Sodin ransomware exploiting Windows zero-day, Kaspersky warns

Security researchers are warning that a recently discovered type of ransomware is now exploiting a zero-day Windows vulnerability, and does not require user interaction to trigger an infection

Stealthy ransomware that first appeared in 2019 is using a new exploit and can be triggered remotely, based on attacks in Asia, Europe and North and Latin America, according to security researchers.

The Sodin ransomware, also known as Sodinokibi and REvil, was initially distributed by exploiting a vulnerability in Oracle Weblogic, but is now exploiting a recently discovered zero-day Windows vulnerability (CVE-2018-8453), according to researchers at security firm Kaspersky.

This exploit enables Sodin to get elevated privileges in an infected system and takes advantage of the architecture of the central processing unit (CPU) to avoid detection.

This functionality is rarely seen in ransomware, the researchers said, and in certain cases, Sodin requires no user interaction, but is simply saved to vulnerable servers by the attackers.

While most security software will detect well-known versions of ransomware using established attack vectors, the researchers warned that sophisticated approaches such as those exhibited by Sodin that involve the exploitation of a recently discovered zero-day vulnerability might go undetected for a while.

In addition, the Sodin ransomware uses a technique known as “Heaven’s Gate”, which allows a malicious program to execute 64-bit code from a 32-bit running process, making it even more difficult to detect.

The researchers said they believe the Heaven’s Gate technique is used in Sodin to make analysis of the malicious code more difficult because not all debuggers (code examiners) support this technique and are therefore unable to identify it.

In addition, the technique also enables the ransomware to evade detection by emulation-based detection, widely used to discover previously unknown threats by launching code that is behaving suspiciously in a virtual environment that resembles (emulates) a real computer.

 According to the researchers, Sodin appears to be part of a ransomware as a service (RaaS) scheme, which means its distributors are free to choose the way in which the encryption malware propagates.

There are also signs that the ransomware is being distributed through an affiliate programme, which typically means that affiliates pay a cut of their earnings to the operators of the RaaS scheme.

“We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in its development definitely expect it to pay off handsomely”
Fedor Sinitsyn, Kaspersky

However, the researchers found that Sodin includes functionality that allows the malware authors to decrypt files without their affiliates knowing by using a master key that is independent of the distributor’s key that is normally used to decrypt the files of those organisations that pay the ransom.

This feature might be used by the malware authors to control the decryption of victim data or the distribution of the ransomware by, for example, cutting certain distributors out of the affiliate programme by making the malware useless, the researchers said.

Unlike most ransomware that requires some form of user interaction – such as opening an attachment to an email message or clicking on a malicious link – the researchers said Sodin ransomware appears to have an executable file that is downloaded to a vulnerable server and executed.

The operators of the Sodin ransomware are demanding bitcoin worth $2,500, with most targets found in the Asia-Pacific region, including Taiwan (17.6%), Hong Kong (9.8%) and the Republic of Korea (88%), but attacks have also been observed in Europe, North America and Latin America.

“Ransomware is a very popular type of malware, yet it’s not often that we see such an elaborate and sophisticated version that uses the CPU architecture to fly under the radar,” said Fedor Sinitsyn, a security researcher at Kaspersky.

“We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware’s development definitely expect it to pay off handsomely,” he said.

To avoid falling victim to Sodin, Kaspersky researchers advised companies to ensure that all their software is regularly updated to the most recent versions because the Windows vulnerability exploited by the ransomware was patched by Microsoft in October 2018 after Kaspersky detected it being exploited in the wild by a threat actor believed to be the FruityArmor hacking group.

Read more about ransomware


Read more on Hackers and cybercrime prevention

Data Center
Data Management