The FBI has published a Private Industry Notification (PIN) advising that Sodinokibi ransomware actors have adopted new tactics with the potential to increase the number of victims. According to the PIN, these new tactics include examining data in compromised accounts for information that could provide leverage for extortion and searching for unpatched vulnerabilities in VPN servers to facilitate deployment of malware. These tactics mimic those of several other ransomware groups, including the one behind Maze. By threatening to pass the information, which could be sensitive or contain embarrassing details, to competitors or to share it with the general public, the threat actors hope to motivate their victims to pay. The PIN also contains a list of actions organizations can take to avoid becoming victims of this activity.
WaterISAC has previously reported on this new tactic and how it has been employed by the threat actors behind the Sodinokibi (aka REvil) and Maze ransomware variants. See its posting “When Ransomware Strikes, Assume Data Breach Too” from the February 11, 2020 Security and Resilience Update for additional background.