Cybersecurity In-Depth: Digging into data about the latest attacks, threats, and trends using charts and tables.

What does DNS activity look like surrounding the REvil/Sodinokibi ransomware threat?

Ben Nahorney, Threat Intelligence Analyst, Cisco Security

August 24, 2021

1 Min Read
DNS activity surrounding REvil/Sodinokibi
Cisco Security

Earlier this year year in a blog series about threat trends in DNS security, Cisco Security looked at the REvil ransomware, also known as Sodinokibi or Sodin. It noted how the ransomware compromised far more endpoints than Ryuk but had far less DNS communication. However, when revisiting these metrics, Cisco Security researchers noticed this changed in the beginning of 2021. What’s interesting in revisiting this data over an 18-month span is that while the number of endpoints didn’t rise dramatically in 2021, the amount of DNS activity did when comparing each month with the overall averages. In fact, the one noticeable drop in endpoints in December appears to coincide with the beginning of a dramatic rise in DNS activity. 

Read the full blog post to learn more.

About the Author(s)

Ben Nahorney

Threat Intelligence Analyst, Cisco Security

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights