Sneak peek into Sodinokibi ransomware that poses risk for enterprises worldwide

  • The ransomware is being actively distributed in the wild through Managed Service Providers, exploit kits and spam campaigns.
  • The ransomware has been designed to target systems running Windows operating system.

Affiliates of Sodinokibi, also known as Sodin or REvil, are rapidly expanding the attack vectors they use to infect victims. The ransomware is being actively distributed in the wild through Managed Service Providers, exploit kits and spam campaigns, or by taking advantage of server flaws.

How does it operate?

Once the ransomware is installed, it creates a .txt file named ‘[PATH TO ENCRYPTED FILES]\[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt’. It then issues commands to delete Shadow Volume Copies and disable Windows Startup Repair.

After this, Sodinokibi encrypts files on the compromised system and appends a random extension to each encrypted file; the extension is unique to each compromised computer.

The ransomware encrypts files with specific extensions, including .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif and .psd.

Once the encryption process completes, Sodinokibi changes the desktop wallpaper and drops a ransom note. The note contains instructions for the decryption process and for making the payment required to have the files decrypted. These ransom notes contain unique keys and links to the payment site.
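The two naming conventions described above (a ransom note named `<random extension>-HOW-TO-DECRYPT.txt` dropped next to the encrypted files, and the same random extension appended to files that originally carried one of the listed extensions) are enough to build a simple post-incident triage script. The following is an added example written for this page, not code from the article or from any vendor tool; the directory layout, file names and the `a1b2c3` extension it creates are constructed sample data, and the walk-based scan is an assumed approach rather than any documented detection signature.

```python
import os
import re
import tempfile
from pathlib import Path

# File extensions the article lists as targeted by Sodinokibi.
TARGETED_EXTENSIONS = {
    ".jpg", ".jpeg", ".raw", ".tif", ".png", ".bmp", ".3dm", ".max", ".accdb",
    ".db", ".mdb", ".dwg", ".dxf", ".cpp", ".cs", ".h", ".php", ".asp", ".rb",
    ".java", ".aaf", ".aep", ".aepx", ".plb", ".prel", ".aet", ".ppj", ".gif", ".psd",
}

# Ransom note name pattern from the article: "<RANDOM EXTENSION>-HOW-TO-DECRYPT.txt".
NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]+)-HOW-TO-DECRYPT\.txt$", re.IGNORECASE)


def find_ransom_notes(root):
    """Map each directory containing a ransom note to the random extension named in it."""
    notes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            match = NOTE_RE.match(name)
            if match:
                notes[dirpath] = match.group("ext").lower()
    return notes


def find_encrypted_files(root, extension):
    """List files named '<original>.<targeted ext>.<extension>', i.e. targeted files
    that have had the random extension appended."""
    hits = []
    suffix = "." + extension.lower()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if not lower.endswith(suffix):
                continue
            original_name = lower[: -len(suffix)]
            # Only count files whose original extension is on the targeted list.
            if os.path.splitext(original_name)[1] in TARGETED_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def triage(root):
    """Correlate ransom notes with the files that carry the extension each note names."""
    notes = find_ransom_notes(root)
    report = {"notes": notes, "encrypted": {}}
    for ext in set(notes.values()):
        report["encrypted"][ext] = find_encrypted_files(root, ext)
    return report


def build_sample_tree():
    """Constructed sample tree (not a real infection): files named per the article's pattern."""
    root = tempfile.mkdtemp(prefix="sodin_triage_")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "a1b2c3-HOW-TO-DECRYPT.txt").write_text("constructed ransom note")
    (docs / "photo.jpg.a1b2c3").write_bytes(b"\x00" * 16)   # targeted, renamed
    (docs / "plan.dwg.a1b2c3").write_bytes(b"\x00" * 16)    # targeted, renamed
    (docs / "readme.txt").write_text("untouched")            # .txt is not on the list
    (docs / "notes.txt.a1b2c3").write_bytes(b"\x00")         # random ext, but original not targeted
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = triage(sample_root)
    for directory, ext in result["notes"].items():
        print(f"note in {directory}: random extension .{ext}")
        for path in result["encrypted"][ext]:
            print(f"  encrypted: {path}")
```

Run it against a mounted image or a file share rather than a live infected host; the note-to-extension correlation tells a responder which random extension belongs to which machine, which is useful when several hosts were hit and each received its own extension.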

Propagation by exploiting vulnerabilities

Threat actors have also managed to distribute the ransomware by exploiting some well-known vulnerabilities:

CVE-2018-8453: This privilege escalation vulnerability exists in the Win32k.sys component. Attackers exploited it to infect victims in the Asia-Pacific region with the ransomware.

CVE-2019-2725: This remote code execution vulnerability affects Oracle WebLogic Server. Attackers were spotted abusing the flaw in the wild to spread the ransomware.

The ransomware has been designed to target systems running the Windows operating system.