June 25, 2019
Attackers behind a relatively new ransomware family called Sodinokibi (detected by Trend Micro as RANSOM.WIN32.SODINOKIBI.A) have been continuously exploring different delivery vectors since April: malicious spam, vulnerable servers, and even managed service providers (MSPs). Given this aggressive experimentation with distribution, this ambitious new player in the ransomware landscape appears to be trying to gain momentum and spread quickly. On June 23, threat analyst nao_sec found the ransomware using yet another delivery technique: it was being distributed through malvertising that also directs victims to the RIG exploit kit.
Nao_sec reported to Bleeping Computer that the malicious advertisements pushing Sodinokibi were on the PopCash ad network and that, under certain conditions, they would redirect users to the exploit kit. The analyst was also able to demonstrate how the ransomware was installed via this malvertising chain.
Past Sodinokibi incidents
In late April, it was reported that a hacking group was trying to abuse a critical vulnerability in Oracle’s WebLogic server to spread the Sodinokibi ransomware. This was particularly dangerous because the attack did not require any user interaction; ransomware delivery usually involves tricking a victim into enabling a malicious macro or clicking a link to download the ransomware. In this case, the hackers simply used the vulnerability to push the ransomware onto WebLogic servers. In May, a malicious spam campaign was seen targeting German victims. The spam was camouflaged as foreclosure statements, and the urgency of the mail pressures victims into enabling macros to open a malicious attachment that downloads the ransomware.
Earlier this month, a hacking group abused MSPs to deploy the ransomware onto customer networks. According to reports, three major MSPs were breached through exposed Remote Desktop Protocol (RDP) endpoints. From these compromised endpoints, the hackers were able to move further into the compromised systems. They uninstalled AV products and abused the management software (used by MSPs to oversee workstations) to execute malicious scripts on remote workstations and install the Sodinokibi ransomware.
How to defend against ransomware
Sodinokibi is now using an array of vectors to infect victims. Patching and updating is important in defending against this ransomware, particularly because most of the vulnerabilities the attackers are abusing already have fixes available. Users need to update their systems and keep their software and hardware on the latest supported versions.
Since Sodinokibi also relies on other techniques, such as sending spam or phishing emails, and its operators continue to add more delivery methods to their arsenal, it is important for organizations to implement security best practices:
All of the organization’s users should back up their data regularly to ensure that data can be retrieved even after a successful ransomware attack.
Users should be wary of suspicious emails and avoid clicking on links or downloading attachments unless they are certain that the message came from a legitimate source.
Restrict the use of system administration tools to IT personnel or to employees who genuinely need access.