Posted: 4 Min ReadThreat Intelligence

Affiliates Unlocked: Gangs Switch Between Different Ransomware Families

The demise of Sodinokibi has led to a surge in LockBit activity, while there’s evidence affiliates are using multiple ransomware families to achieve their goals.

The shutdown of the Leafroller ransomware gang (aka Sodinokibi/REvil) has resulted in a surge in LockBit activity, as some ex-Sodinokibi affiliates move to that ransomware. Meanwhile, there is also more evidence that some attackers are affiliated to more than one ransomware group and are switching between ransomware families mid-attack if the initial ransomware they attempt to deploy fails to execute.

These are just the latest developments Symantec, part of Broadcom Software, has seen as ransomware actors continue to evolve their tactics to make their attacks more dangerous and effective.

Sodinokibi shutdown leads to LockBit surge

Attacks involving the LockBit ransomware have increased markedly over the past month, with some indications that the group behind it is attempting to fill the gap left by the Sodinokibi ransomware.

Sodinokibi’s infrastructure and websites disappeared on July 12, 2021, shortly after the group had carried out a major ransomware attack in which it encrypted approximately 60 managed service providers (MSPs) and more than 1,500 individual businesses using a zero-day vulnerability in the Kaseya VSA remote management software. It’s unclear why exactly the gang’s operations shut down, but it has been speculated that the gang shuttered their activity following either pressure or action by law enforcement.

Symantec researchers have seen evidence that at least one former Sodinokibi affiliate is now using LockBit. Symantec has observed an attacker using consistent tactics, tools, and procedures (TTPs) attempting to deliver Sodinokibi to victims until July of 2021, when the payload switched to LockBit.

LockBit (aka Syrphid) was first seen in September 2019, and launched its ransomware-as-a-service (RaaS) offering in January 2020, however, there was a marked increase in its activity in the last month as it seemingly attempted to recruit former Sodinokibi affiliates.

This recent attack began with a file named mimi.exe, which is an installer that drops a number of password-dumping tools. Immediately prior to the ransomware being launched, a large number of commands were executed to disable various services, block access to remote desktop protocol (RDP), and delete shadow copies. This is activity we typically see before ransomware is deployed on a system. The actor behind this attack consistently named their ransomware payload as svhost.exe and this practice was maintained following their transition to LockBit.

The actors behind recent LockBit campaigns were seen using a variety of different TTPs before deploying the ransomware payload, including:

  • DefenderControl.exe – disables Windows Defender
  • NetworkShare – scans infected network
  • Nsudo-dropper – file dropper
  • Credential Stealing – collecting credentials from infected machines
  • Mimikatz – credential dumper, used for lateral movement across networks
  • Defoff.bat 
  • DelSvc.bat 
  • Netscan – retrieves information about services running on infected machines
  • PasswordRevealer – shows obfuscated passwords

The numerous password-dumping tools used by these attackers indicates that harvesting credentials is a key part of their attack chain.

Splitting allegiances

In another ransomware attack that occurred in June 2021, it appears that attackers who usually encrypt networks using the Conti ransomware switched payloads and used the Sodinokibi ransomware instead.

Initial activity in this attack followed the attackers’ usual playbook, deploying Cobalt Strike, an off-the-shelf remote access tool commonly seen used in ransomware attacks. This would usually be followed by them delivering Conti. Conti first appeared in December 2019 and has been seen used in some high-profile recent ransomware attacks, many targeting healthcare providers, including a May 2021 ransomware attack that crippled Ireland’s public health service provider, the HSE.

However, in this recent attack, instead of deploying Conti, the attackers switched payloads and deployed Sodinokibi to encrypt several hundred machines on the network. Before Sodinokibi was deployed we saw the attackers use BitsAdmin when moving across the victim network, while they also carried out some other preliminary activity before deploying the ransomware, including disabling Microsoft Defender, disabling RealTime Monitoring, and deleting shadow copies.

The attackers maintained a presence on the victim network for approximately three weeks before the Sodinokibi ransomware was deployed.

While not common up to now, this isn’t the first time we have seen evidence of affiliates appearing to have access to more than one ransomware family at the same time. In the attack we talked about in our blog Ransomware: Growing Number of Attackers Using Virtual Machines, there was evidence the attacker had access to both the Mount Locker and Conti ransomware, and may have attempted to run one payload on a virtual machine and, when that didn’t work, ran Mount Locker on the host computer instead.


Affiliates switching between different ransomware families like this is yet another attempt by ransomware actors to increase the chances of their attacks succeeding, and it will be interesting to see whether or not this is a tactic we start to increasingly observe during ransomware attacks.

Having access to multiple ransomware families increases the likelihood of affiliates being able to encrypt machines, increasing the dangers posed by these already dangerous attacks. This is just the latest development we have seen from ransomware actors, who are constantly refining their tactics in order to maximise their profits. The use of virtual machines was another example of attackers tweaking their approach in order to carry out a ransomware attack, while the emergence of double-extortion ransomware attacks last year, where attackers steal data and threaten to release it while also encrypting machines in ransomware attacks, led to one of the biggest shifts we saw in the ransomware landscape in recent times.

The surge in LockBit activity that we have seen also shows that while some big ransomware names have shut down their operations in recent times, there are many other ransomware operators waiting to fill the space that has been left.

Ransomware actors continue to change and refine their tactics in an effort to evade the security steps taken by organizations to stop these types of attacks, which is why ransomware remains one of the biggest threats on the cyber crime landscape in 2021.   


For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise (IoCs)

File hashesDescriptionsDetection Names
66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a Mimikatz Hacktool.Mimikatz
c667c916b44a9d4e4dd06b446984f3177e7317f5f9cff91033d580d0cc617eaa LockBit Ransom.LockBit
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446 Alias: NetworkShare Hacktool
c4f3f4bd9ebd180388ed1812df0cd48e02a2393bccee822410cf28b44c44a382 LockBit Heur.AdvML.B
7e97f617ef7adbb2f1675871402203c245a0570ec35d92603f8f0c9e6347c04a LockBit Heur.AdvML.B
659ce17fd9d4c6aad952bc5c0ae93a748178e53f8d60e45ba1d0c15632fd3e3f Alias: Nsudo-dropper Trojan Horse
ad9e1593f9d992ddb9d21495f06bd31a7e39ee7746510d66f0596c5dfbc4e8ab PasswordDumper PasswordRevealer
bce5c2583c32efc411dddaaee8b63a36fe8010c284ddeb558246e81a62179323 LockBit Heur.AdvML.B
dae5fbdaa53b4f08876e567cf661346475ff4ae39063744ca033537d6393639a LockBit Ransom.LockBit
068D94A8AD277637412AE710AB431789A5E6F020B6FB412FC2C06D5C00E5342A DelSvcBAT Trojan Horse
0A9E09A970E6E0EDEE2D9120F6E5020F7C1B75CCF7AD1A0C720A63E914099CF5 LockBit Trojan Horse
2DDDFD3FF13F0CAF9644E95F93F008590D54B521DCBC4DEFC9EB37801498DD51 Netscan Trojan Horse
5D74EFDF9062FE052E8676F9CA9AFB4BFF770B55AC98F51210E502061E706DB8 DelSvcBAT Trojan Horse
6C76C93867B28C070E32E17312B1FD1E01FC7BA2D7DC0AE2A0B96CD615F643F9 Unknown Trojan Horse
A398C70A2B3BF8AE8B5CEDDF53FCF6DAA2B68AF2FADB76A8EA6E33B8BBE06F65 DefoffBAT Trojan Horse
36E33EB5280C23CBB57067F18514905E42F949250F95A5554F944180FCD5FE36 Mimikatz Trojan Horse
net stop MSSQL$MSFW
net stop MSSQL$ISARS
net stop MSSQLServerADHelper100
net stop MSSQLServerADHelper100
net stop SQLAgent$ISARS
net stop MSSQL$MSFW
net stop MSSQL$ISARS
net stop MSSQLServerADHelper100
net stop SQLAgent$MSFW
net stop SQLAgent$ISARS
net stop MicrosoftDependencyAgent
net stop Veeam.Archiver.Service
net stop "Microsoft Storsimple Management Service" /y
net stop VeeamFilesysVssSvc
net stop Veeam.Archiver.Proxy
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
Symantec Enterprise Blogs
You might also enjoy
4 Min Read

Ransomware: Growing Number of Attackers Using Virtual Machines

Tactic hides ransomware payload and lowers the risk of discovery while encryption process is underway.

About the Author

Threat Hunter Team


The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.