Sodinokibi, also known as Sodin or REvil is the new king of ransomware. The ransomware which believed to make huge profits as GandCrab is still actively used against organizations across the globe. The malware leverages vulnerable Managed Service Providers, exploit kits, spam campaigns or flawed servers to propagated across systems.
Who is behind the malware?
The notorious ransomware is likely being distributed by attackers affiliated with those that distributed the infamous GandCrab ransomware family, which is supposed to have retired on the underground forum.
How does it operate?
Once the ransomware is installed, it creates a .txt file named ‘[PATH TO ENCRYPTED FILES]\[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt’. Then it issues the following commands to delete Shadow Volume Copies and disable Windows Startup repair.
After this, Sodinokibi encrypts files on the compromised server and appends the encrypted files with random extension that is unique for each compromised computer.
The ransomware encrypts files with specific extensions that includes .Jpg, .Jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, ,php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif and .psd.
Once the malware completes its encryption process, Sodinokibi changes the desktop wallpaper and drop a ransom note. The notes contain instructions about the decryption process. The ransom note also provides instructions on how to make the payment to have the files decrypted. These ransom notes contain unique keys and links to the payment site.
Propagation by exploiting vulnerabilities
Threat actors have also managed to distribute the ransomware by exploiting some well-known vulnerabilities:
CVE-2018-8453: This privilege escalation vulnerability exists in Win32k.sys component. The attackers exploited the vulnerability to infect victims in the Asia-Pacific region with the ransomware.
CVE-2019-2725: This remote code execution vulnerability impacts Oracle WebLogic Server. Attackers were spotted abusing the security flaw in the wild to spread the ransomware.
The ransomware has been designed to target systems running the Windows operating system.
The final word
To protect against ransomware, users are recommended to follow basic security tips such as using an advanced anti-ransomware solution and maintaining an updated anti-virus solution. Having a backup of files also helps victims to an extent by preventing them from paying the ransom.