Sodinokibi Ransomware

What is Sodinokibi?

In April 2019, Cybereason Nocturnus discovered and analysed a new ransomware family called Sodinokibi. Sodinokibi (also known as Sodin, Sodi or REvil) became the fourth most common ransomware within four months of its first appearance. Together with GandCrab, it is responsible for heavy damage at multiple organisations. Initially, Sodinokibi operators mostly attacked targets in Asia; more recently they have chosen their victims in Europe.

It is one of the most active ransomware families. Its authors update it constantly and further development is expected. Its key advantage is that organisations' antivirus systems and additional protective measures cannot easily detect it.

In particular, it operates as Ransomware-as-a-Service (RaaS), meaning that its authors earn money in more than one way: from the ransoms they collect themselves, and by selling access to the kit to affiliates, who then run attacks with their own build of the ransomware. Another distinctive feature is that it exploits a vulnerability in Oracle WebLogic servers.

When the ransomware first appeared, it exploited vulnerabilities in servers and other critical assets. Other infection methods were identified afterwards, such as phishing or spam e-mail.

All these features made it the most lucrative ransomware of its time. It should be noted that profits from Sodinokibi attacks exceeded those of Ryuk by 8%.

Summary of Sodinokibi features and characteristics

Sodinokibi ransomware:

  • Prevents data recovery by deleting volume shadow copies
  • Exploits CVE-2018-8453 for privilege escalation
  • Encrypts files with Salsa20, with per-file keys derived via Curve25519
  • Encrypts keys with Curve25519 and AES-256-CTR
  • Uses two public keys to encrypt the victim's private key
  • Uses an AES-based pseudo-random generator for encryption keys, IVs and URLs
  • Obfuscates its C2 traffic with a large domain list (1,079 domains)
  • Its asymmetric key scheme means no C2 connection is needed in order to encrypt
  • Uses the "Heaven's Gate" technique to execute 64-bit exploit code from a 32-bit process (on 64-bit operating systems)
  • Avoids executing on systems with certain language settings (largely those of former USSR countries)

Sodinokibi ransom

In 2020, the average ransom that Sodinokibi attackers demanded was $180,763; during the same year, ransom demands across all ransomware families ranged between $25,000 and $2,000,000. It is also worth noting that Sodinokibi operators double the ransom if the initial amount is not paid within 7 days.

Finally, Sodinokibi attackers demand payment in the Monero cryptocurrency (XMR). If the victim chooses to pay in Bitcoin instead, they charge an additional 10%.

This is a real execution of the Sodinokibi ransomware process (media not reproduced in this text):

How does Sodinokibi ransomware work?

Sodinokibi usually gains its initial access through the following vectors (share of observed cases in brackets):

1. Exposed or weakly secured Remote Desktop Protocol (RDP) (65%)
2. An Oracle WebLogic vulnerability that allows remote code execution over the network by bypassing authentication (8%)
3. Spam or phishing e-mails (18%) containing malicious attachments or links
4. Malvertising campaigns delivering the RIG exploit kit
5. Compromised networks of managed service providers (MSPs)

Double extortion by Sodinokibi operators

Sodinokibi attackers are known to use blackmail to extract a higher profit from the ransom: besides encrypting data, they threaten to leak the data they have stolen. Victims cannot easily deal with this double extortion, as it puts intellectual property and the organisation's reputation at risk.

Even if an organisation keeps backups, there is still a risk that the data will be published on a public leak site or on the dark web.

The Sodinokibi method

Initial intrusion

Once inside the network, the attacker typically launches PowerShell with an encoded command (powershell.exe -e {base64-encoded command}). The ransomware then stops and disables services whose names contain any of the following strings: Mepocs, vss, memtas, sql, veeam, sophos, backup, svc$

On an infected system it also terminates the following processes, so that open documents and databases can be encrypted: Winword, ocssd, sql, encsvc, oracle, outlook, thebat, tbirdconfig, powerpnt, onenote, dbeng50, dbsnmp, ocomm, xfssvccon, mspub, msaccess, infopath, visio, steam, isqlplussvc, wordpad, agntsvc, excel, synctime, mydesktopservice, ocautoupds, mydesktopqos, thunderbird, firefox, sqbcoreservice.

The original infection vector is often a phishing e-mail containing a malicious link. When the victim clicks it, the link downloads a seemingly legitimate but actually malicious .zip file. This archive contains an obfuscated JavaScript file; when the user double-clicks it, Windows Script Host (wscript.exe) executes it.

More generally, a Sodinokibi attacker prepares the ground before the final attack.

In particular, it deletes all backups that the victim keeps across the network and its systems.

It also overwrites them with random bytes to eliminate any possibility of recovery. In addition, it deletes the volume shadow copies from the machine using vssadmin.exe.
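The pre-encryption steps described above (the encoded PowerShell launch, the service and process kill lists, the WScript-launched JavaScript dropper and the shadow-copy deletion) leave command-line and process-termination traces that endpoint telemetry can be matched against. The following is an added example, not code from the original article or from the malware: detection rules in Python run over Sysmon-style events that are constructed here, not real logs. The rule names, the 10-second window and the "three distinct processes" threshold are assumptions chosen for the example.

```python
"""Detection rules for the pre-encryption steps described above, run over constructed
Sysmon-style events. Added example, not code from the page or from the malware."""
import base64
import re
from datetime import datetime, timedelta

# Service and process lists as quoted on the page. REvil matches service names as
# substrings, so "veeam" also covers a service called VeeamBackupSvc.
STOP_SERVICES = ["mepocs", "vss", "memtas", "sql", "veeam", "sophos", "backup", "svc$"]
KILL_PROCESSES = {
    "winword", "ocssd", "sql", "encsvc", "oracle", "outlook", "thebat", "tbirdconfig",
    "powerpnt", "onenote", "dbeng50", "dbsnmp", "ocomm", "xfssvccon", "mspub", "msaccess",
    "infopath", "visio", "steam", "isqlplussvc", "wordpad", "agntsvc", "excel", "synctime",
    "mydesktopservice", "ocautoupds", "mydesktopqos", "thunderbird", "firefox", "sqbcoreservice",
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -ExecutionPolicy must not match.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# Constructed events (Sysmon EventID 1 = process create, 5 = terminate), not real telemetry.
EVENTS = [
    {"EventID": 1, "UtcTime": "2020-05-04 09:58:40", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice_2020.js"'},
    {"EventID": 1, "UtcTime": "2020-05-04 10:00:01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -e " + base64.b64encode(
         "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }".encode("utf-16-le")).decode()},
    {"EventID": 1, "UtcTime": "2020-05-04 10:00:02", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop VeeamBackupSvc /y"},
    {"EventID": 1, "UtcTime": "2020-05-04 10:00:02", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop SophosHealth"},
    {"EventID": 1, "UtcTime": "2020-05-04 10:00:03", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 5, "UtcTime": "2020-05-04 10:00:04", "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 5, "UtcTime": "2020-05-04 10:00:04", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 5, "UtcTime": "2020-05-04 10:00:05", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 1, "UtcTime": "2020-05-04 10:05:00", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler"},                 # benign: Spooler is not on the list
]

def decode_encoded_powershell(cmdline: str):
    """Return the decoded script when the command line carries -e/-enc/-EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def _name(image: str) -> str:
    base = image.rsplit("\\", 1)[-1].lower()              # executable name without path
    return base[:-4] if base.endswith(".exe") else base

def check_process_create(ev: dict) -> list:
    """Rules for one process-creation event; returns (rule, detail) pairs."""
    hits, image, cmd = [], _name(ev["Image"]), ev.get("CommandLine", "")
    low = cmd.lower()
    if image == "powershell":
        script = decode_encoded_powershell(cmd)
        if script is not None:
            hits.append(("encoded_powershell", script))
            low = script.lower()                          # re-inspect the decoded payload
    toks = low.split()
    if "delete" in low and ("shadows" in low or "shadowcopy" in low):   # vssadmin or WMI form
        hits.append(("shadow_copy_deletion", cmd))
    if image in {"net", "net1", "sc"} and "stop" in toks:
        i = toks.index("stop")
        svc = toks[i + 1] if i + 1 < len(toks) else ""
        if any(k in svc for k in STOP_SERVICES):
            hits.append(("backup_or_security_service_stop", svc))
    if image in {"wscript", "cscript"} and re.search(r"(?i)\\(temp|downloads)\\.*\.(js|jse|vbs)\b", cmd):
        hits.append(("script_host_from_user_path", cmd))
    return hits

def check_kill_burst(events: list, window_s: int = 10, min_distinct: int = 3) -> list:
    """Flag a window in which several kill-list processes terminate within window_s seconds."""
    term = sorted((datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"), _name(e["Image"]))
                  for e in events if e["EventID"] == 5)
    term = [(t, n) for t, n in term if n in KILL_PROCESSES]
    for i, (t0, _) in enumerate(term):
        names = {n for t, n in term[i:] if t - t0 <= timedelta(seconds=window_s)}
        if len(names) >= min_distinct:
            return [("mass_process_termination", sorted(names))]
    return []

def analyse(events: list) -> list:
    """Run every rule; returns (time, rule, detail) triples, creation events in time order."""
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 1:
            findings += [(ev["UtcTime"], r, d) for r, d in check_process_create(ev)]
    findings += [(None, r, d) for r, d in check_kill_burst(events)]
    return findings

if __name__ == "__main__":
    for when, rule, detail in analyse(EVENTS):
        print(when, rule, str(detail)[:60])
```

The encoded command is decoded and re-inspected, so a shadow-copy deletion hidden inside the base64 payload is caught by the same rule as a plain vssadmin call. Service names are matched as substrings, mirroring how the malware applies its own list, which is also why the benign `net stop Spooler` produces no finding.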

Sodinokibi encryption keys

Once the attacker has gained access to the victim's systems, he escalates privileges to make it easier to spread the malware. This is how the organisation's resources finally end up exposed.

In the first stage, Sodinokibi generates a Curve25519 key pair for the victim. The public key from this pair is later used to derive the Salsa20 keys that encrypt the files.

The private key of this pair is generated with a fairly sophisticated AES-based PRNG and is then encrypted with AES-256-CTR under keys derived from the attackers' public keys, so that only the attackers can recover it.

The ransomware not only encrypts and/or deletes backup files directly but also makes further use of the company's data. Sodinokibi also applies code obfuscation and evasion techniques to avoid detection by antivirus software.

More specifically, Sodinokibi (REvil) collects and sends out the following data:

  • Files and documents
  • System architecture
  • User name
  • Computer name
  • Workgroup
  • Processor information

What is the new format of encrypted files?

Data encryption

Sodinokibi encrypts all files on local drives except those whitelisted in its configuration file. Examples of the file types it encrypts include: .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, .psd, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .jpg, .jpeg, .raw, .tif, .png.

If encryption succeeds, Sodinokibi changes the desktop wallpaper so that the victim realises there is a ransomware attack. Usually the message "You are infected! Read 9781xsd4-HOW-TO-DECRYPT.txt!" is placed at the top centre of the screen in white text.

Once the attacker has compromised the system, he encrypts the victim's files, and each file acquires a new extension.

The new extension consists of 5-10 random alphanumeric characters generated by the encryption tool (for example 62n7paf43), and it is the same for every file of a given victim.

Sodinokibi uses I/O completion ports to parallelise encryption and make it fast. Files are encrypted with Salsa20, each with its own key. A layered key sche protects these keys, so the victim cannot decrypt the files without the private key held by the attackers.

Sodinokibi ransom note

The victim finds a ransom note as a .txt file in every folder containing encrypted files. This file gives the victim the instructions needed to recover the files.

Its name combines the random extension with the word "readme", e.g. 62n7paf43-readme.txt. Each ransom note also includes a unique key (ID) and the address of a Tor (.onion) payment portal. As expected, this portal is different for each victim and shows:

  • The time remaining before the attackers double the ransom
  • The ransom amount in Monero (XMR)
  • An online chat for communicating with the attackers

The victim can also upload a sample encrypted file to the portal to have it decrypted, as proof that the attackers can actually recover the files. It is worth noting that once the victim enters the Tor portal, the 7-day payment countdown starts.

Since the ransom note contains all of this information, the victim must under no circumstances delete it.
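To identify a Sodinokibi infection from the artefacts described above (a random extension appended to every file, one <ext>-readme.txt note per folder, a key/ID and a Tor address inside the note), an incident responder usually wants a quick inventory before touching anything. The following is an added example, not code from the original article: a Python triage script run over a constructed victim directory. The note text, the .onion host and the key are placeholders constructed for the example, not real operator artefacts, and the note-name patterns are taken from the examples on this page.

```python
"""Triage of a Sodinokibi-style infection: find files carrying the random extension,
pair them with the <ext>-readme.txt notes and pull the key and portal address out of a
note. Added example, not code from the page; the victim tree, note text, .onion host
and key below are constructed placeholders, not real artefacts."""
import os
import re
import tempfile
from collections import defaultdict

EXT_RE = re.compile(r"^[a-z0-9]{5,10}$")
NOTE_RE = re.compile(r"^(?P<ext>[a-z0-9]{5,10})-(?:readme|HOW-TO-DECRYPT)\.txt$", re.I)
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.I)
KEY_RE = re.compile(r"(?im)^\s*key:\s*([A-Za-z0-9+/=_-]{20,})")

NOTE_TEMPLATE = (                              # shape described on the page, constructed text
    "All of your files are encrypted!\n"
    "Extension name: {ext}\n"
    "Open our website with the Tor browser: http://{onion}.onion/{ext}\n"
    "Key: {key}\n"
)
FAKE_ONION = "example" * 8                      # 56 base32-looking characters, placeholder
FAKE_KEY = "Q29uc3RydWN0ZWRLZXlGb3JUaGlzRGVtb09ubHk="   # placeholder, not a real victim key


def parse_note(text: str) -> dict:
    """Extract the victim key/ID and the portal URL from a ransom note."""
    key, portal = KEY_RE.search(text), ONION_RE.search(text)
    return {"key": key.group(1) if key else None, "portal": portal.group(0) if portal else None}


def triage(root: str):
    """Walk root; return ({ext: {files, notes, key, portal}}, {unconfirmed_ext: count}).
    An extension is only confirmed when a matching <ext>-readme.txt exists, which keeps
    legitimate 5-10 character extensions (.sqlite, .torrent) out of the result."""
    by_ext, notes = defaultdict(list), defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes[m.group("ext").lower()].append(os.path.join(dirpath, name))
                continue
            _, dot, ext = name.rpartition(".")
            if dot and EXT_RE.match(ext):
                by_ext[ext].append(os.path.join(dirpath, name))
    confirmed = {}
    for ext, paths in notes.items():
        with open(sorted(paths)[0], encoding="utf-8", errors="replace") as fh:
            info = parse_note(fh.read())
        confirmed[ext] = {"files": sorted(by_ext.get(ext, [])), "notes": sorted(paths), **info}
    unconfirmed = {ext: len(p) for ext, p in by_ext.items() if ext not in notes}
    return confirmed, unconfirmed


def build_sample(root: str, ext: str = "62n7paf43") -> None:
    """Constructed victim tree: two folders of 'encrypted' files with a note in each, plus
    one benign file whose legitimate extension happens to look random."""
    note = NOTE_TEMPLATE.format(ext=ext, onion=FAKE_ONION, key=FAKE_KEY)
    layout = {"Documents": ["q3-budget.xlsx", "contract.docx"], "Pictures": ["team.jpg"]}
    for folder, names in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, f"{n}.{ext}"), "wb") as fh:
                fh.write(os.urandom(64))                 # stands in for the ciphertext
        with open(os.path.join(d, f"{ext}-readme.txt"), "w", encoding="utf-8") as fh:
            fh.write(note)
    with open(os.path.join(root, "cache.sqlite"), "wb") as fh:
        fh.write(b"\x00" * 16)


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    confirmed, unconfirmed = demo()
    for ext, info in confirmed.items():
        print(ext, len(info["files"]), "files,", len(info["notes"]), "notes, portal:", info["portal"])
    print("unconfirmed extensions:", unconfirmed)
```

Requiring the matching note before an extension is reported is what makes this usable on a real file server: a legitimate .sqlite or .torrent file has a plausible-looking extension but no <ext>-readme.txt next to it, so it lands in the "unconfirmed" bucket for a human to check instead of inflating the count of encrypted files.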

Can I stop the spread of Sodinokibi?

Disconnecting infected devices from the network prevents further encryption on other devices. Once this isolation is done, scanning with antivirus software can start in order to remove the malware; the exposed services and open ports that left the organisation's network reachable should then be closed.

How much does recovery cost after a Sodinokibi ransomware attack?

Several factors influence the total cost of recovering encrypted files. In particular, the cost of recovery depends on the:

  • number of encrypted systems
  • amount of ransom requested
  • assessment costs
  • selected service priority

Tictac has considerable experience in negotiating lower ransoms. Sodinokibi operators certainly size the requested ransom according to the size and type of business.

How long does recovery from a Sodinokibi attack take?

Many factors contribute to the recovery time, such as:

  • Cleaning the environment of malware
  • Identifying and closing the vulnerabilities
  • Negotiation time
  • Compliance checks and the ransom payment procedure
  • For the decryption of files: the size of the network, the number, type and size of files, and backup and data verification

For a network with 1-3 servers and 10-15 workstations, the full recovery process takes about 1-3 working days.

How to decrypt Sodinokibi ransomware

If your files have been encrypted by Sodinokibi ransomware, the first step is to assess which recovery options are available.

Unlock encrypted files

Sodinokibi combines Curve25519, AES and Salsa20, which makes the encryption practically impossible to break, and no implementation flaws are known in this malware that would allow recovery. Without the attackers' private key, paying the ransom is therefore the only way to obtain a decryptor.
As with many other ransomware variants, however, we can help recover certain types of files without paying the ransom. Contact a Tictac representative.

Sodinokibi Ransomware Decryption

The fact is that files encrypted by REvil/Sodinokibi cannot be decrypted without the attackers' key; no decryption keys are publicly available to restore the data. As mentioned above, Sodinokibi carries two different public keys, one in its JSON configuration and the other embedded in the binary itself. Both are used to encrypt the locally generated private key, which is generally understood to let both the affiliate running the campaign and the core operators recover it. (A later development: in September 2021 Bitdefender, in cooperation with law enforcement, released a free decryptor covering infections from before 13 July 2021; it does not apply to later variants.)
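The key scheme described in the key generation and data encryption sections above, and summarised again here, is what makes offline decryption impossible and a command-and-control exchange unnecessary. The following is an added example, not code from the original article or from the malware: a stdlib-only Python model of that hierarchy with X25519 (RFC 7748) and Salsa20 implemented inline. Assumptions: SHA-256 stands in for the malware's key derivation, Salsa20 is also used in place of the AES-256-CTR wrapping of the session private key, and the per-file footer and CRC layout are not modelled.

```python
"""Model of the Sodinokibi/REvil key hierarchy (Curve25519 + Salsa20), stdlib only.
Added example, not the malware's code. Assumptions: SHA-256 as the key derivation,
Salsa20 also in place of AES-256-CTR for wrapping the session private key."""
import hashlib, os, struct

P, M32 = 2**255 - 19, 0xFFFFFFFF
G = (9).to_bytes(32, "little")                 # Curve25519 base point (u = 9)

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder: returns scalar * point (32 bytes)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64       # clamp the scalar
    k = int.from_bytes(k, "little")
    u = bytearray(point); u[31] &= 127
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _rotl(v, c):
    return (((v & M32) << c) | ((v & M32) >> (32 - c))) & M32

def _salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    c = struct.unpack("<4I", b"expand 32-byte k")
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    s = [c[0], *k[:4], c[1], *n, counter & M32, counter >> 32, c[2], *k[4:], c[3]]
    x = list(s)

    def qr(a, b, cc, d):
        x[b] ^= _rotl(x[a] + x[d], 7)
        x[cc] ^= _rotl(x[b] + x[a], 9)
        x[d] ^= _rotl(x[cc] + x[b], 13)
        x[a] ^= _rotl(x[d] + x[cc], 18)

    for _ in range(10):                          # 10 double rounds = 20 rounds
        qr(0, 4, 8, 12); qr(5, 9, 13, 1); qr(10, 14, 2, 6); qr(15, 3, 7, 11)   # columns
        qr(0, 1, 2, 3); qr(5, 6, 7, 4); qr(10, 11, 8, 9); qr(15, 12, 13, 14)   # rows
    return struct.pack("<16I", *((x[i] + s[i]) & M32 for i in range(16)))

def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the Salsa20 keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = _salsa20_block(key, nonce, off // 64)
        out += bytes(p ^ q for p, q in zip(data[off:off + 64], ks))
    return bytes(out)

def _kdf(shared: bytes) -> bytes:
    return hashlib.sha256(shared).digest()       # assumption: stand-in for the real KDF

def seal_to(pub: bytes, plaintext: bytes) -> bytes:
    """Encrypt to a public key with a fresh ephemeral pair; output eph_pub || ciphertext."""
    esk = os.urandom(32)
    return x25519(esk, G) + salsa20_xor(_kdf(x25519(esk, pub)), bytes(8), plaintext)

def open_with(priv: bytes, blob: bytes) -> bytes:
    """Inverse of seal_to for the holder of the matching private key."""
    return salsa20_xor(_kdf(x25519(priv, blob[:32])), bytes(8), blob[32:])

def infect(operator_pubs: list, files: dict):
    """Victim side: a per-victim session key pair whose private half exists in the clear only
    until it is wrapped under each operator public key; each file gets its own ephemeral key."""
    ssk = os.urandom(32)
    spk = x25519(ssk, G)
    wrapped = [seal_to(pk, ssk) for pk in operator_pubs]
    encrypted = {name: seal_to(spk, data) for name, data in files.items()}
    return spk, wrapped, encrypted               # ssk is not kept anywhere

def recover(operator_priv: bytes, wrapped_blob: bytes, encrypted: dict) -> dict:
    """Operator side: unwrap the session private key, then open every file."""
    ssk = open_with(operator_priv, wrapped_blob)
    return {name: open_with(ssk, blob) for name, blob in encrypted.items()}

def demo():
    """Both operator keys recover everything; the victim, holding only public material, cannot."""
    bin_sk, cfg_sk = os.urandom(32), os.urandom(32)        # binary-embedded and config keys
    pubs = [x25519(bin_sk, G), x25519(cfg_sk, G)]
    files = {"q3-report.docx": b"constructed sample document", "db.sql": os.urandom(200)}
    spk, wrapped, enc = infect(pubs, files)
    victim_try = open_with(spk, enc["db.sql"])             # wrong key: garbage out
    return files, recover(bin_sk, wrapped[0], enc), recover(cfg_sk, wrapped[1], enc), victim_try

if __name__ == "__main__":
    files, by_bin, by_cfg, victim_try = demo()
    print(by_bin == files, by_cfg == files, victim_try == files["db.sql"])   # True True False
```

Everything the ransomware needs at encryption time is public-key material embedded in the binary and its configuration, so no key exchange with a server is required, and once the session private key has been wrapped no key capable of decrypting the files remains on the victim host. That is why a memory dump or a network capture taken after the fact does not help, and why the only recoverable secret is the attackers' private key.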

Protection against a Sodinokibi attack

Organisations whose security systems are monitored by a SOC have been able to prevent Sodinokibi attacks. Independently of the victim's defences, REvil/Sodinokibi also contains a built-in exclusion: it checks the system language and the installed keyboard layouts and exits without encrypting when it finds one of the following: Azerbaijani (Latin), Georgian, Tatar, Romanian, Azeri, Kazakh, Kyrgyz, Turkmen, Uzbek (Latin), Uzbek, Ukrainian, Russian, Belarusian, Tajik, Armenian, Syriac, Syrian Arabic. This is an operator choice, not a defence to rely on; the list can change from one build to the next.

Prevention against Sodinokibi

An organisation should carry out a technological and human risk analysis so as to be prepared for a Sodinokibi attack, or to avoid it altogether. In particular, every organisation should scan its network regularly to identify vulnerabilities and weaknesses, and penetration tests should be carried out.

In addition, staff should be trained and kept continuously informed about cyber threats. Simulation exercises for phishing and smishing are particularly important.

More generally, at the level of organisational risk analysis, the organisation should assess its compliance concerning GDPR and ICT.

Security advice

Every organisation should keep backup copies of its files, both locally and in the cloud, stored so that an attacker who has gained access to the network cannot reach and delete them. In any case, staff should not download files from suspicious sites or click on suspicious links.

Advanced cyber security to combat ransomware

We have seen that ransomware attacks target victims from whom high ransom amounts can be obtained.

It is important to stress, in view of these new cybercrime tactics, that even if the victim pays the ransom there is no guarantee that the data can be decrypted and recovered.

Nor is there any certainty that the stolen information will not be used for other malicious purposes.

You can contact our specialised Ransomware Incident Response team.

To prevent such complex situations, an organisation should use advanced endpoint protection with EDR capabilities.

The truth is that ransomware is a real threat, and it is difficult to deal with without proper protection and guidelines.

Contact Tictac to learn about the options for effective protection against ransomware attacks.