Sodinokibi ransomware, also known as Sodin and REvil, is hardly three months old, yet it has quickly become a topic of discussion among cybersecurity professionals because of its apparent connection with the infamous-but-now-defunct GandCrab ransomware.

Detected by Malwarebytes as Ransom. Sodinokibi, Sodinokibi is a ransomware-as-a-service (RaaS), just as GandCrab was, though researchers believe it to be more advanced than its predecessor. We’ve watched this threat target businesses and consumers equally since the beginning of May, with a spike for businesses at the start of June and elevations in consumer detections in both mid-June and mid-July. Based on our telemetry, Sodinokibi has been on the rise since GandCrab’s exit at the end of May.

ANALYSIS OF THE ATTACK

The initial infection vector used by the threat actor is a phishing email containing a malicious link. When pressed, the link downloads a supposedly legitimate zip file that is actually malicious. Sodinokibi zip files have a very low detection rate on Virus Total, which signals that the majority of antivirus vendors do not flag the initial payload as malicious. Since the initial Sodinokibi payload is able to pass undetected, the first layer of defense for many organizations is immediately bypassed. The zip file contains an obfuscated JavaScript file. When the user double clicks on the JavaScript file, WScript executes it. The JavaScript file deobfuscates itself by rearranging characters from a list called eiculwo, which is located in the JavaScript file. The variable vhtsxspmssj, located in the JavaScript file, is an obfuscated PowerShell script that will be deobfuscated by the attackers later on in the attack.

Type and source of infection

Ransom. Sodinokibi is ransomware that encrypts all the files on local drives except for those that are listed in their configuration file.

Targeted files have the extensions .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, ,php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd.

For more Cyber Security Information Contact us at help@theweborion.com