Using a network of honeypots, researchers from McAfee examined the tools and tactics used by the Sodinokibi Ransomware (REvil) affiliates to infect their victims with ransomware and compromise other machines on the network.
As part of the Sodinokibi ransomware-as-a-service, ransomware executables are tagged with an affiliate's IDs and sub IDs in order to track who infected the victim and which affiliate should earn a commission for a payment.
At the same time, these affiliate IDs allow researchers to track their behavior as well and paint a picture of how they infect their victims and spread laterally throughout a network.
