{"id":15833,"date":"2019-07-18T11:10:09","date_gmt":"2019-07-18T19:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/18\/news-9580\/"},"modified":"2019-07-18T11:10:09","modified_gmt":"2019-07-18T19:10:09","slug":"news-9580","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/18\/news-9580\/","title":{"rendered":"Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void"},"content":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Thu, 18 Jul 2019 17:58:26 +0000<\/strong><\/p>\n<p>Sodinokibi, also known as Sodin and REvil, is hardly six months old, yet it has quickly become a topic of discussion among cybersecurity professionals because of its apparent connection with the infamous-but-now-defunct <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/01\/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"GandCrab (opens in a new tab)\">GandCrab<\/a> ransomware.<\/p>\n<p>On May 31, the threat actors behind GandCrab formally announced their retirement, detailing their plan to cease selling and advertising GandCrab in a dark web forum post.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39591\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/attachment\/gandcrab-farewell-by-damian\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/gandcrab-farewell-by-damian.png\" data-orig-size=\"1885,613\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"gandcrab-farewell-by-damian\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/gandcrab-farewell-by-damian-300x98.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/gandcrab-farewell-by-damian-600x195.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/gandcrab-farewell-by-damian-600x195.png\" alt=\"\" class=\"wp-image-39591\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/gandcrab-farewell-by-damian-600x195.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/gandcrab-farewell-by-damian-300x98.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><figcaption>\u201cWe are leaving for a well-deserved retirement,\u201d a GandCrab RaaS administrator announced. (Courtesy of security researcher <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/twitter.com\/Damian1338B\/\" target=\"_blank\">Damian<\/a> on Twitter) <\/figcaption><\/figure>\n<p>While many may have heaved sighs of relief, some expressed <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/gandcrab-threat-actors-retire.html\" target=\"_blank\">skepticism<\/a> over whether the GandCrab team would truly put behind their widely successful money-making scheme. 
What followed was bleak anticipation of another ransomware operation\u2014or a re-emergence of the group peddling new wares\u2014taking over to fill the hole GandCrab left behind. <\/p>\n<p>In a way, they were all right.<\/p>\n<h3>Enter Sodinokibi<\/h3>\n<p>Putting a spin on an old product is a concept not unheard of in legitimate business circles. Often, spinning involves creating a new name for the product, some tweaking on its existing features, and finding new influencers\u2014&#8221;affiliates&#8221; in the case of <a rel=\"noreferrer noopener\" aria-label=\"ransomware-as-a-service (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/glossary\/ransomware-as-a-service\/\" target=\"_blank\">ransomware-as-a-service<\/a> operations\u2014to use (and market) the product. In addition, threat actors would initially limit the new product\u2019s availability and follow with a brand-new marketing campaign\u2014all without touching the product standard. In hindsight, it seems the GandCrab team has taken this route.<\/p>\n<p>A month before the GandCrab retirement announcement, Cisco Talos researchers <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.talosintelligence.com\/2019\/04\/sodinokibi-ransomware-exploits-weblogic.html\" target=\"_blank\">released<\/a> information about a new ransomware called Sodinokibi. 
Attackers manually infected the target server after exploiting <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.oracle.com\/technetwork\/security-advisory\/alert-cve-2019-2725-5466295.html\" target=\"_blank\">a zero-day vulnerability<\/a> in its Oracle WebLogic application.<\/p>\n<p>To date, six versions of Sodinokibi have been seen in the wild.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39592\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/attachment\/sodin-versions-with-dates\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/sodin-versions-with-dates.png\" data-orig-size=\"508,158\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"sodin-versions-with-dates\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/sodin-versions-with-dates-300x93.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/sodin-versions-with-dates.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/sodin-versions-with-dates.png\" alt=\"\" class=\"wp-image-39592\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/sodin-versions-with-dates.png 508w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/sodin-versions-with-dates-300x93.png 300w\" sizes=\"(max-width: 508px) 100vw, 508px\" \/><figcaption>Sodinokibi versions, from the 
earliest (v1.0a), which was discovered on April 23, to the latest (v1.3), which was discovered July 8. <\/figcaption><\/figure>\n<p>Based on our telemetry, Sodinokibi has spread wide to both businesses and consumers since GandCrab\u2019s exit.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39593\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/attachment\/mwb-telemetry-sodinokibi\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/mwb-telemetry-sodinokibi.png\" data-orig-size=\"918,478\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"mwb-telemetry-sodinokibi\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/mwb-telemetry-sodinokibi-300x156.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/mwb-telemetry-sodinokibi-600x312.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/mwb-telemetry-sodinokibi-600x312.png\" alt=\"\" class=\"wp-image-39593\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/mwb-telemetry-sodinokibi-600x312.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/mwb-telemetry-sodinokibi-300x156.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/mwb-telemetry-sodinokibi.png 918w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><figcaption>Business and consumer detection trends for Sodin\/REvil, 
which Malwarebytes detects as <a href=\"https:\/\/blog.malwarebytes.com\/detections\/ransom-sodinokibi\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Ransom.Sodinokibi (opens in a new tab)\">Ransom.Sodinokibi<\/a>. <\/figcaption><\/figure>\n<h3>Sodinokibi infection vectors<\/h3>\n<p>Like GandCrab, the Sodinokibi ransomware-as-a-service (RaaS) follows an affiliate revenue system, which allows other cybercriminals to spread it through several vectors:<\/p>\n<ul>\n<li>Active exploitation of a vulnerability in Oracle WebLogic, officially named CVE-2019-2725<\/li>\n<li>Malicious spam or phishing campaigns with links or attachments<\/li>\n<li><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/glossary\/malvertising\/\" target=\"_blank\">Malvertising<\/a> campaigns that lead to the RIG exploit kit, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/01\/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits\/\" target=\"_blank\">an avenue that GandCrab used before<\/a><\/li>\n<li>Compromised or infiltrated managed service providers (MSPs), which are third-party companies that remotely manage the IT infrastructure and\/or end-user systems of other companies, to push the ransomware en masse. 
This is done by accessing networks via a remote desktop protocol (RDP) and then using the MSP console to deploy the ransomware.<\/li>\n<\/ul>\n<p>Although affiliates used these tactics to push GandCrab, too, many cybercriminals\u2014<a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.cvent.com\/events\/awareness-briefing-chinese-cyber-activity-targeting-managed-service-providers\/archived-4b6946484ee141ac8ebe76047f198e1c.aspx\" target=\"_blank\">nation-state actors included<\/a>\u2014have done the same to push their own malware campaigns.<\/p>\n<h3>Symptoms of Sodinokibi infection <\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39594\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/attachment\/sodinokibi_infected\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodinokibi_infected.png\" data-orig-size=\"2998,1777\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Sodinokibi_infected\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodinokibi_infected-300x178.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodinokibi_infected-600x356.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodinokibi_infected-600x356.png\" alt=\"\" class=\"wp-image-39594\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodinokibi_infected-600x356.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodinokibi_infected-300x178.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p>Systems infected with Sodinokibi ransomware show the following symptoms:<\/p>\n<p><strong>Changed desktop wallpaper.<\/strong> Like any other ransomware, Sodinokibi changes the desktop wallpaper of affected systems into a notice, informing users that their files have been encrypted. The wallpaper has a blue background, as you can partially see from the screenshot above, with the text:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>All of your files are encrypted!<br \/>Find {5-8 alpha-numeric characters}-readme.txt and follow instructions<\/p>\n<\/blockquote>\n<p><strong>Presence of ransomware note.<\/strong> The <em>{5-8 alpha-numeric characters}-readme.txt<\/em> file it&#8217;s referring to is the ransom note that comes with every ransomware attack. 
In Sodinokibi\u2019s case, it looks like this:<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39595\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/attachment\/sodi_rnote-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_rnote-1.png\" data-orig-size=\"1967,1692\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Sodi_rnote\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_rnote-1-300x258.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_rnote-1-600x516.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_rnote-1-600x516.png\" alt=\"\" class=\"wp-image-39595\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_rnote-1-600x516.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_rnote-1-300x258.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p>The note contains instructions on how affected users can go about paying the ransom and how the decryption process works.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39596\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/attachment\/sodi_tor-2\/\" 
data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_tor-1.png\" data-orig-size=\"1508,1410\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Sodi_tor\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_tor-1-300x281.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_tor-1-600x561.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_tor-1-600x561.png\" alt=\"\" class=\"wp-image-39596\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_tor-1-600x561.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_tor-1-300x281.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/Sodi_tor-1.png 1508w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><figcaption>Screenshot of the TOR-only accessible website Sodinokibi victims were told to visit to make their payments <\/figcaption><\/figure>\n<p><strong>Encrypted files with a 5\u20138 character extension name.<\/strong> Sodinokibi encrypts certain files on local drives with the Salsa20 encryption algorithm, with each file renamed to include a pre-generated, pseudo-random alpha-numeric extension that&#8217;s five to eight characters long.<\/p>\n<p>The extension name and character string included in the ransom note file name are the same. 
For example, if Sodinokibi has encrypted an image file and renamed it to <em>paris2017.r4nd01<\/em>, its corresponding ransom note will have the file name <em>r4nd01-readme.txt<\/em>.<\/p>\n<p>Sodinokibi targets mostly media- and programming-related files, encrypting those with the following extensions:<\/p>\n<ul>\n<li>.jpg<\/li>\n<li>.jpeg<\/li>\n<li>.raw<\/li>\n<li>.tif<\/li>\n<li>.png<\/li>\n<li>.bmp<\/li>\n<li>.3dm<\/li>\n<li>.max<\/li>\n<li>.accdb<\/li>\n<li>.db<\/li>\n<li>.mdb<\/li>\n<li>.dwg<\/li>\n<li>.dxf<\/li>\n<li>.cpp<\/li>\n<li>.cs<\/li>\n<li>.h<\/li>\n<li>.php<\/li>\n<li>.asp<\/li>\n<li>.rb<\/li>\n<li>.java<\/li>\n<li>.aaf<\/li>\n<li>.aep<\/li>\n<li>.aepx<\/li>\n<li>.plb<\/li>\n<li>.prel<\/li>\n<li>.aet<\/li>\n<li>.ppj<\/li>\n<li>.gif<\/li>\n<li>.psd<\/li>\n<\/ul>\n<p><strong>Deleted shadow copy backups and disabled Windows Startup Repair tool.<\/strong> Shadow copy (also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS) and Startup Repair are technologies inherent in the Windows OS. The former is \u201ca snapshot of a volume that duplicates all of the data that is held on that volume at one well-defined instant in time,\u201d <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/vss\/shadow-copies-and-shadow-copy-sets\" target=\"_blank\">according to Windows Dev Center<\/a>. The latter is a recovery tool used to troubleshoot certain Windows problems.<\/p>\n<p>Deleting shadow copies prevents users from restoring from backup when they find their files are encrypted by ransomware. Disabling the Startup Repair tool prevents users from attempting to fix system errors that may have been caused by a ransomware infection.<\/p>\n<h3>Other tricks up Sodinokibi\u2019s sleeve<\/h3>\n<p>Ransomware doesn\u2019t normally take advantage of zero-day vulnerabilities in its attacks\u2014but Sodinokibi is not your average ransomware. 
It takes advantage of an elevation-of-privilege zero-day vulnerability in the Win32k component of Windows.<\/p>\n<p>Designated as <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2018-8453\" target=\"_blank\">CVE-2018-8453<\/a>, this flaw can grant Sodinokibi administrator access to the endpoints it infects. This means that it can conduct the same tasks as administrators on those systems, such as disabling security software and other features that were meant to protect the system from malware.<\/p>\n<p>CVE-2018-8453 was the same vulnerability that <a rel=\"noreferrer noopener\" aria-label=\"FruityArmor APT (opens in a new tab)\" href=\"https:\/\/threatpost.com\/fruityarmor-apt-exploits-yet-another-windows-graphics-kernel-flaw\/138192\/\" target=\"_blank\">the FruityArmor APT<\/a> exploited in its malware campaign last year.<\/p>\n<p>New variants of Sodinokibi have also been found to use \u201cHeaven\u2019s Gate,\u201d an old evasion technique used to execute 64-bit code from a 32-bit process, which can let malware run undetected. 
We touched on this technique in early 2018 when we dissected <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/01\/a-coin-miner-with-a-heavens-gate\/\" target=\"_blank\">an interesting cryptominer<\/a> we captured in the wild.<\/p>\n<h3>Protect your system from Sodinokibi<\/h3>\n<p>Malwarebytes tracks Sodinokibi campaigns and protects users with <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.malwarebytes.com\/business\/endpointprotectionandresponse\/\" target=\"_blank\">a multi-layered approach using signature-less detection<\/a>, nipping the attack in the bud before the infection chain even begins.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"39597\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/attachment\/s_meep\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/S_MEEP.png\" data-orig-size=\"624,444\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"S_MEEP\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/S_MEEP-300x213.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/S_MEEP-600x427.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/S_MEEP-600x427.png\" alt=\"\" class=\"wp-image-39597\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/S_MEEP-600x427.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/S_MEEP-300x213.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/S_MEEP.png 624w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p>To mitigate, we also recommend IT administrators to do the following:<\/p>\n<ul>\n<li>Deny public IPs access to RDP port 3389.<\/li>\n<li>Replace your company\u2019s ConnectWise ManagedITSync integration plug-in with <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/marketplace.connectwise.com\/kaseya\" target=\"_blank\">the latest version<\/a> before reconnecting your VSA server to the Internet.<\/li>\n<li>Block SMB port 445. In fact, it\u2019s sound security practice to block all unused ports.<\/li>\n<li>Apply the latest Microsoft update packages.<\/li>\n<li>In this vein, make sure all software on endpoints is up-to-date.<\/li>\n<li>Limit the use of system administration tools to IT personnel or employees who need access only.<\/li>\n<li>Disable macro on Microsoft Office products.<\/li>\n<li>Regularly inform employees about threats that might be geared toward the organization\u2019s industry or the company itself with reminders on <a rel=\"noreferrer noopener\" aria-label=\"how to handle suspicious emails (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/101\/2018\/06\/five-easy-ways-to-recognize-and-dispose-of-malicious-emails\/\" target=\"_blank\">how to handle suspicious emails<\/a>, such as avoiding clicking on links or opening attachments if they\u2019re not sure of the source.<\/li>\n<li>Apply attachment filtering to email messages.<\/li>\n<li>Regularly create multiple backups of data, preferably to devices that aren\u2019t connected to the Internet. 
<\/li>\n<\/ul>\n<h3>Indicators of compromise (IOCs)<\/h3>\n<p>File hashes:<\/p>\n<ul>\n<li>e713658b666ff04c9863ebecb458f174<\/li>\n<li>bf9359046c4f5c24de0a9de28bbabd14<\/li>\n<li>177a571d7c6a6e4592c60a78b574fe0e<\/li>\n<\/ul>\n<p>Stay safe, everyone!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/\">Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Jovi Umawing| Date: Thu, 18 Jul 2019 17:58:26 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/' title='Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/07\/shutterstock_668030038.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>There\u2019s a new ransomware-as-a-service (RaaS) in town, and it can twist tongues for giggles as much as twist organizations&#8217; arms for cash. 
Get to know the Sodinokibi ransomware, including how to protect against this fledgling threat.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-spotlight\/\" rel=\"category tag\">Threat spotlight<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/177a571d7c6a6e4592c60a78b574fe0e\/\" rel=\"tag\">177a571d7c6a6e4592c60a78b574fe0e<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/bf9359046c4f5c24de0a9de28bbabd14\/\" rel=\"tag\">bf9359046c4f5c24de0a9de28bbabd14<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/caas\/\" rel=\"tag\">caas<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/cisco-talos\/\" rel=\"tag\">Cisco Talos<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/crime-as-a-service\/\" rel=\"tag\">crime-as-a-service<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/cve-2018-8453\/\" rel=\"tag\">CVE-2018-8453<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/cve-2019-2725\/\" rel=\"tag\">CVE-2019-2725<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/e713658b666ff04c9863ebecb458f174\/\" rel=\"tag\">e713658b666ff04c9863ebecb458f174<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/fruitarmor-apt\/\" rel=\"tag\">FruitArmor APT<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/gandcrab\/\" rel=\"tag\">gandcrab<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/heavens-gate\/\" rel=\"tag\">Heaven&#8217;s Gate<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malvertising\/\" rel=\"tag\">malvertising<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/managed-service-providers\/\" rel=\"tag\">managed service providers<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/msp-hack\/\" rel=\"tag\">msp hack<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/oracle-weblogic-vulnerability\/\" rel=\"tag\">Oracle WebLogic vulnerability<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/raas\/\" rel=\"tag\">raas<\/a><a 
href=\"https:\/\/blog.malwarebytes.com\/tag\/ransom-sodinokibi\/\" rel=\"tag\">Ransom.Sodinokibi<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware-as-a-service\/\" rel=\"tag\">Ransomware as a Service<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/revil\/\" rel=\"tag\">revil<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/salsa20\/\" rel=\"tag\">salsa20<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/shadow-copy\/\" rel=\"tag\">shadow copy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/sodin\/\" rel=\"tag\">sodin<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/sodinokibi\/\" rel=\"tag\">Sodinokibi<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/volume-snapshot-service\/\" rel=\"tag\">volume snapshot service<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/vss\/\" rel=\"tag\">vss<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/win32k-vulnerability\/\" rel=\"tag\">Win32k vulnerability<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/zero-day-vulnerability\/\" rel=\"tag\">zero-day vulnerability<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/' title='Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/07\/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void\/\">Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[22334,22335,22336,20757,22337,19833,22338,22339,22340,17363,17205,10531,22341,22342,22343,11597,22344,3765,11598,22297,20480,22345,22298,22299,21161,22346,22347,22348,20369],"class_list":["post-15833","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-177a571d7c6a6e4592c60a78b574fe0e","tag-bf9359046c4f5c24de0a9de28bbabd14","tag-caas","tag-cisco-talos","tag-crime-as-a-service","tag-cve-2018-8453","tag-cve-2019-2725","tag-e713658b666ff04c9863ebecb458f174","tag-fruitarmor-apt","tag-gandcrab","tag-heavens-gate","tag-malvertising","tag-managed-service-providers","tag-msp-hack","tag-oracle-weblogic-vulnerability","tag-raas","tag-ransom-sodinokibi","tag-ransomware","tag-ransomware-as-a-service","tag-revil","tag-salsa20","tag-shadow-copy","tag-sodin","tag-sodinokibi","tag-threat-spotlight","tag-volume-snapshot-service","tag-vss","tag-win32k-vulnerability","tag-zero-day-vulnerability"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15833","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15833"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15833\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=158
33"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15833"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}