Sodinokibi

Sodinokibi, sometimes also called REvil, is a ransomware-type malware - it encrypts files on infected machines and demands a ransom from the victims to restore the files. Sodinokibi is distributed with a Ransomware-as-a-Service business model, allowing anybody who is able to pay to become an operator of the virus.

  • Type
    Ransomware
  • Origin
    ex-USSR
  • First seen
    1 April, 2019
  • Last seen
    20 November, 2019
  • Also known as
    REvil, Sodin

What is Sodinokibi?


Sodinokibi is a very sophisticated ransomware, seemingly developed by a group with vast experience in the field. It bears a lot of similarities to another malware called GandCrab - so much so, in fact, that it is believed to have been created by the same group of cybercriminals. However, while GandCrab was already a complicated and dangerous ransomware, Sodinokibi can be considered its much-upgraded version.

Sodinokibi encrypts files with curve25519/Salsa20 and encrypts keys with curve25519/AES-256-CTR. The malware uses two public keys to encrypt the private key of the user. In addition, this virus obfuscates its command and control servers and can operate using an asymmetric key scheduling algorithm, which allows the malware to function without a connection to the C2.

General description of Sodinokibi

Sodinokibi first appeared on the radar of cybersecurity researchers in April of 2019, when the malware was featured in a campaign that exploited the Oracle WebLogic Server vulnerability.

The campaign began shortly before another similar malware called GandCrab was officially shut down for good. Some researchers believe that Sodinokibi is a “spiritual successor” of GandCrab, while others support the theory that it is, in fact, the next generation of the same virus. Some evidence suggests that this theory is correct.

Among such evidence are the vast similarities in the code of both malware families and the fact that, in the early stages of Sodinokibi's life cycle, the criminals used to deploy GandCrab after running Sodinokibi on all infected machines as a precaution, likely because Sodinokibi hadn’t yet been thoroughly tested in operation.

Another piece of evidence in favor of this theory is an attack that took place in February 2019, when GandCrab was used to infect victims by compromising Managed Service Providers. Some time later, the same attack took place again, but instead of GandCrab, it featured Sodinokibi ransomware.

In addition, the fact that Sodinokibi became popular just as GandCrab started to cease operations cannot be ignored, and it would be strange to dismiss it as a coincidence. On top of that, both malware families use very similar distribution methods - something we will explore later in the article.

Finally, it is thought that the GandCrab authors started “feeling the heat” and, worried that their operation could be uncovered, decided to go under the radar by terminating sales of the publicly available GandCrab in favor of a more advanced malware which could be sold to private parties.

Of course, none of these points is solid evidence, and we can only assume that both viruses are the result of the work of the same people.

Let’s talk about the behavior of Sodinokibi.

At the beginning of the execution process, the malware creates a mutex with a hardcoded name. Then, it decrypts the configuration embedded in the binary. At this stage, Sodinokibi tries to obtain system privileges by exploiting CVE-2018-8453. In some cases, this step is disabled in the configuration or may simply fail. Then, it tries to obtain privileges by running as an administrator.

Following the privilege escalation stage, the ransomware collects basic system and user data. If it finds that the UI or keyboard layout language is set to one of the pre-programmed languages, execution is terminated. Many of these languages originate from post-USSR territories, which may suggest that the malware authors also come from ex-USSR countries.

If the target PC uses none of the specified UI or keyboard layout languages, the virus terminates processes by PRC value and proceeds to erase shadow copies. At this point, the data encryption process begins. The ransomware encrypts all user files unless exceptions are found in the configuration; this is where an attacker can customize their campaign. An extension is then added to all encrypted documents and a README text file is placed in the directories. Finally, the wallpaper is changed to the ransom demand message.

The contents of the ransom note and the README file can be customized by the attackers in the config file. Once again, this gives the malware the flexibility it needs to operate as ransomware-as-a-service: different attackers can demand ransoms of various sums and provide custom instructions to victims.

Interactive analysis of Sodinokibi

ANY.RUN provides the ability to watch the Sodinokibi ransomware in action via an interactive virtual sandbox simulation.

Figure 1: Processes launched by Sodinokibi during its life cycle.

Figure 2: Wallpaper with the ransom message set by Sodinokibi.

Sodinokibi execution process

Sodinokibi won't run malicious activity on systems where the UI and keyboard languages are set to specific values, such as Russian, Ukrainian, and 18 others. Although Sodinokibi is a high-quality piece of malware, its execution and system infection process is, in general, quite straightforward and similar to other ransomware - it encrypts files, erases shadow copies and places ransom notes across the file system. The process tree also doesn't look very exciting because all main activities are performed by a single executable. For all infected files, the ransomware changes the extension to a generated one. The added extension is the same as the victim ID, which is unique and made by combining the hash of the value returned by the CPUID instruction with the volume serial number. It should be noted that Sodinokibi will also try to encrypt files on network shares. After completion of the encryption process, the ransomware sets the background wallpaper to a ransom message.
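A defender-side triage check based on the behaviour described in the two passages above (an added example, not ANY.RUN's code): it walks a directory tree, finds the appended extension that dominates the files, and counts directories holding a README note. The extension ".5ab3c7e1" and the note file name are constructed stand-ins, not real Sodinokibi values.

```python
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Sodinokibi appends one victim-specific extension to every file it encrypts
# and drops a README note in each directory, so a share on which one unknown
# extension suddenly covers most files, plus README notes everywhere, is a
# strong indicator of an encryption event worth escalating.

COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".exe", ".dll"}

def scan_tree(root):
    """Count file extensions under root and collect directories holding a README note."""
    exts, note_dirs, total = Counter(), set(), 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if "readme" in low and low.endswith(".txt"):
                note_dirs.add(dirpath)          # ransom note, not a user file
                continue
            exts[Path(name).suffix.lower()] += 1
            total += 1
    return exts, note_dirs, total

def assess(root, threshold=0.8):
    """Flag root when one uncommon extension covers >= threshold of files and notes exist."""
    exts, note_dirs, total = scan_tree(root)
    if total == 0:
        return {"suspicious": False, "files": 0}
    ext, count = exts.most_common(1)[0]
    share = count / total
    suspicious = share >= threshold and ext not in COMMON_EXTS and bool(note_dirs)
    return {"suspicious": suspicious, "extension": ext, "share": round(share, 2),
            "note_dirs": len(note_dirs), "files": total}

def demo(infected=True):
    """Build a constructed sample tree in a temp dir, assess it, and clean up."""
    base = tempfile.mkdtemp()
    try:
        tag = ".5ab3c7e1"   # constructed stand-in for the generated victim-ID extension
        for sub in ("docs", "docs/2019", "photos"):
            d = Path(base, sub)
            d.mkdir(parents=True, exist_ok=True)
            for stem in ("report.docx", "budget.xlsx", "scan.pdf"):
                (d / (stem + tag if infected else stem)).write_text("x")
            if infected:
                (d / "5ab3c7e1-readme.txt").write_text("constructed ransom note")
        return assess(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Pointing assess() at a real share root gives the same dictionary; a result with "suspicious" set to True and a note directory count close to the number of directories matches the post-encryption state described above.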

Interestingly, the authors of Sodinokibi created a high-quality website at the domain decryptor.top, where victims can use a trial decryptor and decrypt three images for free. Besides the decryption function, this website provides various information such as a countdown (after the time runs out, the ransom amount will be set to 5,000 dollars), instructions on how to buy bitcoins and where to send them, as well as information about the decryption process. If decryptor.top is not available, victims can visit its .onion clone through the Tor browser.

How does Sodinokibi spread?

To infiltrate the machines of its victims, Sodinokibi takes advantage of quite a number of infection vectors, most of which are very similar to those of its predecessor, GandCrab.

As such, the RaaS is known to exploit the CVE-2019-2725 vulnerability and to use the RIG exploit kit. Additionally, Sodinokibi spreads via compromised managed service providers. And, as icing on the cake, on top of the attack vectors mentioned above, this ransomware is often distributed in malicious spam campaigns.

Sodinokibi communication with C&C

Interestingly, while many ransomware families need to connect to a C2 to exchange encryption keys, Sodinokibi uses what is called an asymmetric key scheduling algorithm.

This enables the RaaS to operate without any network connection, without giving the user any chance to get their hands on data that could help with file decryption. However, by tweaking the config file, attackers can optionally make the malware connect to the control server to retrieve general system data from infected machines.

System and user data are then transmitted to a broad list of web domains, many of which look completely legitimate - possibly compromised WordPress websites, which may be included to hide the real C&C web address. In return, Sodinokibi can receive and read the response from the server, but the response is not saved or used in any way during the operation.

How to prevent Sodinokibi attacks?

While the use of vulnerabilities allows this ransomware to infect machines without any action from the user, basic rules of online hygiene can still greatly decrease the probability of “catching” this virus.

In particular, not downloading attachments from suspicious emails or emails from unknown senders, and keeping macros disabled in Microsoft Office, completely guarantees that one won’t be infected with Sodinokibi via a malicious spam email campaign.

How to get more info from the analysis of Sodinokibi ransomware using ANY.RUN?

Since the crooks behind Sodinokibi offer decryption of three images for free, you can use the interactivity of ANY.RUN to take additional steps in your analysis. Open the website specified in the ransom note in the browser and follow all the steps to decrypt the images to get a bigger picture of the ransomware infection process.

Figure 3: Sodinokibi payment website.

Conclusion

Since its introduction in 2019, thousands of computers have already been infected with Sodinokibi, and this malware continues to be an ongoing danger.

Borrowing much of its functionality from the already quite powerful GandCrab ransomware, Sodinokibi improves on it even further to become a real powerhouse among ransomware. Unfortunately, evidence suggests that this malware is developed by experienced cybercriminals who know how to build and distribute a virus, and its accessibility thanks to the malware-as-a-service business model makes it a real threat to businesses and individuals all around the world.

Thankfully, interactive analysis services like ANY.RUN allow cybersecurity researchers to study such threats and prepare their defenses accordingly.

IOCs

IP addresses

No IP addresses found

Hashes
Domains

No domains found
