Malware spotlight: Sodinokibi
Introduction
Ransomware is not new at this point in time and will be with us for the foreseeable future, as new types of ransomware are constantly emerging. And sometimes, new ransomware makes a big impact fast.
Sodinokibi is one of these strains of malware that needs to be taken seriously. Within four months of its discovery, it had managed to become the fourth most common ransomware on the internet!
This article will provide you with a high-level view of the Sodinokibi ransomware. We’ll explore what it is, how it spreads, how it works and other useful information about this ransomware.
What is Sodinokibi?
Sodinokibi was originally discovered in April 2019 by Cisco Talus and is sometimes referred to as Sodin and REvil. This ransomware-as-a-service (RaaS) targets Windows operating systems. It was originally discovered exploiting an Oracle WebLogic vulnerability and has been observed only affecting countries outside of the former states of the USSR.
Part of what makes Sodinokibi so interesting is its origin. This goes back to the end of the GandCrab campaign, which has earned the notoriety of being responsible for 40% of all ransomware infections worldwide. This ransomware, like Sudinokibi, was a RaaS, and the cybercriminal gang behind it boasted earnings of over $2 billion dollars collected from victim ransom payments.
Administrators of GandCrab had announced their retirement, which was apparently a retirement of GandCrab itself and not their campaigns for ill-gotten wealth. Instead, they shifted their focus to Sodinokibi, which has been described as being a “lucrative in the extreme” scheme for its authors.
It should be noted that whether Sodinokibi is the creation of the GandCrab gang is technically still not known, but there are some key indicators that it indeed is. To start, researchers have observed a clear code overlap between Sodinokibi and GandCrab. This has led researchers at security firm Secureworks to conclude that the groups behind the two ransomware families “overlap or are linked.”
Another interesting connection is that past affiliates of GandCrab have been identified as spending Bitcoin they received from Sodinokibi ransom payments at Hydra Market. Hydra is an infamous Russian cybercrime marketplace where cybercriminals trade illicit goods and services for Bitcoin. While this still is not definitive proof that the authors of the two ransomware are the same, these connections are likely not mere coincidence.
How does Sodinokibi spread?
This ransomware is spread via many different methods, including spam campaigns, exploit kits, managed service providers, remote desktop protocols and unpatched VPNs. Several instances were discovered in April 2019 to have been dropped onto compromised servers and systems with zip files containing malicious script (JavaScript) via a malicious link in emails, which sheds light on a rather conventional ransomware-spreading method that required user interaction.
Fast-forward just a few months and Sodinokibi is most notably spread via its RaaS affiliate network that does not require user interaction. It should be noted that as of this writing, Sodinokibi does not currently self-propagate.
The effectiveness of Sudinokibi stems in part from the fact that Sodinokibi zip files have a very low rate of detection on VirusTotal. This means that most antivirus products will not flag initial payloads as being malicious. As such, the first level of defense for most organizations will be bypassed completely, which may be all it needs to establish the proverbial beachhead on a machine.
How does Sodinokibi work?
After Sodinokibi is installed, it immediately gets to work. The ransomware begins by creating a .txt file with the path of the encrypted files, with a random extension followed by -HOW-TO-DECRYPT.txt. Commands are then issued for Shadow Volume Copies to be deleted, as well as to disable Windows Startup Repair.
Sodinokibi then encrypts files on a compromised computer and adds a random extension on each encrypted file that is unique to the computer. These extensions include a sizeable list of extensions such as .Jpeg, .Jpg, .tif, .raw, .bmp, .png, .max, .3dm, .db, .accdb, .mdb, .dxf, .dwg, .cs, .cpp, .asp, .php, .java, .gif and more. This process is done without the user having any knowledge of it until what happens next.
When encryption is complete, that’s when the user’s world is upended. Sodinokibi changes the desktop background to a ransom note that tells the user how much Bitcoin will be required to decrypt their important files; this amount can vary, but anywhere from .32 to .41 Bitcoin can be expected. Sometimes they go into the millions of dollars if the victim organization is well-established with deep pockets. This ransom note also contains instructions about how the user can decrypt their files, including links to a website where they can make their ransom payment and unique keys.
Vulnerabilities it exploits
As mentioned earlier, Sodinokibi can propagate by exploiting vulnerabilities. While this is not an exclusive list, some of its favorite ones to exploit are:
- CVE-2019-2725: A vulnerability impacting Oracle WebLogic Server
- CVE-2018-8453: This a vulnerability of a Win32k.sys component involving privilege escalation
Conclusion
Sodinokibi is a prolific instance of ransomware that has quickly established itself as one of the most common ransomware families on the internet today, and if you consider its ability to sidestep the first layer of information security protection used by many organizations, we are looking at potentially the internet’s top ransomware threat relatively soon.
The good thing is that standard cybersecurity training measures will go the distance in preventing this ransomware from impacting you and forcing your organization to have to pay thousands or even millions of dollars to decrypt your important files.
Sources
- Dissecting the threat from Sodinokibi ransomware, Cyware News
- Sodinokibi: The Crown Prince of Ransomware, Cybereason
- Unpatched VPN makes Travelex latest victim of “REvil” ransomware, Ars Technica
- Sodinokibi Ransomware Gang Appears to Be Making a Killing, Bank Info Security
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Malware spotlight: Sodinokibi
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis