Tue, Sep 17, 2019
Through its cyber intake process, Kroll identified 23 ransomware incidents during the month of July 2019 that affected organizations across sectors, including service, retail and education.
Five of the incidents were attributed to Sodinokibi ransomware. Sodinokibi (also known as REvil or Sodin) is a newer ransomware strain that is packaged as ransomware-as-a-service (RaaS), much like its suspected predecessor GandCrab. (See GandCrab Connection discussion in this newsletter.)
According to the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC), one foothold for Sodinokibi ransomware is a known zero-day vulnerability[1] in the Oracle WebLogic Server component of Oracle Fusion Middleware (see the CVE-2019-2725 entry in the NIST National Vulnerability Database). The vulnerability allows malware to infect servers without relying on user interaction, as opposed to conventional methods of infection, such as malicious email attachments. Instead, the vulnerability allows attackers to gain access to a server using a web-based connection.
Another unique attribute of Sodinokibi is its effective use of managed service providers (MSPs) to spread the ransomware. Three of the five Sodinokibi cases Kroll identified in July involved the pushing of the ransomware from another vendor or IT provider into the clients’ networks. This is an efficient and effective way for ransomware to reach a large number of victims. In fact, the FBI released an alert in August 2019 noting “multiple U.S. companies suffering infection and encryption of file systems as the result of only one cyber intrusion.” MSPs that specialize in serving clients in specific industries, e.g., education or healthcare, can also unwittingly distribute the malware to a large swath of victims in a specific sector.
Associate Managing Director Thomas Brittain notes that many of the affected MSPs have been local or smaller vendors. “In the past, bad actors deploying ransomware were more opportunistic, conducting phishing campaigns hoping to encrypt the recipient. With Sodinokibi, however, cybercriminals are much more targeted, intentional and hands on. For example, in our casework we have seen two levels of reconnaissance in play. Once actors gain access to an MSP, they explore how many clients the MSP serves, the tools that the MSP uses for remote administration and patch management and the level of access in the client’s network. If the actors can gain access to the client’s network, they conduct a second phase of recon, enumerating the network to determine the total number of systems as well as any backups for deletion, and finally encrypt the available systems. The actors are then armed with knowledge on the number of clients and systems in each network served by the MSP, enabling them to assess the potential of the MSP or their clients to pay the ransom, usually driving a higher payout.”
Figure 1 - Example of Sodinokibi Ransom Note
The GandCrab Connection
Since appearing on the scene in early 2018, GandCrab is estimated to have cornered a 50% share of the ransomware market at its height and likely affected more than 1.5 million victims globally, according to Europol. A June 2019 Europol press release described the GandCrab business model:
“Set as a ransomware-as-a-service licensing model, distributors could buy the ransomware on dark web markets and spread it among their victims. In exchange, they would pay 40% of their profit to the GandCrab developers and keep 60% for themselves.”
Sodinokibi ransomware made a splash at the end of May 2019 at the same time GandCrab ransomware brokers purportedly shut down their operations. On May 31, 2019, GandCrab actors announced their retirement in a dark web post, stating, “We have proved that by doing evil deeds, retribution does not come.”
The timing of these events led incident response teams to speculate that the GandCrab peddlers may have simply tinkered with their ransomware a bit and repackaged it into a new product. For example, according to the NJCCIC, “Some [Sodinokibi] attacks have followed up with an additional attack on the same target, distributing GandCrab v5.2.” The marketing of the variants is similar, and they are both used for RaaS and large-scale attacks.
Typical Observed Deployment Pattern
Figure 2 - Sodinokibi ransomware TOR site screenshot
Senior Director Scott Hanson provided the following attributes of Sodinokibi deployment that Kroll has observed in its cases. These techniques are also consistent with open-source reporting:
Figure 3 - Sodinokibi ransomware desktop wallpaper
Dark Web Sighting
A post on an open-source website noted the association of the RIG exploit kit with Sodinokibi. Palo Alto Networks defines exploit kits as “automated threats that utilize compromised websites to divert web traffic, scan for vulnerable browser-based applications, and run malware.”
Kroll searched the deep and dark web for references to the RIG exploit kit and discovered a post that advertises the sale of the RIG exploit kit for $60-$80 per day (Figure 4).
Figure 4 - RIG exploit kit for sale on dark web forum
One incident that Kroll investigated demonstrates an insidious way that Sodinokibi can spread. Kroll’s client had remotely connected to one of their servers after realizing their digital surveillance system was not online. They immediately observed unusual text files residing on the desktop in addition to the background displaying a ransom note. A further inquiry revealed all seven of their servers had been encrypted with Sodinokibi ransomware. The affected servers were remotely administered by a third-party digital surveillance company, who alerted the client they had also been infected with the ransomware.
Following are insights from Kroll experts Thomas Brittain, Scott Hanson, Michael Hill and Cole Manaster on how to better defend against Sodinokibi.
Key Considerations When Engaging an MSP
It’s important to have a sound understanding of how an MSP is protecting access to your environment and the full scope of their service offering. This knowledge will enable your team to plan a comprehensive security, crisis communications and disaster recovery strategy that includes securing external network access, patch management, online/offline backups and an incident response plan.
Source:
[1] Oracle has since released a patch for this vulnerability.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts.