More drama in the world of ransomware? Was Vard Group victimized twice?

Now what happened here?  The Sodinokibi (“REvil”) ransomware operators have a new post that seems to claim that one of their victims was defrauded by a recovery company to the tune of $5.5 million.

Vard Group, a Norwegian unit of shipbuilder Fincantieri SpA, was attacked in June 2020. But what happened next? It sounds like the company was snookered by a firm who took advantage of REvil’s standard offer to decrypt one archive to obtain a decrypted archive to show Vard as “proof” that they could recover their data for them…..I think?  Here is REvil’s actual post, sans the encrypted and decrypted proof:

ATTENTION! The fact of fraudulent recovery company is there! After encryption of all files and servers inside the company Vard Group AS with all their affiliates(screenshot of all their servers are attached), the owners of Vard Group AS paid $5,500,000 to fraudulent recovery company which asked from Revil Ransomware Team for a test decryption of encrypted archive (encrypted and decrypted archives are attached). That’s why we publicly give 72 hours to the owners to contact with us directly, or the price will be doubled.

So how does REvil know that the victim paid some company $5.5 million? Did Vard tell them that in some follow-up communications?  And who is this company that REvil is accusing of fraud?

But it raises a good point:  do you know who you are dealing with? Part of your planning includes having your forensic consultants and any negotiators lined up in advance. Was Vard approached by an unscrupulous company or fraudsters?

If anyone knows more about this or if REvil would like to provide more details or more of an explanation, please contact me via email to breaches[at] or via Signal +1-516-776-7756.


About the author: Dissent

Comments are closed.