A recent campaign targeting the financial sector has been linked to the REvil/Sodinokibi ransomware family. REvil/Sodinokibi is operated as Ransomware-as-a-Service (RaaS): different affiliates run each campaign, so the TTPs vary from one campaign to another. REvil/Sodinokibi operators commonly rely on lateral movement to reach and gain control of the domain controller / Active Directory.
In this campaign, a bank in Latin America was targeted with REvil/Sodinokibi malware. Users received phishing emails carrying a malicious attachment or link; the attachment was likely opened, which gave the threat actors initial access to the victim network. That access was then used to move laterally through the network to the domain controller, from which the REvil/Sodinokibi ransomware was eventually deployed to connected systems.
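The last step of the chain described above, ransomware pushed from the domain controller to connected systems, produces a distinctive network pattern: a DC that normally talks to a handful of peers suddenly initiates admin-port connections (SMB, RPC, WinRM) to many workstations within minutes. The following hunt script is an added example and is not part of the original advisory; the advisory does not state which remote-execution mechanism was used, so the script keys only on the fan-out itself. The connection-log format, host addresses, port set and thresholds are assumptions for illustration, and the sample log is constructed.

```python
"""Hunt for a domain controller fanning out to many hosts on admin ports.

Added example, not from the original advisory. Log format, addresses,
ports and thresholds are assumed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one connection per line: "timestamp src dst dst_port".
# 10.0.0.5 is the DC; 10.0.0.6 is a peer it legitimately talks to.
SAMPLE_LOG = """\
2021-05-10T01:00:00 10.0.0.5 10.0.0.6 445
2021-05-10T01:12:00 10.0.1.21 10.0.0.5 445
2021-05-10T01:30:00 10.0.0.5 10.0.0.6 445
2021-05-10T01:59:00 10.0.0.5 10.0.0.9 53
2021-05-10T02:00:05 10.0.0.5 10.0.1.21 445
2021-05-10T02:00:06 10.0.0.5 10.0.1.22 445
2021-05-10T02:00:08 10.0.0.5 10.0.1.23 135
2021-05-10T02:00:11 10.0.0.5 10.0.1.24 445
2021-05-10T02:00:15 10.0.0.5 10.0.1.25 445
2021-05-10T02:00:20 10.0.0.5 10.0.1.26 5985
2021-05-10T02:00:31 10.0.0.5 10.0.1.27 445
"""

DOMAIN_CONTROLLERS = {"10.0.0.5"}          # assumed inventory of DC addresses
ADMIN_PORTS = {445, 135, 5985, 5986}       # SMB, RPC endpoint mapper, WinRM (assumed set)


def parse_events(log_text):
    """Parse the assumed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_dc_fanout(log_text, dcs=DOMAIN_CONTROLLERS, ports=ADMIN_PORTS,
                   window_minutes=5, threshold=5):
    """Return {dc: sorted target hosts} for each DC that initiates admin-port
    connections to at least `threshold` distinct hosts inside any window of
    `window_minutes`. Targets from every window that trips the threshold are
    merged so the analyst sees the full blast radius."""
    window = timedelta(minutes=window_minutes)
    by_dc = defaultdict(list)
    for ts, src, dst, port in parse_events(log_text):
        if src in dcs and port in ports:        # only DC-originated admin traffic
            by_dc[src].append((ts, dst))

    alerts = {}
    for dc, evs in by_dc.items():
        evs.sort()
        start = 0
        in_window = defaultdict(int)            # dst -> connections inside window
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.setdefault(dc, set()).update(in_window)
    return {dc: sorted(targets) for dc, targets in alerts.items()}


if __name__ == "__main__":
    for dc, targets in find_dc_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {dc} fanned out to {len(targets)} hosts: {', '.join(targets)}")
```

The two replication-style connections to 10.0.0.6 and the DNS query fall outside the window or the port set and are not flagged; the seven admin-port connections within 30 seconds are. Tune the window and threshold to the DC's baseline before relying on this in production, since DCs that legitimately push software or run scheduled remote tasks will need a higher threshold or an allow-list of expected targets.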