Dissecting the threat from Sodinokibi ransomware

• The ransomware is being actively distributed in the wild through Managed Service Providers, exploit kits and spam campaigns.
• The ransomware has been designed to target systems running the Windows operating system.

Sodinokibi, also known as Sodin or REvil is the new king of ransomware. The ransomware which believed to make huge profits as GandCrab is still actively used against organizations across the globe. The malware leverages vulnerable Managed Service Providers, exploit kits, spam campaigns or flawed servers to propagated across systems.

Who is behind the malware?

The notorious ransomware is likely being distributed by attackers affiliated with those that distributed the infamous GandCrab ransomware family, which is supposed to have retired on the underground forum.

How does it operate?

Once the ransomware is installed, it creates a .txt file named ‘[PATH TO ENCRYPTED FILES]\[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt’. Then it issues the following commands to delete Shadow Volume Copies and disable Windows Startup repair.

After this, Sodinokibi encrypts files on the compromised server and appends the encrypted files with random extension that is unique for each compromised computer.

The ransomware encrypts files with specific extensions that includes .Jpg, .Jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, ,php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif and .psd.

Once the malware completes its encryption process, Sodinokibi changes the desktop wallpaper and drop a ransom note. The notes contain instructions about the decryption process. The ransom note also provides instructions on how to make the payment to have the files decrypted. These ransom notes contain unique keys and links to the payment site.

Propagation by exploiting vulnerabilities

Threat actors have also managed to distribute the ransomware by exploiting some well-known vulnerabilities:

CVE-2018-8453: This privilege escalation vulnerability exists in Win32k.sys component. The attackers exploited the vulnerability to infect victims in the Asia-Pacific region with the ransomware.

CVE-2019-2725: This remote code execution vulnerability impacts Oracle WebLogic Server. Attackers were spotted abusing the security flaw in the wild to spread the ransomware.

The ransomware has been designed to target systems running the Windows operating system.

Characteristics

• REvil avoids infecting computers from Iran, Russia and other countries that were formerly part of the USSR.
• It uses AES and Salsa 20 algorithm to encrypt user’s files. While AES is used to encrypt session keys and data that is sent to the control server, user files are encrypted using Salsa20 encryption.
• The malware uses an Elliptic-curve Diffie-Hellman key exchange algorithm to generate and propagate encryption keys.
• Currently, Sodinokibi demands 0.32806964 BTC to provide decryption keys to victims. The operator claim that the ransom should be paid within four days or the amount will be doubled.

The final word

To protect against ransomware, users are recommended to follow basic security tips such as using an advanced anti-ransomware solution and maintaining an updated anti-virus solution. Having a backup of files also helps victims to an extent by preventing them from paying the ransom.