valerybrozhinsky - stock.adobe.c
The highly dangerous Sodinokibi ransomware is being exploited by affiliated groups from multiple countries, using multiple targeted distribution methods, according to evidence produced by McAfee’s Advanced Threat Research (ATR) team.
Since it was first identified in Cisco Talos’ lab in April 2019, Sodinokibi, which is also known as ReVIL, has emerged as one of the most active and dangerous ransomware threats in the wild.
In September, researchers at SecureWorks asserted with a high degree of confidence that it was being created and run by the same group responsible for the GandCrab ransomware, saying that it had them “pretty much bang to rights”. This confirmed earlier investigations by security researcher Brian Krebs.
In a series of blog posts in recent weeks, McAfee’s ATR team has been sharing insight into the methods used by the affiliates using Sodinokibi, and, according to analyst Jessica Saavedra-Morales, found that groups were drawn to its network of honeypots “like moths to a flame”.
These included distributing Sodinokibi through spear-phishing and weaponised documents; batch files downloading payloads from Pastebin and injecting them into processes on the target OS; compromising remote desktop protocols (RDPs) and using script files and password cracking tools to distribute it over the target network; and compromising IT managed service providers (MSPs) used by victims and using their systems to spread it.
The ATR team ran several RDP honeypots between June and September 2019, and observed several groups compromising them, which it could then monitor – disconnecting the actors the moment criminal actions were prepared or about to be executed.
Its honeypots drew in actors from IP addresses all over the world, but the ATR team observed that, like GandCrab, Sodinokibi blacklists both the Persian (Farsi) and Romanian languages, meaning it will not execute if it finds either of those two languages installed on a victim’s machine. This would suggest that large numbers of affiliates are located in both Iran and Romania.
The supplier also shared some insight into what Sodinokibi’s developers have been doing with the ransom money by linking posts on underground forums with bitcoin transfer traces – in the process uncovering more evidence of their relationship with GandCrab – and followed the transactions seen from one promising affiliate wallet.
McAfee found that Sodinokibi ransoms ranged from between 0.44 and 0.45 bitcoin, averaging $4,000 (€3,580/£3,080). Within one 72-hour period, it generated $287,499 worth of ransom payments, a statistic based on a list shared online by one actor.
It found that the targeted affiliate was getting money transferred through the Coinbase exchange, as advised by the ransom note, following which they paid some fees to a service but also sent some bitcoin into an underground mixer called Bitmix.biz, to obfuscate the following transactions, making it harder to link it back to the final wallet.
It said it had also observed some examples where affiliates were buying services on Hydra Market, an underground Russian marketplace that offers a number of services and illegal products, including drugs, paid for in bitcoin.
Saavedra-Morales offered some guidance on how to protect your business from Sodinokibi, highlighting the importance of a layered defence strategy.
“As demonstrated, the actors we are facing either buy, brute-force or spear-phish themselves into your company or use a trusted-third party that has access to your network,” she wrote.
“Some guidelines for organisations to protect themselves include employing sandboxing, backing up data, educating their users, and restricting access.
“As long as we support the ransomware model, ransomware will exist as it has for the past four years. We cannot fight alone against ransomware and have to unite as public and private parties. McAfee is one of the founding partners of NoMoreRansom.org and are supporting Law Enforcement agencies around the globe in fighting ransomware.”
Read more about ransomware
- Ransomware has seen a resurgence since the start of 2019, with cyber criminals changing code and tactics to target enterprises and local authorities for higher ransom payments.
- Apparent links between an emerging ransomware family known as REvil and GandCrab suggests the GandCrab authors are keeping busy despite having “retired” in June.
- Vectra 2019 Spotlight report shows recent ransomware attacks cast a wider net to ensnare cloud, datacentre and enterprise infrastructures.