The ransomware known as Sodinokibi, also known as REvil, is setting up a team of ‘all-star affiliates’, criminals who distribute the ransomware for a share of the profits. The Sodinokibi Ransomware was discovered at the end of April, when it tried to enter vulnerable WebLogic servers.

Experts are convinced that the REvil ransomware was created by the group behind GandCrab, which was the most popular form of ransomware for a year. According to its creators, it raised 2.5 million dollars a week.

The new strain of ransomware has already caused major problems at hundreds of dental practices in the US and for 22 municipalities in the American state of Texas. Two new reports from McAfee show that associates of GandCrab are switching to REvil, writes Bleeping Computer.

Affiliates of GandCrab

Ransomware affiliates are cybercriminals or groups that are given the ‘opportunity’ to distribute ransomware in exchange for part of the ransom paid by victims. Affiliates that achieve more infections (and ransom payments) are paid more money.

McAfee discovered that affiliates use ID numbers that are incorporated into the ransomware they distribute. Affiliates could also generate sub-IDs. By analyzing hundreds of GandCrab samples, it was established that there were about 292 affiliates. Not all of these were actually active. The one that used number 99 was the most active, followed by 15, 41 and 170.

A month before Sodinokibi became active, McAfee discovered that some of those suddenly disappeared from the last build of the ransomware, version 5.2. Not long after that, a relatively new ransomware-as-a-service (RaaS) appeared without a name. On forums like exploit.in, a member named UNKN has been recruiting affiliates.

All-star team

The recruitment process was very selective and only a small proportion of the participants was actually selected. Not long after that, Sodinokibi was rife with distributions that were very similar to the GandCrab attacks. Therefore, it is possible that the affiliates were then moved to Sodinokibi, or that they continued their malicious activities on their own initiative. In any case, least ID’s and SubID’s are used again, in the same way as GandCrab affiliates did.

Affiliates must be taken offline

McAfee argues that the police should not only try to combat the ransomware itself, but also the distributors. By disrupting the distribution, the RaaS distributive network quickly disintegrates as a whole. The income generated by that network depends on the best performing affiliates, to a large extent.