Rewterz Threat Alert – Elusive Ransomware Sodinokibi

August 13, 2019

Severity

High

Analysis Summary

An elusive ransomware package has been found and dubbed “Sodinokibi”. Its authors have been linked to the now retired GandCrab ransomware, which accounted for about 40% of all ransomware infections in its day; this gives some indication of Sodinokibi's potential. First discovered in Asia, Sodinokibi has now spread to parts of Europe. Initial infections came from exploited server vulnerabilities; currently, infections are spreading through phishing attacks and exploit kits.

The phishing emails carry URLs that download Sodinokibi.zip. Should the user open the obfuscated JavaScript file in the ZIP archive, WScript (a legitimate Windows application for running JavaScript) begins executing it. The JavaScript deobfuscates a PowerShell script embedded in its code; variations of Sodinokibi will sometimes download this PowerShell script instead of embedding it in the JavaScript. This PowerShell script, in turn, decodes yet another script that is executed together with a .NET module. If the victim's privileges are not high enough, this last script attempts to bypass UAC (User Account Control) to elevate its permissions. Once sufficient privileges are acquired, infection begins.

Sodinokibi actively searches for a South Korean anti-virus package called “Ahnlab V3 Lite”. If it is present, Sodinokibi attempts to inject itself into the Ahnlab process; if not, a separate instance of the current PowerShell becomes the injection target. Sodinokibi contains a list of languages to exclude from infection; if the current system is configured with one of them, the malware shuts down. If the system's default language does not spare it, Sodinokibi deletes the shadow copies to make recovery more difficult. Next comes the encryption of the files on the system, recursively searching each directory. Each directory containing encrypted files receives its own copy of the ransom note.

When complete, the desktop is modified to inform the victim of the attack.
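As an added illustration that is not part of the Rewterz advisory, the following Python flags the observable stages of the chain described above (wscript.exe launching an encoded PowerShell command, and the later shadow-copy deletion) in constructed process-creation events and reconstructs the parent chain for each hit; the sample events and rule names are assumptions, not real telemetry.

```python
import json
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon EventID 1 style); not real telemetry.
# The encoded command is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"pid": 101, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 202, "ppid": 101, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\Sodinokibi\invoice.js"'},
    {"pid": 303, "ppid": 202, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -EncodedCommand <placeholder>"},
    {"pid": 404, "ppid": 303, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 505, "ppid": 101, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Walk parent pointers to the root; guard against pid cycles in reused pids."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return list(reversed(chain))


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per (event, rule) match, with the reconstructed process chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmd"].lower()
        parent: Optional[Dict] = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        rules = []
        if name == "powershell.exe" and pname == "wscript.exe":
            rules.append("script_host_spawned_powershell")   # JS dropper -> PowerShell stage
        if name == "powershell.exe" and " -enc" in cmd:       # matches -enc / -EncodedCommand
            rules.append("encoded_powershell")
        if (name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd) or \
           (name == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd):
            rules.append("shadow_copy_deletion")             # recovery-inhibition step
        for r in rules:
            findings.append({"pid": e["pid"], "rule": r, "chain": ancestry(e, by_pid)})
    return findings


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```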

Impact

File encryption

Indicators of Compromise

Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.