Correlate

Level 8
After a Sodinokibi ransomware affiliate posted partial transaction IDs for ransomware payments, researchers were able to use that information to follow the money trail for affiliates and in some cases, how they spend their illicit earnings.
Earlier this month, McAfee provided a look at the GandCrab Ransomware-as-an-Affiliate operation and how the Sodinokibi Ransomware recruited the top performers to build an all-star team of affiliates after GandCrab was shut down.
As part of this reporting, it was shown how an affiliate named Lalartu was vouching for the Sodinokibi Ransomware RaaS on an underground malware and hacker forum.