Rewterz Threat Alert – Elusive Ransomware Sodinokibi

Severity

High

Analysis Summary

An elusive ransomware package found and dubbed “Sodinokibi”. The Sodinokibi authors have been linked to the now retired GandCrab ransomware, which accounted for about 40% of all ransomware infections in its day. This may give some indications and warnings about the potential of Sodinokibi. First discovered in Asia, Sodinokibi has now spread to parts of Europe. Initial infections were from server vulnerabilities being exploited. Currently, infections are spreading through phishing attacks and exploit kits. URLs are provided in the phishing emails that downloads Sodinokibi.zip. Should the user click on the obfuscated JavaScript file in the ZIP archive, WScript (legitimate Windows application for running JavaScript) begins executing it. The JavaScript deobfuscates a PowerShell script embedded in the its code. Variations of Sodinokibi will sometimes download this PowerShell script instead of having it embedded in the JavaScript. This PowerShell script, in turn, decodes yet another script that, combined with a .NET module, is executed. If the privileges of the victim are not high enough, this last script will attempt to bypass the UAC (User Access Controls) to elevate its permissions. Once high enough privileges are acquired, infection begins. Sodinokibi actively searches for a South Korean anti-virus package called “Ahnlab V3 Lite”. If it exists, Sodinokibi attempts to inject itself in the Ahnlab process. If not, a separate instance of the current PowerShell becomes the injection target. Sodinokibi contains a list of languages to exclude from infection. If the current system is configured with one from this set, the malware shuts down. If the system is not saved by the default language, Sodinokibi begins to delete the shadow files to make recovery more difficult. Next comes the encryption of the files on the system, recursively searching each directory. Each directory with files encrypted receives its own copy of the ransom note. When complete, the desktop is modified to inform the victim of the attack.

Impact

File encryption

Indicators of Compromise

Malware Hash (MD5/SHA1/SH256)

• 2cc597d6bffda9ef6b42fed84f7a20f6f52c4756
• 5cd8eadcd70b89f6963cbd852c056195a17d0ce2
• 5dac89d5ecc2794b3fc084416a78c965c2be0d2a
• b751d0d722d3c602bcc33be1d62b1ba2b0910e03
• ee410f1d10edc70f8de3b27907fc10fa341f620a
• f9df190a616653e2e1869d82abd4f212320e9f4b
• 3e974b7347d347ae31c1b11c05a667e2
• 613dc98a6cf34b20528183fbcc78a8ee
• 7d4c2211f3279201599f9138d6b61162
• 8ea320dff9ef835269c0355ca6850b33
• b488bdeeaeda94a273e4746db0082841
• e402d34e8d0f14037769294a15060508

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the link/attachments sent by unknown senders.