Sodinokibi Ransomware through the Lens of IR and Collaborative Threat Intelligence
Ransomware groups are increasingly collaborating for delivering Sodinokibi ransomware and making it more difficult for security agencies to act against them. To counter them, security researchers are using threat intelligence together for analyzing Sodinokibi ransomware’s behavior. According to them, the group which was shut temporarily is being suspected to resume its work again, possibly using a different name.
Note: Just a few days after releasing a report on Sodinokibi, some activity was observed on Sodinokibi’s websites and servers. Although it could not be confirmed whether it was done by the malware operators themselves or by the law enforcement agencies.
Sodinokibi analysis - The IBM’s way
IBM researchers have assorted Sodinokibi TTPs from many of its attacks and laid bare its activities in five stages as follows:
- In the first stage, the researchers observed that attackers gain initial access using QakBot/Valak that spreads via phishing email laden with a Microsoft Office attachment or URL.
- The second stage involves attackers behind QakBot/Valak selling access to a partner working with Sodinokibi ransomware. It happens after gaining persistence into targeted systems.
- In the third stage, after downloading other tools and gaining access to a targeted system, Sodinokibi operators carry out the system and Active Directory reconnaissance with living-off-the-land tools.
- The fourth stage includes performing data exfiltration to execute their double extortion tactic. For this, it leverages tools such as MegaSync, WinSCP MegaCmd, and Rclone. This is the phase where the operator spends most of their time performing data collection and exfiltration.
- In the final stage of the post-data exfiltration phase, ransomware is deployed for data encryption using domain credentials via PSExec, SMB, and GPO.
In the response, IBM Security has suggested using a joint, collective approach; which will have a multiplier effect in countering such threats.
How does the approach help?
If an attack happens, the IR process could be boosted by having additional investigative findings, which can be further used in notifying and prioritizing security.
- Intelligence analysts tried to pivot on some IOCs from various attacks, which can be used for further research and analysis. Along with IOCs, the X-Force threat intelligence team followed the TTPs linked with dozens of threat groups, such as ransomware groups and their partners or affiliates.
- Moreover, such TTPs are observed to be changing quickly depending upon the type of attack. Threat intelligence teams recognizing and notifying these changes quickly shall help IR consultants prioritize them.
- Intelligence insights can also be used to predict potential activity by Sodinokibi, even in the case of resurgence. For example, in one case, analysts were able to identify some IPs and use of RClone even before the malware was found.
Conclusion
Threat intelligence collected during ransomware investigations could greatly improve analysts’ understanding of ransomware gangs. It could help with how the threat actors collaborate and how to counter their attacks. Moreover, using this approach to diagnose threats such as Sodinokibi can help security professionals stay one step ahead and prepare a robust security strategy.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/296e_shutterstock_376837630_office_365.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/d6a0_shutterstock_1595037637.jpg)
