Sodinokibi

Sodinokibi, also called REvil, is a ransomware family. It uses a hybrid encryption scheme (Curve25519 key exchange with a Salsa20 stream cipher) and can complete an attack without any connection to its control servers. Sodinokibi is among the most complex ransomware families in circulation.

Type
Ransomware
Origin
ex-USSR
First seen
1 April 2019
Last seen
17 January 2020
Also known as
REvil
Sodin
Global rank
23
Week rank
16
Month rank
16
IOCs
0

What is Sodinokibi?

Sodinokibi, sometimes also called REvil, is ransomware: it encrypts files on infected machines and demands a ransom from the victims to restore them. Sodinokibi is distributed under a Ransomware-as-a-Service (RaaS) business model, so anybody who is able to pay can become an operator of the virus.

Sodinokibi is a very sophisticated ransomware, seemingly developed by a group with vast experience in the field. It bears a lot of similarities to another malware family called GandCrab, so much so that it is believed to have been created by the same group of cybercriminals. However, while GandCrab was already complicated and dangerous ransomware, Sodinokibi can be considered its much-upgraded version.

Sodinokibi encrypts files with Salsa20 under keys derived through Curve25519 key exchange, and protects the key material itself with Curve25519 and AES-256-CTR. The per-victim private key is encrypted under two public keys (the operator's, taken from the sample's configuration, and the developers'), so either party can later decrypt while the victim host never holds a usable private key. Because everything needed for encryption is embedded in the sample, the malware can function without contacting its C2, and the C2 addresses it does use are hidden in a long list of domains.

General description of Sodinokibi

Sodinokibi first appeared on the radar of cybersecurity researchers in April 2019, when the malware was featured in a campaign that exploited a deserialization vulnerability in Oracle WebLogic Server (CVE-2019-2725).

The campaign began shortly before another similar malware, GandCrab, was officially shut down for good. Some researchers believe that Sodinokibi is a "spiritual successor" of GandCrab, while others support the theory that it is, in fact, the next generation of the same virus. Some evidence suggests the latter theory to be correct.

Among such evidence are the vast similarities in the code of both families, and the fact that in the early stages of Sodinokibi's life cycle the criminals used to deploy GandCrab after running Sodinokibi on infected machines, likely as a precaution because Sodinokibi had not yet been thoroughly tested in operation.

Another piece of evidence in favor of this theory is an attack that took place in February 2019, when GandCrab was used to infect victims by compromising Managed Service Providers. Some time later the same kind of attack took place again, but instead of GandCrab it delivered Sodinokibi.

In addition, the fact that Sodinokibi became popular just as GandCrab ceased operations cannot be ignored, and it would be strange to treat it as a coincidence. On top of that, both families use very similar distribution methods, something we explore later in the article.

Finally, it is thought that the GandCrab authors started "feeling the heat" and, worried that their operation could be uncovered, decided to go under the radar by terminating sales of the publicly available GandCrab in favor of a more advanced malware that could be sold to private parties.

Of course, none of these points is solid evidence, and we can only assume that both viruses are the work of the same people.

Let’s talk about the behavior of Sodinokibi ransomware.

At the beginning of execution, the malware creates a mutex with a hardcoded name, then decrypts its embedded configuration. At this stage Sodinokibi tries to obtain SYSTEM privileges by exploiting CVE-2018-8453, a win32k elevation-of-privilege vulnerability; this step can be switched off in the configuration and may fail. If it is still not running elevated, it relaunches itself with the runas verb, repeating the UAC prompt until the user accepts.

Following the privilege escalation stage, the ransomware collects basic system and user data. If it finds that the UI language or keyboard layout is one of a hardcoded list of languages, execution is terminated. Many of these languages are spoken in post-Soviet states, which suggests that the malware authors operate from that region.

When the target PC has none of the listed UI or keyboard layout languages, the malware terminates the processes named in the prc field of its configuration and deletes shadow copies (via vssadmin). At this point the data encryption process begins. The ransomware encrypts all user files except those matching the exclusion lists in the configuration (folders, file names and extensions); this is where an attacker customizes their campaign. A generated extension is then appended to every encrypted file, a README text is placed in each directory, and the wallpaper is changed to the ransom demand message.

The contents of the ransom note and the README file can be customized by the attackers in the config file which, once again, gives the malware the flexibility it needs to operate as ransomware-as-a-service: different affiliates can demand ransoms of various sums and provide their own instructions to victims.
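To make the configuration-driven behaviour above concrete, here is an added triage helper (example code written for this article, not the malware's own code and not ANY.RUN's). The field names follow those reported in public analyses of Sodinokibi configs (wht with fld/fls/ext, prc, dmn, nbody/nname, exp, net); the configuration and the file paths below are constructed for the example and are not indicators of compromise. Given a decrypted config, it answers the questions an analyst asks first: which processes get killed, whether the exploit is attempted, whether the sample will beacon, and which of a set of paths (local disk and a network share) would actually be encrypted.

```python
"""Triage helper for a Sodinokibi-style JSON configuration.

Added example for this article; not code from the malware or from ANY.RUN.
Field names follow those reported in public analyses of REvil configs; every
value below is constructed for illustration and is not an indicator.
"""
import base64
import json
from pathlib import PureWindowsPath

# Constructed sample config (the real one is decrypted from the binary).
SAMPLE_CONFIG = json.dumps({
    "pk": "<operator public key, base64>",   # placeholder, not a real key
    "pid": "7", "sub": "123",                # affiliate / campaign identifiers
    "exp": True,     # attempt the CVE-2018-8453 privilege escalation
    "net": False,    # beacon disabled: encryption works fully offline
    "wht": {         # whitelist: never encrypt these
        "fld": ["windows", "program files", "$recycle.bin"],
        "fls": ["ntldr", "boot.ini", "desktop.ini"],
        "ext": ["exe", "dll", "sys", "lnk"],
    },
    "prc": ["sql.exe", "outlook.exe", "excel.exe"],   # processes to kill first
    "dmn": "example-blog.test;example-shop.test",     # beacon domain list
    "nname": "{EXT}-readme.txt",                       # ransom note file name
    "nbody": base64.b64encode(b"Your files are encrypted! Your ID: {UID}").decode(),
})

# Constructed paths standing in for a directory walk (local disk and a share).
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Desktop\desktop.ini",
    r"C:\Users\alice\tool.exe",
    r"\\fileserver\share\budget.xlsx",
    r"C:\$Recycle.Bin\S-1-5-21\old.txt",
]


def load_config(text: str) -> dict:
    """Parse the JSON and decode the fields stored in packed form."""
    cfg = json.loads(text)
    cfg["nbody"] = base64.b64decode(cfg["nbody"]).decode("utf-8", "replace")
    cfg["dmn"] = [d for d in cfg["dmn"].split(";") if d]
    return cfg


def is_whitelisted(path: str, wht: dict) -> bool:
    """Exclusion check: any whitelisted folder component, an exact file name,
    or a whitelisted extension, all compared case-insensitively."""
    p = PureWindowsPath(path)
    folders = {c.lower() for c in p.parts[1:-1]}   # drop drive/UNC root and name
    fld = {f.lower() for f in wht["fld"]}
    fls = {f.lower() for f in wht["fls"]}
    ext = {e.lower() for e in wht["ext"]}
    return bool(folders & fld) or p.name.lower() in fls \
        or p.suffix.lstrip(".").lower() in ext


def plan(cfg: dict, paths: list) -> dict:
    """Summarise what this config would make the sample do on the given paths."""
    return {
        "escalate": bool(cfg.get("exp")),
        "kill": list(cfg["prc"]),
        "beacon_to": cfg["dmn"] if cfg.get("net") else [],
        "note_name": cfg["nname"],
        "encrypt": [p for p in paths if not is_whitelisted(p, cfg["wht"])],
    }


if __name__ == "__main__":
    for key, value in plan(load_config(SAMPLE_CONFIG), SAMPLE_PATHS).items():
        print(f"{key:>10}: {value}")
```

Note that a file on the UNC share is encrypted even though it is outside the local drive, and that the system folders are skipped by folder name, not by extension alone: the whitelist is what keeps the machine bootable enough to display the ransom note.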

Sodinokibi malware analysis

ANY.RUN provides the ability to watch the Sodinokibi ransomware in action via an interactive virtual sandbox simulation.

Figure 1: Execution process graph showing the processes launched by Sodinokibi during its life cycle.

Figure 2: Workstation desktop after infection, with the wallpaper replaced by Sodinokibi's ransom message.

Sodinokibi execution process

Sodinokibi won't run its malicious activity on systems where the UI or keyboard language is set to one of a list of values, such as Russian, Ukrainian and 18 others. Although Sodinokibi is a well-engineered piece of malware, its execution and system infection process is, in general, quite straightforward and similar to other ransomware: it encrypts files, erases shadow copies and places ransom notes across the file system. The process tree also doesn't look very exciting because all main activities are performed by a single executable. The ransomware appends a generated extension to every encrypted file. That extension matches a unique victim ID, which is built from a hash of the value returned by the CPUID instruction combined with the volume serial number. It should be noted that Sodinokibi will also try to encrypt files on network shares. After the encryption process completes, the ransomware sets the desktop wallpaper to a ransom message.

Interestingly, the authors of Sodinokibi created a high-quality website at the domain decryptor.top, where victims can use a trial decryptor and decrypt three images for free. Besides the decryption function, the website provides various information such as a countdown (after the time runs out, the ransom amount is raised to 5,000 dollars), instructions on how to buy bitcoins and where to send them, and details of the decryption process. If decryptor.top is not available, victims can visit its .onion clone through the Tor browser.

How does Sodinokibi spread?

To infiltrate victims' machines, Sodinokibi takes advantage of quite a number of infection vectors, most of which are very similar to those of its predecessor, GandCrab.

The RaaS is known to exploit CVE-2019-2725 and to be delivered by the RIG exploit kit. Additionally, Sodinokibi spreads via compromised managed service providers. And on top of the attack vectors mentioned above, this ransomware is often distributed in malicious spam campaigns.

Sodinokibi communication with C&C

Interestingly, while many ransomware families need to contact their C2 to exchange encryption keys, Sodinokibi uses what is described as an asymmetric key scheduling scheme.

This lets the RaaS operate without any network connection and never gives the victim a chance to get hold of data that could help with decryption: the file keys are derived from public keys embedded in the configuration, and the matching private keys stay with the attackers. Optionally, by tweaking the config file, attackers can have the malware connect to the control server to report general system data from infected machines.

That system and user data is sent to a long list of web domains, many of which look completely legitimate (possibly compromised WordPress sites), included so that the real C&C address is hidden among them. Sodinokibi receives and reads the server's response, but it is neither saved nor used in any way during the operation.
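The following added example models the key handling described in this section and in the overview above. It is illustration code written for this article, not REvil's implementation, and is simplified from public descriptions. Assumptions: Curve25519 (X25519, implemented here from RFC 7748) for all key agreement; a SHA-256 counter-mode keystream standing in for Salsa20, which is not in Python's standard library; one session key pair per victim; a fresh ephemeral key per file; and the session private key sealed under both an operator and a developer public key before being discarded. It shows why no C2 round trip is needed and why nothing left on the victim host is sufficient to decrypt.

```python
"""Model of Sodinokibi's offline key schedule (added example; not REvil code).

Simplified from public descriptions: the operator's Curve25519 public key is
embedded in the config, a per-victim session key pair is generated at run time,
each file gets a fresh ephemeral ECDH key, and the session private key is sealed
under two public keys (operator and developer) before being discarded. Salsa20
is replaced by a SHA-256 counter-mode keystream (a stand-in, not the real cipher).
"""
import hashlib
import os

P = 2**255 - 19
BASE = bytes([9]) + bytes(31)  # X25519 base point u = 9


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (pure-Python Montgomery ladder)."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64   # clamp scalar
    ki = int.from_bytes(kb, "little")
    ub = bytearray(u); ub[31] &= 127
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (ki >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for Salsa20: XOR data with a SHA-256(key||nonce||counter) keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "little")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def seal(recipient_pub: bytes, plaintext: bytes) -> bytes:
    """ECIES-style wrap: ephemeral key, ECDH with the recipient, stream-encrypt.
    Returns ephemeral_pub || nonce || ciphertext; only recipient_priv can open it."""
    eph_priv, eph_pub = keypair()
    key = hashlib.sha256(x25519(eph_priv, recipient_pub)).digest()
    nonce = os.urandom(8)
    return eph_pub + nonce + stream_xor(key, nonce, plaintext)


def open_sealed(recipient_priv: bytes, blob: bytes) -> bytes:
    eph_pub, nonce, ct = blob[:32], blob[32:40], blob[40:]
    key = hashlib.sha256(x25519(recipient_priv, eph_pub)).digest()
    return stream_xor(key, nonce, ct)


def infect(operator_pub: bytes, developer_pub: bytes, files: dict) -> dict:
    """Victim-side work: needs only the two public keys shipped in the config."""
    sess_priv, sess_pub = keypair()                     # per-victim session pair
    artefacts = {
        "session_pub": sess_pub,
        # the "2 public keys": either private-key holder can unwrap the session key
        "sealed_for_operator": seal(operator_pub, sess_priv),
        "sealed_for_developer": seal(developer_pub, sess_priv),
        # per file: fresh ephemeral ECDH against the session public key; the blob
        # carries the ephemeral public key, so no key ever needs a C2 round trip
        "files": {name: seal(sess_pub, data) for name, data in files.items()},
    }
    del sess_priv                                       # never persisted
    return artefacts


def recover(holder_priv: bytes, artefacts: dict, slot: str) -> dict:
    """Attacker-side decryptor: unwrap the session key, then each file."""
    sess_priv = open_sealed(holder_priv, artefacts[slot])
    return {n: open_sealed(sess_priv, b) for n, b in artefacts["files"].items()}


def demo() -> bool:
    op_priv, op_pub = keypair()        # generated offline by the affiliate
    dev_priv, dev_pub = keypair()      # baked into the builder
    files = {"report.docx": b"quarterly numbers", "photo.jpg": os.urandom(1000)}  # constructed
    art = infect(op_pub, dev_pub, files)
    both_recover = (recover(op_priv, art, "sealed_for_operator") == files
                    and recover(dev_priv, art, "sealed_for_developer") == files)
    # the only key left on the host is a public one; using it as if it were the
    # private key (the best a victim could do offline) yields garbage
    garbage = open_sealed(art["session_pub"], art["files"]["report.docx"])
    return both_recover and garbage != files["report.docx"]
```

The structure is what matters for defenders: because every secret the decryptor needs is wrapped to keys that never touch the victim, blocking the C2 at the perimeter does not stop encryption, and memory forensics can only recover the session private key if the process is captured before it is discarded.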

How to prevent Sodinokibi attacks?

While the use of vulnerabilities allows this ransomware to infect machines without any action by the user, basic rules of online hygiene can still greatly decrease the probability of "catching" this virus.

In particular, not opening attachments in suspicious emails or emails from unknown senders, and keeping macros disabled in Microsoft Office, goes a long way toward preventing infection with Sodinokibi via a malicious spam campaign; it does nothing, however, against the vulnerability-based and MSP-based vectors described above.

How to get more information from Sodinokibi analysis?

Since the crooks behind Sodinokibi offer decryption of three images for free, you can use the interactivity of ANY.RUN to take additional steps in your analysis. Open the website specified in the ransom note in the browser and follow the steps to decrypt the images to get a bigger picture of the ransomware infection process.

Sodinokibi payment website Figure 3: Sodinokibi payment website

Conclusion

Since its introduction in 2019, thousands of computers have been infected with Sodinokibi, and this malware continues to be an ongoing danger.

Borrowing much of its functionality from the already quite powerful GandCrab ransomware, Sodinokibi improves on it further to become a real powerhouse of ransomware. Unfortunately, the evidence suggests that this malware is developed by experienced cybercriminals who know how to build and distribute a virus, and its accessibility thanks to the malware-as-a-service business model makes it a real threat to businesses and individuals all around the world.

Thankfully, malware analysis services like ANY.RUN allow cybersecurity researchers to study such threats and prepare their defenses accordingly.

IOCs

IP addresses

No IP addresses found

Hashes

No hashes found
