Sodinokibi Ransomware Begins to Exploit Previous Windows Zero-Day

Reports point to Sodinokibi ransomware for using exploits from a previous Microsoft Windows zero-day vulnerability.

Sodinokibi ransomware

In the Spring of 2019, a new ransomware variant dubbed Sodinokibi (also known as REvil, Sodi, Sodin) started infecting computers with malware, encrypting user data and demanding a ransom in the form of Bitcoin. Sodinokibi first began by capitalizing on an Oracle WebLogic deserialization vulnerability in which allowed remote code execution over a network without the need for proper authentication such as usernames and passwords. Now, the ransomware is beginning to use much more complex and dynamic attack vectors such as newly discovered Windows zero-day.

Zero-day exploit and ransomware

One of the newer attack vectors of the Sodinokibi ransomware is the use of a Windows zero-day exploit that spreads the encryption process and begins locking user data. A zero-day exploit can be described as a vulnerability that a software or hardware manufacturer is unaware in which threat actors utilize to gain access to data and other important network administrative settings. As a result, these vulnerabilities can prove to be significant in effect once the attack vector is executed. 

The zero-day in question, CVE-2018-8453, allows a high-level of privileged access for unauthorized users. Although the vulnerability was patched in October 2018, many businesses and consumers still fail to properly apply the update across their networks which has left them exposed to the Sodinokibi ransomware attack. Sodinokibi ransomware also uses a variety of encryption techniques (such as Heaven’s Gate) which helps the trojan process execute a higher level of encryption at the 32-bit level.

Below is an example ransom note that victims of Sodinokibi will find on their computer:

The ransomware distribution model

The Sodinokibi ransomware variant has a striking similarity to the GandCrab ransomware in that the threat actors are using organized distribution campaigns to target their victims and begin the extortion process. As previously stated, Sodinokibi ransomware was first executed through vulnerabilities in Oracle WebLogic Servers. Then, in late June, reports began circulating that Sodinokibi had targeted Managed Service Providers (MSPs) via back-door entry through Remote Desktop Protocol (RDP) ports that allowed the installation on endpoints where the ransomware then took over. Threat actors also used hacked websites to replace software download links that ran the ransomware code once downloaded. 

Later that week, malware researchers pointed out that Sodinokibi ransomware was pushed through popular RIG exploit kits advertised on underground hacking forums and malvertisements (online ads that promote the usage of certain ransomware as a service [RaaS]). This type of aggression is very similar to the GandCrab ransomware distribution model, where threat actors used multiple attack vectors and a wide range of vulnerabilities to operate the extortion campaign. GandCrab ransomware might be the inspiration and backbone behind these Sodinokibi ransomware models. 

Steps to stop Sodinokbi ransomware

Keep software up to date

Software and operating systems that have not been updated to the latest firmware run the risk of being exploited through security vulnerabilities undiscovered by the programmers. Many of these exploit kits depend on users who are unable to perform these updates. Ensure better security against Sodinokibi ransomware by selecting the automatic update setting on major operating systems, company software, and endpoint solutions such as anti-malware programs. 

Enforce data backup schedule

It’s important to have a strong data backup schedule where employees are regularly protecting business documents and data are being stored on external sources (both locally and in the cloud). In the case that your organization is infected with Sodinokibi ransomware, these backups can become one of the methods in which the business can recover without experiencing major downtime in operations. 

We recommend disconnecting storage devices after the backup is complete, as Network Attached Storage (NAS) data can become encrypted if the ransomware spreads to other systems on the network.

Enforce quality endpoint software solutions

With professional software solutions in place such as endpoint detection and response (EDR), the network systems will be more resilient to cyber attacks and prevent the Sodinokibi ransomware from moving laterally within a business and encrypting the files. Major security vendors are working diligently to ensure their software solutions are able to detect these incoming threats and provide the latest technology to combat the ransomware. 

Consult with a security professional to establish a security framework if you’re unsure of how to proceed with the proper software solutions that fit the needs of your organization.

Need help with Sodinokibi ransomware?

Learn more about ransomware recovery and what it

Ransomwre Recovery Help