Sodinokibi Ransomware 101: Origin, Victims, Prevention Strategies
#1
Bug
Quote:

Sodinokibi Ransomware Is One of the Most Distributed Ransomware Strains in the World. Don’t Let Your Company Be Its Next Victim!


Cyberattacks have become a part of our reality, but have you ever wondered what might happen if your company gets targeted? You probably imagine that you would lose some money and a great deal of time, maybe fire an employee or two, lose a few clients and have your reputation tainted or eventually even deal with a lawsuit. If these aren’t serious and bad enough for you to take cybersecurity seriously, let me tell you this: cyberattacks have just turned deadly. It happened this month in Germany, where “A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.” Speaking of ransomware… you should pay particular attention to Sodinokibi ransomware.

Sodinokibi ransomware is a perfect example of Ransomware-as-a-Service, a cybercrime that involves two groups teaming up for the hack: the code authors who develop the ransomware and the affiliates that spread it and collect the ransom. 

As SecurityBoulevard says, Sodinokibi is “the apparent heir to a strain known as GandCrab. The security community believes GandCrab is responsible for 40 per cent of all ransomware infections globally. It has taken in around $2 billion in ransom. Then, earlier this year, the creators of GandCrab announced the malware’s retirement.” 

Discovered in April 2019, Sodinokibi is a highly evasive and upgraded ransomware, which uses a special social engineering move – the ones who spread it threaten to double the ransom if not paid within a certain number of days. This aspect makes Sodinokibi ransomware dangerous for companies of all sizes. Also known as Sodin or REvil, Sodinokibi shortly became the 4th most distributed ransomware in the world, targeting mostly American and European companies.

How does Sodinokibi ransomware work?

Most of the time, Sodinokibi ransomware is spread by brute-force attacks and server exploits, but it’s not uncommon either to get infected through malicious links or phishing. Exploiting an Oracle WebLogic vulnerability and often bypassing antivirus software, Sodinokibi downloads a .zip file with the ransom code, written in JavaScript, moves through the infected network and encrypts files, appending a random extension to them. Particularly dangerous is the fact that Sodinokibi may reinstall itself as long as the original ransom code is not deleted.

Does Sodinokibi ransomware steal data?

Stealing data from ransomware victims before encrypting devices and using the stolen files as leverage to get paid is a tactic that the Maze Ransomware operators have started to bring into force. Since then, Sodinokibi, DoppelPaymer and Nemty followed their lead. 

According to BleepingComputer, until March 2020, the Sodinokibi ransomware operators had published over 12 GB of stolen data “allegedly belonging to a company named Brooks International”. Moreover, “other hackers and criminals have started to distribute and sell this data on hacker forums”, as you can see in the image below “where a member is selling a link to the stolen data for 8 credits, which is worth approximately 2 Euros”: 
...

