Sodinokibi

Threat actors are actively exploiting a zero-day vulnerability in Oracle WebLogic (CVE-2019-2725) that allows attackers to easily gain full access to the server over an HTTP connection. Sodinokibi ransomware does not rely on the traditional distribution methods that generally require some form of user interaction to start the download; instead, it uses the Oracle WebLogic vulnerability to make the affected server download a copy of the ransomware itself. Some attacks have been followed by a second attack on the same target that distributes GandCrab v5.2. This variant has been observed appending a five- or six-character combination of letters and digits as an extension to encrypted files; the extension appears to change from victim to victim.
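Because the appended extension changes per victim, a static extension list cannot catch it. The following is an added example (not from the original advisory or its cited sources) of a simple defensive heuristic: it flags a directory listing in which one unfamiliar five- or six-character letter-and-digit extension suddenly dominates. The listing, the thresholds and the known-extension set are constructed assumptions for illustration.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Sodinokibi appends a per-victim extension of five or six letters and digits
# (the exact value differs between victims), so we match the shape rather than a value.
EXT_RE = re.compile(r"^[A-Za-z0-9]{5,6}$")

# Assumed baseline of extensions that are normal in the monitored share (constructed).
KNOWN_EXTENSIONS = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "pptx", "csv", "zip", "html", "json"}


def suspicious_extension(name: str) -> Optional[str]:
    """Return the trailing extension if it looks like a Sodinokibi-style one, else None."""
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if not EXT_RE.match(ext) or ext.lower() in KNOWN_EXTENSIONS:
        return None
    # Require a mix of letters and digits; purely alphabetic or numeric tails are too common.
    if not (any(c.isdigit() for c in ext) and any(c.isalpha() for c in ext)):
        return None
    return ext


def detect_mass_rename(filenames, min_files: int = 5, min_share: float = 0.5) -> Optional[Tuple[str, int]]:
    """Flag a listing when one suspicious extension covers at least `min_share`
    of all files and at least `min_files` files. Returns (extension, count) or None."""
    hits = Counter()
    for name in filenames:
        ext = suspicious_extension(name)
        if ext:
            hits[ext] += 1
    if not hits:
        return None
    ext, count = hits.most_common(1)[0]
    if count >= min_files and count / len(filenames) >= min_share:
        return ext, count
    return None


# Constructed sample listing: documents renamed with one random extension,
# plus a note file and an untouched system file.
SAMPLE_LISTING = [
    "budget.xlsx.k8d2f", "report.docx.k8d2f", "photo.jpg.k8d2f", "notes.txt.k8d2f",
    "archive.zip.k8d2f", "plan.pdf.k8d2f", "k8d2f-readme.txt", "desktop.ini",
]

if __name__ == "__main__":
    print(detect_mass_rename(SAMPLE_LISTING))  # ('k8d2f', 6)
```

In practice the check would run over a file-server snapshot or a file-creation event stream, with the baseline extension set derived from the share's own history.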

Technical Details and Reporting

· Cisco Talos provides details of this ransomware variant here.

· Bleeping Computer provides IOCs here.

UPDATE 5/31/2019: A malspam campaign targeting potential victims in Germany is actively distributing Sodinokibi ransomware via spam emails disguised as foreclosure notifications that carry malicious attachments. Prevention, decryption, and removal tools are available here.

UPDATE 6/21/2019: Sodinokibi has expanded its tactics and begun a new wave of attacks. Three newly identified distribution campaigns are: compromising legitimate sites and replacing a download with GandCrab; breaking into managed service providers (MSPs) to push Sodinokibi to the endpoints they manage; and running spam campaigns to cast a wide net. Some of the attacks were carried out by accessing networks via RDP (Remote Desktop Protocol) and then using the MSP's management console to drop Sodinokibi installers on endpoints by means of a file called 1488.bat.

UPDATE 6/24/2019: Sodinokibi, sporting a new moniker, REvil, has been observed using malvertising to redirect victims to a RIG exploit kit.

UPDATE 7/8/2019: A new variant of Sodinokibi, dubbed Sodin by researchers, uses a former Windows zero-day vulnerability, CVE-2018-8453, to elevate itself to administrator access on infected systems. The vulnerability had previously been used by a state-sponsored hacking group known as FruityArmor since August 2018. The Sodin variant uses the ‘Heaven’s Gate’ technique to execute 64-bit code from a 32-bit process, allowing malicious code to run without triggering antivirus detection. Furthermore, Sodin uses a hybrid scheme that combines symmetric encryption (Salsa20) with asymmetric encryption: a public key stored in the registry is used to encrypt data, and the corresponding private key is required to decrypt files. Researchers noted that this private key is itself encrypted with another public key, nicknamed the public skeleton key, and is likewise stored in the registry, concluding that files may be decrypted if both the private key and the public skeleton key are known. Detailed research and technical analysis can be found here.
