{"id":96913,"date":"2019-10-14T06:33:20","date_gmt":"2019-10-14T13:33:20","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=96913"},"modified":"2025-06-02T19:52:31","modified_gmt":"2025-06-03T02:52:31","slug":"mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/","title":{"rendered":"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service &#8211; Follow The Money"},"content":{"rendered":"<h2><span style=\"color: #ff0000;\">Episode 3: Follow the Money<\/span><\/h2>\n<p><em>This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) campaign of 2018 and mid-2019.<\/em><\/p>\n<p>The Talking Heads once sang \u201cWe\u2019re on a road to nowhere.\u201d That line captures how challenging it can be to investigate the financial trails behind a RaaS scheme with many affiliates.<\/p>\n<p>However, we persisted, and we prevailed. 
By linking underground forum posts with bitcoin transfer traces, we were able to uncover new information on the size of the campaign and its revenue, and in some cases gained detailed insights into what the affiliates do with their earnings after a successful attack.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96914\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/1-3.png\" alt=\"\" width=\"1664\" height=\"476\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-3.png 1664w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-3-300x86.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-3-768x220.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-3-1024x293.png 1024w\" sizes=\"auto, (max-width: 1664px) 100vw, 1664px\" \/><\/p>\n<p>Sodinokibi generates a unique BTC wallet (payment address) for each victim. The blockchain is a public ledger of every bitcoin transaction that has taken place, and an address only appears on it once funds are received or spent, so as long as no payment is made there is no trace of the victim\u2019s wallet on the blockchain. Although many victims hit the news, we understand that if they paid, sharing that with the research community may be a bridge too far. 
On one of the underground forums we discovered the following post:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96915\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/2-2.png\" alt=\"\" width=\"1824\" height=\"211\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-2.png 1824w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-2-300x35.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-2-768x89.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-2-1024x118.png 1024w\" sizes=\"auto, (max-width: 1824px) 100vw, 1824px\" \/><\/p>\n<p>In this post the actors are expanding their operation and recruiting affiliates: an affiliate starts with a 60 percent cut of the ransom and, after three successful payments (read: successful ransomware infections for which the victims paid), the cut increases to 70 percent of the payments received. This is a common model; we saw the same in the past with RaaS schemes like GandCrab and Cryptowall.<\/p>\n<p>Responding to this post is an actor with the moniker \u2018Lalartu\u2019, whose comments are quite interesting, hinting that he was involved with GandCrab. As a side note: \u2018Lalartu\u2019 means \u2018ghost\/phantom\u2019. 
The name comes from Sumerian mythology, where Lalartu was a vampiric demon.<\/p>\n<p>Searching our data for the moniker \u2018Lalartu\u2019, we went back about a month and found a post from the actor on June 4<sup>th<\/sup> of 2019, again referencing GandCrab.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96939\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/1-5.png\" alt=\"\" width=\"2532\" height=\"696\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-5.png 2532w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-5-300x82.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-5-768x211.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-5-1024x281.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/1-5-1819x500.png 1819w\" sizes=\"auto, (max-width: 2532px) 100vw, 2532px\" \/><\/p>\n<p>Here we observe a couple of transaction IDs (TXIDs) on the bitcoin ledger; however, they are incomplete. 
More than a week later, on June 17<sup>th<\/sup>, 2019, \u201cLalartu\u201d posted another one with an attachment to it:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96940\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/2-3.png\" alt=\"\" width=\"1554\" height=\"502\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-3.png 1554w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-3-300x97.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-3-768x248.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-3-1024x331.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/2-3-1548x500.png 1548w\" sizes=\"auto, (max-width: 1554px) 100vw, 1554px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96941\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/3-1.png\" alt=\"\" width=\"1920\" height=\"900\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/3-1.png 1920w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/3-1-300x141.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/3-1-768x360.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/3-1-1024x480.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/3-1-1067x500.png 1067w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/p>\n<p>In this posting we see a screenshot with partial TXIDs and the amounts. With the help of the Chainalysis software and team, we were able to retrieve the full TXIDs. 
With that list we were able to investigate the transactions and start mapping them out with their software:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96918\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/6-1.png\" alt=\"\" width=\"1607\" height=\"1523\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/6-1.png 1607w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/6-1-300x284.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/6-1-768x728.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/6-1-1024x970.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/6-1-528x500.png 528w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/6-1-24x24.png 24w\" sizes=\"auto, (max-width: 1607px) 100vw, 1607px\" \/><\/p>\n<p>Across the samples we researched, the ransom demanded is between 0.44 and 0.45 BTC, around 4,000 USD at the bitcoin price of the time.<\/p>\n<p>In the screenshot above we see transactions in which some of these amounts are transferred from a wallet, or bitcoins are bought at an exchange and sent on to the wallets associated with the affiliate(s).<\/p>\n<p>Based on the list shared by Lalartu in his post and the average bitcoin price around those dates, ransom worth 287,499.00 USD had been transferred within 72 hours.<\/p>\n<p>Taking the list of transactions as the starting point of our graph analysis, we colored those edges red and from there investigated the wallets involved and any interesting transactions:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96919\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/7-1.png\" alt=\"\" width=\"1024\" height=\"1024\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/7-1.png 1024w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/7-1-150x150.png 150w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/7-1-300x300.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/7-1-768x768.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/7-1-500x500.png 500w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/7-1-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/7-1-48x48.png 48w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/7-1-96x96.png 96w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>Although it may look like spaghetti, once you dive in, very interesting patterns emerge. We see victims paying to their assigned wallets; from there it takes on average two to three transactions before the funds reach an \u2018affiliate\u2019 or \u2018distribution\u2019 wallet. From that wallet we see the split that the moniker \u2018UNKN\u2019 described in the forum post we started this article with: 60 or 70 percent stays with the affiliate and the remaining 40 or 30 percent is forwarded, in multiple transactions, to the actors behind Sodinokibi.<\/p>\n<p>Once we had identified a couple of these transactions, we dug in both directions. 
What does the affiliate do with the money, and where does the Sodinokibi actors\u2019 share go?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-96920 aligncenter\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/8-1.png\" alt=\"\" width=\"681\" height=\"810\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/8-1.png 681w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/8-1-252x300.png 252w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/8-1-420x500.png 420w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/p>\n<p>We picked one promising affiliate wallet, dug deeper and followed the transactions. As described above, the affiliate mostly receives money via an exchange, since the ransom note advises victims to buy bitcoin there. This is what we see in the example below: incoming ransom payments arrive via Coinbase.com. The affiliate appears to pay a fee to some service, but also sends BTC into Bitmix.biz, a popular underground bitcoin mixer that obfuscates the subsequent transactions to make it difficult to link them back to the \u2018final\u2019 wallet or to a cash-out into (crypto)currency.<\/p>\n<p>We also observed examples where affiliates paid for services they bought on Hydra Market. 
Hydra Market is a Russian underground marketplace where many services and illegal products are offered for payment in BTC.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96921\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/9-1.png\" alt=\"\" width=\"1377\" height=\"596\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/9-1.png 1377w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/9-1-300x130.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/9-1-768x332.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/9-1-1024x443.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/9-1-1155x500.png 1155w\" sizes=\"auto, (max-width: 1377px) 100vw, 1377px\" \/><\/p>\n<p>Following the route of the splits, we searched for transfers matching the 30 or 40 percent cut of a ransom payment of 0.27359811 BTC or, if the price had been doubled, 0.54719622 BTC.<\/p>\n<p>Using that list of amounts and querying the transactions and transfers we had discovered, we observed one wallet that was receiving a lot of these smaller payments. 
Due to ongoing research we will not publish the wallet address, but here is a graph representation of a subset of its transactions:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-96922\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/09\/10-1.png\" alt=\"\" width=\"478\" height=\"508\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/10-1.png 478w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/10-1-282x300.png 282w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/10-1-470x500.png 470w\" sizes=\"auto, (max-width: 478px) 100vw, 478px\" \/><\/p>\n<p>The graph looks like a spider: many incoming \u2018split\u2019 transfers and only a few outgoing transactions, each carrying a larger amount of bitcoin.<\/p>\n<p>If we take a typical ransom ask of $2,500 to $5,000 USD and the 30 or 40 percent split for the actors maintaining the Sodinokibi ransomware and affiliate infrastructure, they make roughly $750 (30 percent of $2,500) to $2,000 (40 percent of $5,000) per paid infection.<\/p>\n<p>We already saw at the beginning of this article that the affiliate Lalartu claimed to have made 287k USD in 72 hours; at a 30 percent cut that is roughly 86k USD for the Sodinokibi actors from a single affiliate.<\/p>\n<p>In episode 2, <a href=\"https:\/\/securingtomorrow.mcafee.com\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-the-all-stars\/\" target=\"_blank\" rel=\"noopener noreferrer\">The All-Stars<\/a>, we explained how the structure is set up and how each affiliate has its own ID.<\/p>\n<p>By tracking the samples and extracting the affiliate ID numbers they carry, we counted over 41 active affiliates. The data showed that, in a relatively short period, the velocity and number of infections was high. 
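The tracing workflow described above (victim payment addresses, a few hops to the affiliate's distribution wallet, the 30 or 40 percent operator cut, and the "spider" collector wallet) as an added Python example. This is not McAfee ATR's or Chainalysis's code; every address, TXID, amount, attribution label and the fee tolerance below are constructed for illustration, with the 0.44/0.45 BTC ransom values and the 30/40 percent cuts taken from the article:

```python
"""Follow-the-money analysis over a constructed Bitcoin transaction graph.

Added example, not McAfee ATR's or Chainalysis's code. Every address, TXID
and amount is made up to mirror the pattern the article describes:
victim -> a few hops -> affiliate wallet -> 30/40 percent split -> collector.
"""
from collections import Counter, defaultdict, deque

# Constructed transactions: (txid, from_address, to_address, amount_btc).
TXS = [
    # victims buy BTC at an exchange and pay their per-victim ransom address
    ("t01", "exchange_A", "vict_A", 0.44),
    ("t02", "vict_A", "hop_A1", 0.4399),
    ("t03", "hop_A1", "aff_1", 0.4398),
    ("t04", "exchange_B", "vict_B", 0.45),
    ("t05", "vict_B", "hop_B1", 0.4499),
    ("t06", "hop_B1", "hop_B2", 0.4498),
    ("t07", "hop_B2", "aff_1", 0.4497),
    ("t08", "exchange_C", "vict_C", 0.44),
    ("t09", "vict_C", "aff_1", 0.4399),
    ("t10", "exchange_D", "vict_D", 0.88),      # victim D paid a doubled ransom
    ("t11", "vict_D", "hop_D1", 0.8799),
    ("t12", "hop_D1", "aff_1", 0.8798),
    # affiliate 1 (40 percent operator cut) forwards the split to the collector
    ("t13", "aff_1", "op_collect", 0.176),
    ("t14", "aff_1", "op_collect", 0.18),
    ("t15", "aff_1", "op_collect", 0.352),
    # affiliate 2 (30 percent cut) does the same
    ("t16", "aff_2", "op_collect", 0.132),
    ("t17", "aff_2", "op_collect", 0.132),
    # affiliate 1 spends its share: mixer and darknet market
    ("t18", "aff_1", "bitmix", 0.9),
    ("t19", "aff_1", "hydra", 0.2),
    # the collector consolidates outward in one large transfer
    ("t20", "op_collect", "op_cold", 0.95),
]
VICTIM_ADDRESSES = ["vict_A", "vict_B", "vict_C", "vict_D"]
# Hypothetical attribution labels, as a chain-analysis tool would supply them.
LABELS = {"bitmix": "mixer", "hydra": "darknet market", "op_collect": "operator collector"}


def build_graph(txs):
    """Outgoing adjacency: address -> list of (to_address, amount, txid)."""
    graph = defaultdict(list)
    for txid, src, dst, amt in txs:
        graph[src].append((dst, amt, txid))
    return graph


def trace_forward(graph, start, max_hops=4):
    """Breadth-first forward trace: address -> fewest hops from `start`."""
    reached = {}
    queue = deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for nxt, _amt, _txid in graph.get(addr, []):
            if nxt not in reached or hops + 1 < reached[nxt]:
                reached[nxt] = hops + 1
                queue.append((nxt, hops + 1))
    return reached


def find_distribution_wallets(graph, victim_addrs, max_hops=4, min_victims=2):
    """Addresses where the forward traces of several victims converge, nearest
    first. The first entry is the affiliate's distribution wallet; the rest
    are downstream of it (collector, mixer, market)."""
    hops_by_addr = defaultdict(list)
    for victim in victim_addrs:
        for addr, hops in trace_forward(graph, victim, max_hops).items():
            hops_by_addr[addr].append(hops)
    converged = [(sum(h) / len(h), addr) for addr, h in hops_by_addr.items() if len(h) >= min_victims]
    return [addr for _mean, addr in sorted(converged)]


def match_cut(amount, ransom_amounts=(0.44, 0.45), cuts=(0.3, 0.4), tolerance=0.015):
    """Return (base, cut) if `amount` is a 30/40 percent cut of a known ransom
    (or of the doubled ransom); the relative tolerance absorbs miner fees."""
    for ransom in ransom_amounts:
        for base in (ransom, 2 * ransom):
            for cut in cuts:
                expected = base * cut
                if abs(amount - expected) <= tolerance * expected:
                    return base, cut
    return None


def find_split_transfers(txs):
    """Transfers whose amount looks like the operator's share of one ransom."""
    hits = []
    for txid, src, dst, amt in txs:
        match = match_cut(amt)
        if match:
            hits.append((txid, src, dst, amt, match))
    return hits


def find_collectors(txs, split_txs, min_inflows=3):
    """The 'spider' pattern: many split-sized inflows, few (larger) outflows."""
    inflow_count = Counter(dst for _, _, dst, _, _ in split_txs)
    inflow_btc = defaultdict(float)
    for _, _, dst, amt, _ in split_txs:
        inflow_btc[dst] += amt
    result = []
    for addr, n_in in inflow_count.items():
        if n_in < min_inflows:
            continue
        outs = [amt for _, src, _, amt in txs if src == addr]
        result.append({"address": addr, "split_inflows": n_in, "split_btc": round(inflow_btc[addr], 8),
                       "outflows": len(outs), "out_btc": round(sum(outs), 8)})
    return sorted(result, key=lambda r: -r["split_inflows"])


def outflow_summary(txs, addr, labels):
    """Where an address sends its funds, grouped by attribution label."""
    summary = defaultdict(float)
    for _, src, dst, amt in txs:
        if src == addr:
            summary[labels.get(dst, dst)] += amt
    return {label: round(btc, 8) for label, btc in summary.items()}


if __name__ == "__main__":
    graph = build_graph(TXS)
    print("distribution wallet:", find_distribution_wallets(graph, VICTIM_ADDRESSES)[0])
    splits = find_split_transfers(TXS)
    for txid, src, dst, amt, (base, cut) in splits:
        print(f"{txid}: {src} -> {dst} {amt} BTC = {round(cut * 100)}% of {base} BTC")
    print("collectors:", find_collectors(TXS, splits))
    print("aff_1 spending:", outflow_summary(TXS, "aff_1", LABELS))
```

On real data the transaction list comes from a blockchain index or a chain-analysis export, the ransom values come from the samples, and the tolerance has to be tuned: too tight and fee-adjusted splits are missed, too loose and unrelated transfers are tagged as operator cuts.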
Combine this velocity with even a few payments per day and it is clear that the actors behind Sodinokibi are making a fortune.<\/p>\n<p>Following the traces of one particular affiliate, we ended up seeing large amounts of bitcoin being transferred into a wallet that held a total of 443 BTC, around 4.5 million USD at the average bitcoin price.<\/p>\n<p>We understand that there are situations in which executives decide to pay the ransom, but every payment keeps this business model alive and also funds other criminal markets.<\/p>\n<h2><span style=\"color: #ff0000;\">Conclusion<\/span><\/h2>\n<p>In this blog we focused on the financial streams behind ransomware. By linking underground forum posts with bitcoin transfer traces, we were able to uncover new information on the size of the campaign and its revenue. In some cases, we were even able to get detailed insights into what the affiliates do with their earnings following a \u201csuccessful\u201d attack. 
It shows that paying a ransom not only keeps the \u2018ransom model\u2019 alive but also supports other forms of crime.<\/p>\n<p>In the next and final episode, \u201cCrescendo\u201d, McAfee ATR reveals insights gleaned from a global network of honeypots.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi&#8230;<\/p>\n","protected":false},"author":1008,"featured_media":96448,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[5526],"coauthors":[5403,3576],"class_list":["post-96913","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-advanced-threat-research"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - Follow The Money | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - Follow The Money | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2019-10-14T13:33:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T02:52:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"768\" \/>\n\t<meta property=\"og:image:height\" content=\"432\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"John Fokker, Christiaan Beek\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@john_fokker\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"John Fokker, Christiaan Beek\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/\"},\"author\":{\"name\":\"John Fokker\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/d4dadad7c176dd7a73390cfce3ce5e41\"},\"headline\":\"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service &#8211; Follow The Money\",\"datePublished\":\"2019-10-14T13:33:20+00:00\",\"dateModified\":\"2025-06-03T02:52:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/\"},\"wordCount\":1222,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg\",\"keywords\":[\"Advanced Threat Research\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/\",\"name\":\"McAfee ATR Analyzes Sodinokibi 
aka REvil Ransomware-as-a-Service - Follow The Money | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg\",\"datePublished\":\"2019-10-14T13:33:20+00:00\",\"dateModified\":\"2025-06-03T02:52:31+00:00\",\"description\":\"Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg\",\"width\":768,\"height\":432},{\"@type\":\"BreadcrumbList\",\"@id\":\"
https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service &#8211; Follow The Money\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mc
afee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/d4dadad7c176dd7a73390cfce3ce5e41\",\"name\":\"John Fokker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/8205fa3ae2b891a459426ee038d61bd4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/04\/Screen-Shot-2019-01-31-at-11.50.11-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/04\/Screen-Shot-2019-01-31-at-11.50.11-96x96.png\",\"caption\":\"John Fokker\"},\"description\":\"John Fokker is a Principal Engineer and Head of Cyber Investigations for the Advanced Threat Research. Prior to joining the team, he worked at the National High Tech Crime Unit (NHTCU), the Dutch national police unit dedicated to investigating advanced forms of cybercrime. Within NHTCU he led the data science group, which focused on threat intelligence research. During his career he has supervised numerous large-scale cybercrime investigations and takedowns. Fokker is also one of the cofounders of the NoMoreRansom Project. He started his career with the Netherlands Police Agency as a digital forensics investigator within a task force against organized crime. Before joining the national police, he served in the special operations and counterterrorism group of the Royal Netherlands Marine Corps.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/john-fokker-95b614107\/\",\"https:\/\/x.com\/john_fokker\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/john-fokker\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - Follow The Money | McAfee Blog","description":"Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - Follow The Money | McAfee Blog","og_description":"Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2019-10-14T13:33:20+00:00","article_modified_time":"2025-06-03T02:52:31+00:00","og_image":[{"width":768,"height":432,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg","type":"image\/jpeg"}],"author":"John Fokker, Christiaan Beek","twitter_card":"summary_large_image","twitter_creator":"@john_fokker","twitter_site":"@McAfee","twitter_misc":{"Written by":"John Fokker, Christiaan Beek","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/"},"author":{"name":"John Fokker","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/d4dadad7c176dd7a73390cfce3ce5e41"},"headline":"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service &#8211; Follow The Money","datePublished":"2019-10-14T13:33:20+00:00","dateModified":"2025-06-03T02:52:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/"},"wordCount":1222,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg","keywords":["Advanced Threat Research"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/","name":"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - Follow The Money | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg","datePublished":"2019-10-14T13:33:20+00:00","dateModified":"2025-06-03T02:52:31+00:00","description":"Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration-768x432.jpg","width":768,"height":432},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money\/#bread
crumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service &#8211; Follow The Money"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/d4dadad7c176dd7a73390cfce3ce5e41","name":"John 
Fokker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/8205fa3ae2b891a459426ee038d61bd4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/04\/Screen-Shot-2019-01-31-at-11.50.11-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/04\/Screen-Shot-2019-01-31-at-11.50.11-96x96.png","caption":"John Fokker"},"description":"John Fokker is a Principal Engineer and Head of Cyber Investigations for the Advanced Threat Research. Prior to joining the team, he worked at the National High Tech Crime Unit (NHTCU), the Dutch national police unit dedicated to investigating advanced forms of cybercrime. Within NHTCU he led the data science group, which focused on threat intelligence research. During his career he has supervised numerous large-scale cybercrime investigations and takedowns. Fokker is also one of the cofounders of the NoMoreRansom Project. He started his career with the Netherlands Police Agency as a digital forensics investigator within a task force against organized crime. 
Before joining the national police, he served in the special operations and counterterrorism group of the Royal Netherlands Marine Corps.","sameAs":["https:\/\/www.linkedin.com\/in\/john-fokker-95b614107\/","https:\/\/x.com\/john_fokker"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/john-fokker\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/96913","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/1008"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=96913"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/96913\/revisions"}],"predecessor-version":[{"id":214948,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/96913\/revisions\/214948"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/96448"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=96913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=96913"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=96913"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=96913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
