Ransomware strains increase and decrease in popularity, but one type whose usage has been growing in frequency is the infamous Sodinokibi Ransomware. Sodinokibi ransomware is a malware threat that has gained traction in cybercriminal circles and has taken up the place of GandCrab ransomware after it was discontinued. The criminals that developed GandCrab offered it as a Ransomware-as-a-Service and decided to retire after allegedly raking in $2 billion in ransom payments.
Ransomware-as-a-service (or RaaS) is a type of software-as-a-service or platform-as-a-service where cybercriminals sell to other cybercriminals malware capable of launching ransomware attacks. This “ransomware delivery model” has taken ransomware attacks to a whole new level. Cybercriminals offer their ransomware-as-a-service – from delivery to taking ransom payments – for hire as a service or via web platforms, typically for a portion of the ransom gains or a fixed fee.
Sodinokibi ransomware appears to not only be following the same Ransomware-as-a-Service path, but according to cybersecurity analysts, it may be distributed by the same group of people as GandCrab. Although Sodinokibi ransomware is not necessarily a direct continuation of GandCrab ransomware, there’s evidence connecting the two ransomware threats together such as coding and behavioral similarities.
Sodinokibi ransomware was first detected in April of 2019 when it was used in an attack that exploited a zero-day Oracle WebLogic Server vulnerability. The severity of the zero-day exploit couldn’t be understated as it allowed the remote execution of code without any of the otherwise required authentication credentials. Oracle issued a patch on April 26, outside of their regular patch cycle, to fix it.
Through the exploit the attackers were able to download the Sodinokibi ransomware payload to the endpoint machines without the need of any user input. Usually, ransomware threats require at least some interaction from victims before the infection can begin. Once inside, Sodinokibi ransomware starts encrypting files with popular extensions that include:
.jpeg, .gif, .png, .xlsx, and many others.
For each infected system, Sodinokibi ransomware generates a distinct alphanumeric string that can be between 5 and 9 characters long and appends it as a new extension to every successfully encrypted file. The ransomware then creates a text or HTA file with the ransom note in every folder containing encrypted files.
Sodinokibi ransomware is particularly insidious, in that this strain of ransomware also has the functionality to prevent the users from restoring the encrypted files through the default Windows backup mechanisms.
Getting Access to Your Files
Instead of putting their instructions and demands in the body of the ransom note, the cybercriminals behind Sodinokibi ransomware direct all affected users towards two websites − a .onion site hosted on the TOR network and one on the public part of the Internet at the domain “decryptor[.]top.” The full text of the note, which shows evidence that it is created by non-English speakers based on issues with grammar and spelling.
Reads in part:
–=== Welcome. Again. ===—
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ———-.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you can’t return your data (NEVER).
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise – time is much more valuable than money.
In order to access either of the sites listed in the note, users have to input a specific key that can be found in the text file of the ransom note. Once the code has been entered, they will be taken to the following landing page that will display the specific extension ID code for the computer system and a countdown timer showing that in two days the ransom sum will double in size − from $2500 to $5000, payable in the Bitcoin cryptocurrency. The website recalculates the Bitcoin/USD rate every 3 hours and updates the shown numbers.
Sodinokibi Ransomware Expands Its Reach
Following the patch that shut down the Oracle WebLogic zero-day, researchers observed variations − an expansion of the methods employed to distribute the Sodinokibi ransomware. In fact, nearly all of the possible distribution methods have now been attempted, most notably:
Spam Email Campaigns, when German users were targeted via a spam email campaign that carried the Sodinokibi ransomware payload in compromised email attachments posing as urgent foreclosure notifications.
Another email campaign pretended to be a “New Booking” from Booking.com. In order to access the supposed booking information, users have to open the attached word file and then allow the execution of macros. Doing so initiates the Sodinokibi ransomware infection.
There are certain steps that could help all users build a strong defense against Sodinokibi ransomware. One of the most reliable methods is to create a system backup that is stored on a drive that isn’t connected to your network. By having access to such a backup, users can simply restore the files that have been taken hostage by the malware with minimal loss of data. In addition, using a legitimate anti-malware program and keeping it up-to-date could mean that some ransomware threats are stopped even before they have had the chance to execute their malicious code.
If you are still having trouble, consider contacting remote technical support options.