We take a closer look at the ransomware-as-a-service model
On New Year’s Eve 2019, currency exchange Travelex discovered it had been infected with Sodinokibi ransomware, as hackers demanded $6 million for the return of customer data.
The incident forced the company temporarily offline, with Travelex insisting that no personal data had been taken as a result of the cyber-attack.
Analysis by security researcher Troy Mursch found that Travelex had failed to patch its vulnerable Pulse Secure VPN servers, despite warnings issued months earlier.
Infosec practitioner Kevin Beaumont reports that leaving these servers unpatched opens the door to attackers, particularly those wielding Sodinokibi to infiltrate corporate networks.
What is Sodinokibi ransomware?
Sodinokibi, also known as ‘REvil’, is a ransomware-as-a-service (RaaS) model, discovered in April 2019.
Its multiple infection vectors include exploiting known security vulnerabilities and phishing campaigns.
Sodinokibi encrypts a user’s files and can gain administrative access by exploiting a vulnerability in Oracle WebLogic (CVE-2019-2725).
It has garnered particular attention due to its similarities to GandCrab, another infamous RaaS campaign that shut down last year after reportedly earning cybercriminals more than $2 billion.
Despite rumors that Sodinokibi could be GandCrab’s successor, others suggest Sodinokibi was simply built from GandCrab’s source code.
Tamas Boczan, a researcher at cybersecurity firm VMRay, who is tracking Sodinokibi, told The Daily Swig: “The authors are likely not the same, but the two malware families do seem to be based on the same source code.
“In an underground forum, authors of the Sodinokibi ransomware claimed that they used to be affiliates of GandCrab, and later acquired its source code to use it in their own operation.”
How many have been impacted?
Sodinokibi ransomware has been the culprit behind numerous high-profile cyber-attacks in the past 12 months, though the exact number of victims is not quite clear.
Data apparently stolen from US IT staffing organization Artech Information Systems was also published online in January, after the Sodinokibi attackers claimed the company had failed to pay the ransom.
Needless to say, the Sodinokibi campaign shows no sign of slowing down.
How can you protect against Sodinokibi?
A few basic steps can be taken to protect against a Sodinokibi ransomware attack:
- Sodinokibi is known to target published vulnerabilities, so ensure all of your software and extensions are up to date
- Be aware of potentially harmful phishing emails, and never open an attachment that you don’t trust
- It’s also worth backing up files remotely, ensuring that your cloud servers are protected with a unique, strong password and two-factor authentication
Bert Steppé, researcher at F-Secure, told The Daily Swig: “‘Normal’ computer users can also get infected with Sodinokibi. It is a ransomware-as-a-service so it is up to the affiliates how the ransomware is distributed.
“Sodinokibi has been found distributed in almost every possible way: spam campaigns, plus fake or compromised websites, malvertising, hacked MSPs, and vulnerable servers.
“That said, Sodinokibi affiliates seem to be mainly focusing on instances where they can ask for big money.”
Boczan added: “To reduce the initial attack surface, make sure that public-facing software is up to date, configured securely, and uses two-factor authentication.
“Keep macro execution in Office disabled, and if possible do not open document attachments from unknown senders at all.”
Can Sodinokibi be removed?
Ransomware locks down a victim’s files so that a decryption key is required to obtain access. The situation is the same, regardless of the ransomware variant.
Free decryptors are made available by researchers through the No More Ransom Project.
Unfortunately, there is no free decryptor available as of yet for accessing files impacted by Sodinokibi ransomware.
Boczan provides additional advice for those potentially infected with Sodinokibi, or other ransomware variants.
“Paying the ransom is usually not advised,” he said.
“The recommended remediation is to close the gap in defense so the malware doesn’t reinfect the system, then reinstall the infected machine and restore the files from backup if there is any.”