Sodinokibi and the Successful Tactics it Uses

Research by security firms places Ryuk and Sodinokibi as two of the prime ransomware threats facing enterprises today. While some reports show ransomware infections rising across the board, ransom amounts almost tripled from quarter to quarter in the first half of 2019. Sodinokibi is one of the prime agitators demanding increased ransoms: its operators demand USD 2,500 on average, doubling to USD 5,000 if no payment is received within 48 hours. By the second quarter of 2019, Sodinokibi was responsible for 12.5% of all reported ransomware infections.

Sodinokibi, also referred to as Sodin or REvil, was first detected by researchers in April. It was not until June that infections really began to kick off. At the start of June, security firms saw a massive spike in detections of the ransomware being used against businesses, with one firm recording nearly 80 detections in a single day. The number of detections slowly tapered off but spiked again at the start of July, reaching almost 50 in one day. This spike in activity coincided with the operators behind GandCrab supposedly retiring.

Crown Prince of Ransomware

GandCrab could be described as the King of ransomware while it was active. It went through numerous upgrades, perfected the ransomware-as-a-service (RaaS) business model and forged partnerships with other threat actors that made distribution of the ransomware far more effective and potent. Then, once GandCrab had risen to the top of everyone’s threat list, the perpetrators announced they were retiring, GandCrab would no longer be offered as a RaaS, and operations ceased. As soon as they did, several pretenders to the throne emerged looking to emulate the No. 1 choice for extorting Bitcoin from businesses and other users.

Most were pretenders, but Ryuk and Sodinokibi, in particular, seemed to rise to the challenge, so much so that researchers named Sodinokibi the Crown Prince of Ransomware. This title was bestowed not only because the ransomware was offered as a RaaS but also because it shared several similarities with GandCrab. The similarities were so widespread that some researchers believe Sodinokibi may be operated by the developers behind GandCrab. Similarities were noticed in how the code works, in the infection process and in the URLs used by both ransomware families.

Initial Attack Vectors

Analysis done on Sodinokibi when it rose to prominence revealed that the ransomware was initially spread via spam emails containing a malicious link. When the link was clicked, a malicious .zip file containing the malware was downloaded. At this stage in the ransomware’s development cycle, detections by anti-virus engines were minimal, as the ransomware was not yet widely known to be malicious. This enabled Sodinokibi to pass through security checks undetected. Within the .zip file was an obfuscated JavaScript file that would execute; if the infected computer passed certain checks, a PowerShell script would run and the encryption process would begin.

To load the payload and encrypt data on the infected machine, the ransomware needed to escalate privileges. This was done by exploiting CVE-2018-8453, an elevation-of-privilege vulnerability in which the win32k component fails to properly handle objects in memory. The vulnerability was quickly patched, but given how slow people are to update software, a vulnerability disclosed in 2018 could still be used to further the goals of hackers deploying Sodinokibi.

In less than four months from the time it was discovered, the ransomware had become one of the most prolific ransomware variants and had received a host of minor updates. This sounded the alarm that those defending networks were dealing with a knowledgeable and highly skilled foe. It further led some to believe they were dealing with at least some of the people behind GandCrab.

Another Vulnerability to Exploit

In July, researchers discovered that the ransomware was looking to exploit another, newer vulnerability: CVE-2019-2725. Described as a deserialization vulnerability, it allows remote code execution when properly exploited. Threat actors were seen distributing the ransomware via spam email campaigns. What was interesting in this campaign was the code used to exploit the vulnerability: researchers determined that it was far more elegant and comprehensive than the ransomware itself, leading to the conclusion that the exploit code was perhaps purchased.

In this campaign, the exploit code was used to leverage Go2Assist on a managed security service provider’s (MSSP) network to break into the MSSP’s client environment. The malware would then deploy another tool to steal credentials, then exploit the vulnerability to establish a remote connection between the infected machine and the attacker’s command and control server. In a bid to avoid detection, it would check whether the machine ran a specific anti-virus package; if it was detected, the malware would also disable the server hosting the anti-virus.

Past campaigns distributing Sodinokibi have not relied solely on exploiting vulnerabilities and spam email campaigns. The ransomware has also been distributed via malvertising campaigns that led victims to exploit kits, which then dropped Sodinokibi once access to a vulnerable machine was achieved. This was also a popular tactic for GandCrab operators and affiliates. Targeting MSSPs has proved a popular and efficient tactic for hackers to infect the MSSPs’ end-user clients via remote desktop protocol (RDP) abuse.

Sodinokibi and RIG

As mentioned above, Sodinokibi is no stranger to piggybacking on exploit kits to infect vulnerable machines. In mid-November, news articles reported that the ransomware was using the RIG exploit kit to target users in Asia. Initially spotted by security researcher mol69, who specializes in exploit kits, the activity was soon found to be targeting users in Malaysia, Korea and Vietnam in particular. Exploit kits are interesting in that they only target users of Internet Explorer. While the browser continues to decline in popularity, it is clearly still profitable enough for hackers to target.

It was this decline in the popularity of Internet Explorer that led researchers to observe a decline in the use of exploit kits. The decline has been noticeable since 2016, but their use never completely disappeared. Instead it became far more specialized, and the operators of GandCrab recognized their value. Sodinokibi, too, seems to have learned the value of tools deemed outdated. An exploit kit can be defined as a collection of exploits, proven to work against a number of vulnerabilities, bundled into one tool. Currently, exploit kits share the same strength and weakness: they can only target Internet Explorer users. Hackers bet that this browser, still favored by some, is not kept properly updated and leverage that to their advantage; however, they cannot target users of Chrome, Firefox or Safari. It should also be noted that Edge cannot be targeted either.

RIG is more often than not distributed via malvertising campaigns. Once a visitor lands on a compromised website, they are redirected, via a malicious iFrame for example, to the exploit kit’s landing page. From there the kit scans for relevant vulnerabilities. If one is found, it delivers the exploit, which is then used to install other malware (in this case, Sodinokibi). RIG often makes use of known Flash vulnerabilities and, if exploitation succeeds, the user notices Internet Explorer begin to crash and display Windows Script Host errors.

These errors occur as a result of RIG running a JScript command that, in turn, downloads a VBScript. It is the VBScript that contains Sodinokibi; once executed, it begins to encrypt targeted file extensions and the ransom note is displayed. Currently, there is no freely available decryptor for Sodinokibi, so if those infected have not been making backups, that data may be lost for good. Sodinokibi operators do have the infrastructure to decrypt files once a ransom is paid; however, some reports suggest that not all files get decrypted, so some loss of data is to be expected even if victims pay. Current advice from law enforcement and many security researchers is not to pay the ransom, as it funds criminal operations.
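As an added example that is not part of the original article, the following Python detection logic runs over constructed process-creation records and flags the two delivery chains described above: the spam-email chain under Initial Attack Vectors (a script host running the JavaScript file out of the ZIP, then spawning PowerShell) and the RIG chain (Internet Explorer handing JScript/VBScript to the Windows Script Host). The event fields, paths, command lines and the ".zip\" path heuristic are assumptions, not observed Sodinokibi telemetry.

```python
import ntpath

# Constructed process-creation records (not real telemetry); fields mirror a
# typical EDR/Sysmon event: pid, parent pid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Spam chain: the user opens invoice.js straight from a downloaded ZIP.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    # RIG chain: Internet Explorer hands a script to the Windows Script Host.
    {"pid": 400, "ppid": 100,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\AppData\Local\Temp\x.vbs"},
    # Benign control: an admin runs PowerShell interactively from the shell.
    {"pid": 600, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def image_name(path):
    """Lower-cased file name of a Windows path; ntpath works even on Linux."""
    return ntpath.basename(path).lower()

def detect_chains(events):
    """Return (rule, pid) pairs, in event order, for the chains the article describes."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else ""
        # Script host given a script still inside a ZIP (heuristic: ".zip\" in the path).
        if name in SCRIPT_HOSTS and ".zip\\" in e["cmdline"].lower():
            findings.append(("script_from_archive", e["pid"]))
        # Script host spawning PowerShell: the JavaScript-then-PowerShell step of the spam chain.
        if name == "powershell.exe" and pname in SCRIPT_HOSTS:
            findings.append(("wsh_to_powershell", e["pid"]))
        # Browser spawning the script host: the JScript/VBScript step of the RIG chain.
        if name in SCRIPT_HOSTS and pname == "iexplore.exe":
            findings.append(("ie_to_wsh", e["pid"]))
    return findings
```

The benign PowerShell launched from explorer.exe produces no finding, which is the point of keying the rules on the parent process rather than on the child alone.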

Sodinokibi’s Affiliate Model

The RaaS environment is competitive, and when a ransomware variant attracts skilled affiliates, the danger it poses increases dramatically. This is something those behind Sodinokibi have succeeded in achieving. Researchers using networked honeypots have uncovered some of the tools and tactics used by Sodinokibi affiliates, giving a better picture of the threat faced. Some affiliates favored first stealing network credentials and then infecting machines across the network with the ransomware. Others established connections to command and control servers via RDP. Others dropped coin-mining malware alongside Sodinokibi to increase their earnings.

Given the wide array of tactics used by operators and affiliates, defending against Sodinokibi is a difficult and often thankless task. One attack vector may be secured only for a forgotten one to remain vulnerable. It is little wonder that certain researchers refer to Sodinokibi as the crown prince, as its impact and the threat it poses continue to grow. As more skilled affiliates jump on board to swindle end users, its prominence is likely to increase. It is difficult to predict when, or if, we will see an end to Sodinokibi infections in the near future. If the path set by GandCrab is anything to go by, law enforcement and security firms have entered a game of cat and mouse with the ransomware’s operators. If it is proven that the GandCrab operators are behind Sodinokibi, we can expect a whole host of versions and upgrades to follow as they attempt to build a ransomware empire.

Tomas Meskauskas

Tomas Meskauskas - Internet security expert, editor of pcrisk.com website, co-founder of Mac anti-malware application Combo Cleaner.