Menu
Browse

Cyber Threat Actor: Sodinokibi Affiliates

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Italy
1 incident
Profile

The threatactor known as Sodinokibi Affiliates operates under the alias Sodinokibi Affiliates and has been associated with the Sodinokibi ransomware ecosystem. Public reporting indicates a possible base in Italy, though the exact location remains uncertain. The group functions as an affiliate network that distributes the Sodinokibi ransomware in exchange for a share of the ransom proceeds. Their primary objective, as observed in reported incidents, is financial gain achieved through encrypting victims' files and demanding payment for decryption.

Targeting observed in the documented activity is not limited to a specific industry or region; the affiliates have shown the ability to compromise a variety of targets through multiple channels. Initial access frequently involves exploiting managed service provider management consoles to push malicious payloads, as well as sending spam emails that impersonate Booking.com to lure recipients into opening malicious attachments. Additional vectors include weaponized Word documents that deliver PowerShell scripts and the hijacking of legitimate websites to redirect visitors to malware-hosting sites. The malware family employed in these operations is Sodinokibi ransomware, which is deployed after initial access to encrypt files and display ransom notes.

A representative example of their activity occurred on June 19, 2019, when the Winrar.it distributor site was compromised to serve Sodinokibi ransomware as part of a broader campaign that combined hacked MSP tools, malicious spam, and compromised software distribution platforms. This incident illustrates how the affiliates leveraged trusted software channels and email lures to reach a wide audience, resulting in widespread file encryption and ransom demands across diverse victims. The operation highlights the affiliate model’s reliance on varied infection techniques to maximize impact and revenue.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources