firms and one which was a professional consulting firm.”
If the Sodin gang’s claim that it has recently compromised a bank in Mexico is true, then it will be the second large bank in Mexico to fall victim to the Sodin threat group in the past eight months. On August 14, 2020, officials with Mexico’s CIBanco reported that they had been hit by the Sodin ransomware. Just 23 days later, on September 7, 2020, one of Chile’s three largest banks, BancoEstado, reported being hit by ransomware. The attack forced the bank to close all its branches for a day; the alleged culprit was the Sodin ransomware threat group.
Among the new victim organizations Sodin claims to have compromised in 2021 are two U.S.-based law firms. In 2020, law firms seemingly became frequent victims of the ransomware gangs, and thus far this year seems to be following a similar trend. According to news sources, in early February the Jones Day law firm was the victim of a breach due to zero-day exploits launched against the FTA file-sharing service from Accellion. Jones Day was a customer of Accellion. Forbes reported that the Clop ransomware group posted a large cache of the law firm’s stolen data in retaliation for the firm not meeting the cybercriminals’ payment demands. Jones Day counts former U.S. President Donald Trump as one of its clients.
Equally prominent was the attack carried out by the Sodin gang against the law firm Grubman Shire Meiselas & Sacks in May 2020. The Sodin threat group claimed to have stolen sensitive data, including contracts, telephone numbers, email addresses and other personal correspondence relating to many of the firm’s high-profile clients. Those clients are reported to include Lady Gaga, Madonna, Bruce Springsteen, Jessica Simpson, Mariah Carey and Mary J. Blige, among others. The Sodin group demanded a ransom of $42 million for the return of the firm’s files. However, a ransom was not paid, and the threat actors threatened to auction off the data on the Dark Web.
The entities previously mentioned are just a few of the organizations reported to have been attacked by the Sodin ransomware gang. Some of the other notable victims include Travelex, CyrusOne, Artech Information Systems, Brown-Forman, Kenneth Cole and GEDIA Automotive Group. Unfortunately, eSentire believes that the Sodin ransomware gang will continue to be successful in their attacks, and of the nine new organizations they claimed to have compromised, quite a few of them could be real incidents.
Image 2: A screenshot of a computer file directory purported to be from the U.S.-based construction firm attacked by the Sodin gang.
In order to protect your company from ransomware attacks, the TRU recommends the following security steps: