It has only been a couple of months since we heard of the official departure of GandCrab ransomware. And now, another related ransomware is seemingly here to replace GandCrab.

The emerging Sodinokibi ransomware has made it to the news over the past three months. And, it certainly continues to execute high-level ransomware attacks on businesses and consumers alike.

Sodinokibi Ransomware

Right after the departure of GandCrab, there was a rise in ransomware attacks by a new malware. Researchers identified this ransomware with various names, such as Sodin and REvil. Later, it became famous (rather infamous) as ‘Sodinokibi’. Malwarebytes has briefly reviewed the ransomware in one of their recent blog posts stating about its potential to replace GandCrab.

The Sodinokibi ransomware attacks started off since May 2019, which then reached a peak in June, targeting numerous customers and businesses on the whole. The same ransomware was found responsible for the active exploitation of the Oracle WebLogic zero-day CVE-2019-2725 (distinct from the other actively exploited zero-day CVE-2019-2729). The threat actors also distributed this ransomware via a malspam campaign targeting German victim in May 2019.

The ransomware can also spread via phishing and spam emails, compromised Managed Service Providers (MSPs).

Attack Scenario

Upon reaching the victim device, the Ransom.Sodinokibi encrypts all local files with Salsa20 encryption algorithm. This is evident by the change of files names to include a pre-generated 5 to 8 character long alphanumeric extension generated pseudo-randomly. The system’s desktop wallpaper changes to plain blue background with a ransom note similar to the following one,

“All of your files are encrypted!
Find {5-8 alpha-numeric characters}-readme.txt and follow instructions”

The 5-8 alpha-numeric characters are the same as those included in the file name. It contains all the instructions directing the user to pay the ransomware as well as the attackers’ website.

The malware usually looks for media files, or files with extensions .jpg, .jpeg,.tif, .raw, .bmp, .gif, .png, .3dm, .max, .db, .mdb, .accdb, .dxf, .dwg, .cs, .cpp, .h,.asp, .php, .java, .rb, .aaf, .aepx, .aep, .plb, .aet, .prel, .ppj, and .psd.

Alongside locking the files, the ransomware also deletes shadow copy backups and disables the Startup Repair Tool in Windows, preventing the users from restoring the encrypted files.

Moreover, it can exploit a zero-day Windows vulnerability CVE-2018-8453 to further escalate user privileges and induce more damages.

Possible Protection

The main reason why users fall prey to malware attacks and phishing scams is their ignorance of cybersecurity. Most users neglect to protect their systems with a robust antimalware. So, when they click on malicious ads, open untrusted emails, and browse carelessly without validating the authenticity of a URL, they quickly encounter such malicious attacks.

Like always, having robust antimalware protection is the key to fend off Sodinokibi ransomware. Besides, make sure to have a separate backup of your data to avoid any losses. You can keep the data backed up on an external drive, but make sure to keep it detached from your system to avoid potential infection. You can also copy your data to clouds storage.

Moreover, make sure to keep your system firmware and your apps updated with the latest security patches to stay protected from the potential exploit.