Blog
06.05.2020

Sodinokibi Ransomware Is Storming Organizations

2019 was a significant year for…what? Does anybody even remember 2019? 2020 has all but eclipsed most memories of last year. Few may remember that a new treatment became available for peanut allergy, or that an albino panda was photographed in China.

But in the world of ransomware, a few things happened in 2019 that are still significant. And one of them was a ransomware called Sodinokibi, known also as REvil ransomware.

Sodinokibi ransomware emerged on April 17, 2019, and was identified by the Cybereason Nocturnus research team. The group behind it, tracked as Gold Southfield, distributes the Windows malware in a variety of ways: exposed RDP servers, exploit kits, and backdoored software installers, to name a few.

Ransomware Mayhem In Motion Stays in Motion

Believed to have been developed by the creators of the earlier GandCrab ransomware, Sodinokibi routinely evades antivirus and many other malware detectors.

GandCrab ransomware first appeared in January 2018. A year and a half later, its authors announced they were retiring, an unusual and unexpected move. GandCrab variants were estimated to account for around 40% of ransomware infections globally, so the authors were apparently walking away from a money-making machine. Or were they?

If the connection between GandCrab and Sodinokibi is real, GandCrab’s track record simply rolled forward into Sodinokibi. Between them, GandCrab and now Sodinokibi (REvil) have done a tremendous amount of damage to organizations over the last few years.

Sodinokibi Strikes MSPs, CSPs, and Recently, Celebrities

Sodinokibi has hit a wide range of companies, with the most noteworthy attacks aimed at MSPs and CSPs (providers of managed IT and cloud services). Compromising a provider is attractive because its remote-management tooling reaches into every customer it serves, so one intrusion can become many. Over the 2019 Christmas holidays, a hosting provider in upstate New York was hit by a REvil ransomware attack. Later, an airport’s IT system was impacted. The FBI issued warnings to MSPs and their partners.

In April of this year, the attackers struck the town of Jupiter, Florida, knocking many of its digital services offline. Fortunately, the town had usable backups and was able to restore without paying the ransom.

Sodinokibi (REvil) made news again last month with an attack on the law firm Grubman Shire Meiselas & Sacks that stole data on a long list of well-known celebrities, reportedly including Lady Gaga, Madonna, Bruce Springsteen, Christina Aguilera, Bette Midler, and Mariah Carey, among others. The thieves took phone numbers, email addresses, contracts, NDAs, and other documents held by the firm.

The attackers released some of the celebrity data to pressure the firm into paying. They also claimed to have ‘dirty laundry’ on President Trump and demanded $42 million, reportedly the largest ransom demand seen to date, to keep it unpublished. The firm reportedly said the FBI had classified the attack as an act of terrorism and advised that paying the ransom would violate federal law.

The ‘terrorist’ label annoyed the REvil crew, who then made good on their threat by publishing 169 emails that mentioned Trump. The contents were reportedly mundane, meant only to prove that the data had been stolen. A day later, they claimed to have sold the remaining data to “an interested party.”

Who’s Responsible for Sodinokibi?

It is unconfirmed how many people are behind Sodinokibi or GandCrab. But a young Russian man has been identified as the recruiter for the operation, working under the nickname “Oneillk2.” Through various tracking methods, that nickname was linked to Igor Vladimirovich Prokopenko, a 29-year-old from Magnitogorsk, Russia. “Oneillk2” was also used for a personal account on a Lada drivers’ forum in January 2018, and that account and the malware recruiter appear to be the same person.

What Sodinokibi (REvil) Ransomware Does

GandCrab, as noted above, was estimated to account for roughly 40% of ransomware infections, and Sodinokibi has since been estimated to be involved in a similarly large share. The first attacks were seen in Asia; more recently, Europe has shown a significant number of attacks.

Sodinokibi initially spread by exploiting vulnerable internet-facing servers and assets. It has also abused flaws in antivirus software, notably AhnLab’s product from South Korea, launching its payload through the AV product itself, so machines running that product were specifically sought out. Infections are also launched through phishing campaigns and exploit kits.

In the first campaign observed, the operators exploited CVE-2019-2725, a deserialization flaw in Oracle WebLogic Server, to drop Sodinokibi on unpatched servers, and roughly eight hours later used the same vulnerability to push GandCrab v5.2, a different ransomware, onto the same hosts. Perhaps they were covering their bases in case the first attempt failed. When executed, Sodinokibi deletes all volume shadow copies (vssadmin), then turns off automatic startup repair and tells the boot loader to ignore boot failures (bcdedit), so the victim can neither restore from local snapshots nor land in the recovery environment. It does this with a single command chain:

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

The next step is the expected one: encrypting files on the host. As with other ransomware, a random file extension is appended to each encrypted file, and the extension is unique to each infected machine. Ransom demands follow soon after.
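That command chain is the clearest host-level tell that an encryption run is about to start, and most endpoint telemetry (Sysmon Event ID 1, or Windows 4688 with command-line auditing enabled) records it. The following Python is an added example, not code from the original post or from Virsec: it scans constructed, tab-separated process-creation records for the three commands shown above, plus the equivalent wmic shadowcopy delete (an addition here, not something the post mentions), and rates a lone shadow-copy deletion lower than the full combination, since backup software sometimes prunes old shadow copies legitimately.

```python
"""Flag process-creation events whose command line matches the backup
destruction / recovery-disabling sequence run by Sodinokibi (REvil).

Added example; the log format below is constructed (tab-separated
timestamp, host, user, parent image, command line) and is not real
telemetry or any vendor's record layout.
"""
import re
from dataclasses import dataclass

# Patterns are matched case-insensitively against the whole command line,
# so a cmd.exe /c chain joined with '&' is caught without splitting it.
# {default} is what the post shows; {current} is accepted too because
# bcdedit resolves both to the running OS entry.
INDICATORS = (
    ("shadow_copy_deletion", r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    # wmic variant: an assumption added here, not in the post; it is a
    # common equivalent that removes the same snapshots.
    ("shadow_copy_deletion", r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    ("recovery_disabled",
     r"\bbcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+recoveryenabled\s+no\b"),
    ("boot_failures_ignored",
     r"\bbcdedit(?:\.exe)?\s+/set\s+\{(?:default|current)\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
)
_COMPILED = tuple((label, re.compile(pat, re.IGNORECASE)) for label, pat in INDICATORS)

# Constructed sample events. Line 2 is the ransomware chain from the post,
# launched from a dropper in %TEMP%; line 3 is a backup agent pruning one
# old snapshot, which should rate lower.
SAMPLE_LOG = """\
2020-05-20T03:14:07Z\tFS01\tCORP\\jdoe\tC:\\Windows\\explorer.exe\t"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n
2020-05-20T03:14:09Z\tFS01\tCORP\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\inv0523.exe\t"C:\\Windows\\System32\\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2020-05-20T04:00:00Z\tFS01\tNT AUTHORITY\\SYSTEM\tC:\\Program Files\\BackupAgent\\agent.exe\tvssadmin.exe Delete Shadows /For=D: /Oldest /Quiet
2020-05-20T04:05:12Z\tWS22\tCORP\\admin\tC:\\Windows\\System32\\cmd.exe\tbcdedit /enum
"""


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    parent: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one record into its five fields; the command line is the
    last field and may itself contain anything, so split at most 4 times."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return Event(*parts)


def classify(cmdline: str) -> list[str]:
    """Return the distinct indicator labels matched by a command line,
    in rule order."""
    hits: list[str] = []
    for label, rx in _COMPILED:
        if rx.search(cmdline) and label not in hits:
            hits.append(label)
    return hits


def severity(hits: list[str], cmdline: str) -> str:
    """Deleting a single old shadow copy can be legitimate housekeeping.
    Deleting *all* of them, or pairing deletion with boot-recovery
    tampering, is what the ransomware does."""
    if not hits:
        return "none"
    if len(hits) >= 2:
        return "high"
    if hits == ["shadow_copy_deletion"] and re.search(r"/all\b", cmdline, re.IGNORECASE):
        return "high"
    return "medium"


def scan_log(text: str) -> list[dict]:
    """Parse every non-empty record and return one finding per event that
    matched at least one indicator."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = classify(ev.cmdline)
        if hits:
            findings.append({
                "timestamp": ev.timestamp, "host": ev.host, "user": ev.user,
                "parent": ev.parent, "indicators": hits,
                "severity": severity(hits, ev.cmdline),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['timestamp']} {f['host']} {f['user']} "
              f"parent={f['parent']} indicators={','.join(f['indicators'])}")
```

Running it on the sample prints one high finding (the chain from the post, with an executable in the user's temp directory as the parent process) and one medium finding for the backup agent. The parent image is worth keeping in the alert: an office document or a binary in a temp directory spawning cmd.exe to run vssadmin is far more damning than a scheduled task owned by backup software doing the same thing.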

The Impact of GandCrab Ransomware

Before it was retired in favor of Sodinokibi, GandCrab (v4 and v5 in particular) is believed to have struck close to 500,000 victims globally. It began in January/February 2018 and became the most popular ransomware of that year, largely because its affiliate model let almost anyone with a foothold deploy it. Ransoms went as high as $600-700K per victim.

After encryption, a ransom note is dropped. It gives details about the ransom, how to pay in bitcoin, and a threat that the amount doubles if the deadline is missed.

GandCrab ransom note

GandCrab and Sodinokibi are attractive to criminals in large part because both are sold as Ransomware as a Service (RaaS). Under this model the developers supply the malware, the payment and decryption portal, and round-the-clock support, while affiliates break into victims, deploy it, and hand back a share of each ransom. Would-be extortionists with no technical skill can even hire others to carry out the intrusion for them.

(See our article, If It Wasn’t Illegal, RaaS Would Be a Practically Perfect Business Model)

Sodinokibi wasn’t the only ransomware to begin its extortion career in 2019. Maze ransomware was also unleashed in 2019. Together, these ransomware dynamos have been tormenting organizations since.

Organizations Can Take Defensive Steps to Avoid Being a RaaS Victim

Ransomware attacks keep thriving because they keep working, which makes them one of the largest threats organizations face today.

Much of what this post describes points to defenses businesses can put in place before an attack strikes: patch internet-facing services promptly (the WebLogic flaw above was being exploited before most organizations had patched it), take RDP off the open internet, treat software installers and MSP remote-access tooling as trusted entry points that deserve scrutiny, keep backups offline or otherwise out of reach of an attacker who can run vssadmin on the host, and alert on the shadow-copy and bcdedit commands shown above, because by the time they run, encryption is seconds away.

Businesses must stay on high alert, especially during the current global health crisis, when cyber criminals are especially manipulative. Pragmatic organizations are using this time to revamp their security strategy more aggressively.

Learn more about Virsec's ransomware defense below.

Further Resources:

Solution Brief: Protection Against the Ransomware Epidemic

White Paper: Making Applications Truly Self-Defending

2-Minute Virsec Video